What is the TelemetryController backdoor technique and how does it achieve persistence?
The TelemetryController backdoor technique abuses the Windows Compatibility Telemetry component, `CompatTelRunner.exe`, which is launched by the scheduled task **Microsoft Compatibility Appraiser** (under `\Microsoft\Windows\Application Experience\`) and runs as **System**. An attacker with write access to the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController` adds a string value named `Command` that points to a program of their choosing (the analysis uses `notepad.exe` as a harmless placeholder). Each time the scheduled task fires, `CompatTelRunner.exe` reads that value and executes the attacker's command with System privileges, so the implant survives reboots and re-runs on the task's schedule. Because this key is not among the locations most autorun-enumeration tools inspect, the persistence is easy to miss unless the key is audited directly. The technique is analyzed in detail in Analysis of Backdoor Implementation Using TelemetryController.
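The audit script below is an added example for this answer, not code from the cited analysis. It enumerates the `TelemetryController` key and every subkey for a `Command` value, reports when the Microsoft Compatibility Appraiser task last ran (so you know whether an implanted command has already executed), and offers a removal helper. It assumes an elevated PowerShell session; the function names and the `OutsideSystemRoot` heuristic are this example's own, and a clean baseline from a host of the same Windows build is the proper reference for deciding which `Command` values are unexpected.

```powershell
# Added example (not the cited analysis' code): audit the TelemetryController key for
# 'Command' values and inspect the task that launches CompatTelRunner.exe.
# Assumptions: elevated PowerShell; function names below are this example's own.

$TelemetryKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'

function Get-TelemetryControllerCommand {
    # Returns one object per key (the base key and every subkey) that carries a Command value.
    if (-not (Test-Path -LiteralPath $TelemetryKey)) { return }
    $keys = @(Get-Item -LiteralPath $TelemetryKey)
    $keys += @(Get-ChildItem -LiteralPath $TelemetryKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or -not $props.PSObject.Properties['Command']) { continue }
        [pscustomobject]@{
            Key     = $key.Name
            Command = $props.Command
            # Heuristic (assumption): a command outside %SystemRoot% or given as a bare
            # name (resolved through the runner's search path) deserves a second look.
            OutsideSystemRoot = -not ($props.Command -like "$env:SystemRoot\*")
        }
    }
}

function Get-CompatAppraiserTaskInfo {
    # The task that launches CompatTelRunner.exe. LastRunTime tells you whether an
    # implanted command has already fired; RunAs should read SYSTEM.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' `
                              -TaskName 'Microsoft Compatibility Appraiser' -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        RunAs       = $task.Principal.UserId
        State       = $task.State
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
        Action      = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

function Remove-TelemetryControllerCommand {
    # Deletes only the Command value (by the full key name reported above), leaving the
    # key itself in place so timestamps and neighbouring values remain for forensic review.
    param([Parameter(Mandatory)][string]$KeyName)
    Remove-ItemProperty -LiteralPath "Registry::$KeyName" -Name 'Command' -ErrorAction Stop
}

# Usage: list findings, then check whether the task has already run them.
Get-TelemetryControllerCommand | Format-Table -AutoSize
Get-CompatAppraiserTaskInfo
```

Export the findings before removing anything: the `Command` string itself, and the key's last-write time from a registry hive copy, are the evidence that ties the implant to the task's `LastRunTime`. Removing the value stops future executions but does not undo whatever the command already did at System privilege.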
Tags: TelemetryController, CompatTelRunner.exe, scheduled task, registry, persistence, System privileges, backdoor