Commit dac07f6

Update windows_compatibility_telemetry_tampering_through_registry.yml
1 parent b19c6e6 commit dac07f6

File tree: 1 file changed, +1 -1 lines changed

detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ date: '2025-02-13'
55
author: Steven Dick
66
status: production
77
type: TTP
8-
description: The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
8+
description: This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the "TelemetryController" registry key and "Command" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
99
data_source:
1010
- Sysmon Event ID 13
1111
search: |-
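Review bot: the `date: '2025-02-13'` field shown in the hunk header is left untouched while the description is rewritten; bump the date in the same change so anyone consuming the analytic can see its metadata was revised. The replacement text is the right fix for the old line, which described process execution of CompatTelRunner.exe (process name, parent process, command line) even though `data_source` lists only `Sysmon Event ID 13`, a registry value-set event, and the new line states the search is built on the Endpoint.Registry data model. Two wording points on the `+` line: "registry paths and values indicative of such changes" is circular, so state the concrete condition the search matches (a write to the `Command` value under the `TelemetryController` key) and, if the search restricts by path, quote that path; and "always run as System" would read better as "run as SYSTEM under the scheduled task", since that privilege is what makes the value a persistence and elevation target.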