Privilege Escalation with Autoruns
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
WMIC
WMIC can be used to list the programs configured to run on startup. See which binaries are programmed to run at startup with:
Scheduled Tasks
Tasks can be scheduled to run with a certain frequency. See which binaries are scheduled to run with:
Folders
All the binaries located in the Startup folders are going to be executed on startup. The common startup folders are the ones listed below, but the actual Startup folder location is defined in the registry. Read this to learn where.
Registry
Runs
Commonly known AutoRun registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Registry keys known as Run and RunOnce are designed to automatically execute programs every time a user logs into the system. The command line assigned as a key's data value is limited to 260 characters or less.
Service runs (can control automatic startup of services during boot):
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
RunOnceEx:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
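A defender-side audit that ties the WMIC, Scheduled Tasks and Run-key sections together, added here as an example (it is not the page's own command listing): it collects the startup commands those three sources expose and checks the ACL of every referenced binary for write access by Everyone, Authenticated Users or Users. The weak-principal SID list, the executable-extraction heuristic and the subset of Run keys queried are my assumptions.

```powershell
# Added audit script (not from the page): gathers the autorun commands the
# WMIC, Scheduled Tasks and Run-key sections above describe and flags any
# referenced binary that Everyone, Authenticated Users or Users may modify.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$weakSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users (assumed list)
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ExePath([string]$cmd) {
    # Executable of a command line: the quoted path, otherwise the first token
    # (an unquoted path containing spaces is cut short here and needs manual review)
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-WeakWrite([string]$path) {
    # True when a low-privileged principal holds an Allow ACE with write rights on the file
    if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($weakSids -contains $sid -and (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

$entries = @()
# Same data the "wmic startup" alias lists
Get-CimInstance Win32_StartupCommand | ForEach-Object {
    $entries += [pscustomobject]@{ Source = "Startup:$($_.Location)"; Command = $_.Command } }
# Every scheduled task action that executes a program
Get-ScheduledTask | ForEach-Object { $t = $_
    foreach ($a in $t.Actions) { if ($a.Execute) {
        $entries += [pscustomobject]@{ Source = "Task:$($t.TaskPath)$($t.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" } } } }
# Every value under the Run/RunOnce keys (PS* properties are provider metadata, not values)
foreach ($k in $runKeys) { if (Test-Path $k) {
    (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
        $entries += [pscustomobject]@{ Source = "$k\$($_.Name)"; Command = [string]$_.Value } } } }

$entries | ForEach-Object {
    $exe = Get-ExePath $_.Command
    [pscustomobject]@{ Source = $_.Source; Binary = $exe; WeakWrite = (Test-WeakWrite $exe) }
} | Sort-Object WeakWrite -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that HKLM keys and every task are readable; a WeakWrite of True means a standard user could replace the binary that an autorun launches, which is the privilege escalation condition this page is about.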
On Windows Vista and later versions, the Run and RunOnce registry keys are not automatically generated. Entries in these keys can either directly start programs or specify them as dependencies. For instance, to load a DLL file at logon, one could use the RunOnceEx registry key along with a "Depend" key. This is demonstrated by adding a registry entry to execute "C:\temp\evil.dll" during the system start-up:
Startup Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Shortcuts placed in the Startup folder will automatically trigger services or applications to launch during user logon or system reboot. The Startup folder's location is defined in the registry for both the Local Machine and Current User scopes. This means any shortcut added to these specified Startup locations will ensure the linked service or program starts up following the logon or reboot process, making it a straightforward method for scheduling programs to run automatically.
Winlogon Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Typically, the Userinit key is set to userinit.exe. However, if this key is modified, the specified executable will also be launched by Winlogon upon user logon. Similarly, the Shell key is intended to point to explorer.exe, which is the default shell for Windows.
Policy Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Check the Run key beneath each of these paths.
AlternateShell
Changing the Safe Mode Command Prompt
In the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, there is an AlternateShell value set by default to cmd.exe. This means that when you choose "Safe Mode with Command Prompt" during startup (by pressing F8), cmd.exe is used. However, it is possible to set up the computer to start in this mode automatically, without pressing F8 and selecting it manually.
Steps to create a boot option for automatically starting in "Safe Mode with Command Prompt":
1. Change the attributes of the boot.ini file to remove the read-only, system, and hidden flags: attrib c:\boot.ini -r -s -h
2. Open boot.ini for editing.
3. Insert a line like: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
4. Save the changes to boot.ini.
5. Reapply the original file attributes: attrib c:\boot.ini +r +s +h
Exploit 1: Changing the AlternateShell registry value allows a custom command shell to be configured, potentially for unauthorized access.
Exploit 2 (PATH Write Permissions): Having write permissions to any part of the system PATH variable, especially a directory before C:\Windows\system32, lets you execute a custom cmd.exe, which could be a backdoor if the system is started in Safe Mode.
Exploit 3 (PATH and boot.ini Write Permissions): Write access to boot.ini enables automatic Safe Mode startup, facilitating unauthorized access on the next reboot.
To check the current AlternateShell setting, use these commands:
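An added PowerShell check for the Winlogon and AlternateShell sections (example code, not the page's original commands): it compares Userinit, Shell and AlternateShell against the defaults the text names and lists the machine PATH directories that are searched before C:\Windows\system32, which is where a writable directory would matter for Exploit 2. The expected-value patterns (userinit.exe with its system32 path and trailing comma) are my assumptions about the defaults.

```powershell
# Added check (not from the page): compare the Winlogon Userinit/Shell values
# and the SafeBoot AlternateShell with the defaults the text names, then list
# the machine PATH directories searched before C:\Windows\system32, where a
# planted cmd.exe would shadow the real one in Safe Mode with Command Prompt.
$sys32 = "$env:SystemRoot\system32"
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'
       Pattern = '^(' + [regex]::Escape($sys32) + '\\)?userinit\.exe,?$' }   # assumed default form
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'
       Pattern = '^explorer\.exe$' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'
       Pattern = '^cmd\.exe$' }
)
function Get-WinlogonDeviations {
    # One object per value whose data does not match its expected default
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($null -eq $actual -or $actual -notmatch $e.Pattern) {
            [pscustomobject]@{ Key = $e.Key; Value = $e.Name; Data = $actual; ExpectedPattern = $e.Pattern }
        }
    }
}
function Get-PathDirsBeforeSystem32 {
    # Machine-scope PATH entries that precede system32; any one of them that a
    # standard user can write to is the "Exploit 2" condition described above.
    $before = @()
    foreach ($d in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
        if (-not $d) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($d).TrimEnd('\')
        if ($dir -ieq $sys32) { break }
        $before += $dir
    }
    return $before
}
Get-WinlogonDeviations | Format-Table -AutoSize
Get-PathDirsBeforeSystem32
```

No output from Get-WinlogonDeviations means all three values still hold their defaults; every directory printed by Get-PathDirsBeforeSystem32 should have its ACL reviewed for write access by non-administrators.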
Installed Component
Active Setup is a feature in Windows that initiates before the desktop environment is fully loaded. It prioritizes the execution of certain commands, which must complete before the user logon proceeds. This process occurs even before other startup entries, such as those in the Run or RunOnce registry sections, are triggered.
Active Setup is managed through the following registry keys:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
Within these keys, various subkeys exist, each corresponding to a specific component. Key values of particular interest include:
IsInstalled:
  0 indicates the component's command will not execute.
  1 means the command will execute once for each user, which is the default behavior if the IsInstalled value is missing.
StubPath: Defines the command to be executed by Active Setup. It can be any valid command line, such as launching notepad.
Security Insights:
Modifying or writing to a key where IsInstalled is set to "1" with a specific StubPath can lead to unauthorized command execution, potentially for privilege escalation.
Altering the binary file referenced in any StubPath value could also achieve privilege escalation, given sufficient permissions.
To inspect the StubPath configurations across Active Setup components, these commands can be used:
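An added enumeration for the Active Setup section (example code, not the page's original commands): it walks the four Installed Components keys listed above and reports every component whose StubPath will still run, applying the rule from the text that a missing IsInstalled counts as 1. The output column names are my own.

```powershell
# Added enumeration (not from the page): list every Active Setup component whose
# StubPath will still run (IsInstalled absent or 1), across the four keys above.
$activeSetupKeys = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components',
                   'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                   'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'

function Get-ActiveSetupStubs {
    foreach ($root in $activeSetupKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.StubPath) { continue }              # nothing to execute
            # A missing IsInstalled is treated as 1: the stub runs once per user
            $isInstalled = if ($null -eq $p.IsInstalled) { 1 } else { $p.IsInstalled -as [int] }
            [pscustomobject]@{
                Hive      = $root.Substring(0, 4)           # HKLM or HKCU
                Component = $sub.PSChildName
                Version   = $p.Version
                WillRun   = ($isInstalled -eq 1)
                StubPath  = $p.StubPath
            }
        }
    }
}
# Components that will run, ready for review of each StubPath and the binary it launches
Get-ActiveSetupStubs | Where-Object WillRun | Sort-Object Hive, Component | Format-Table -AutoSize
```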
Browser Helper Objects
Overview of Browser Helper Objects (BHOs)
Browser Helper Objects (BHOs) are DLL modules that add extra features to Microsoft's Internet Explorer. They load into Internet Explorer and Windows Explorer on each start. However, loading into Windows Explorer can be blocked by setting the NoExplorer value to 1 under the BHO's registry key, which prevents the BHO from loading with Windows Explorer instances.
BHOs are compatible with Windows 10 via Internet Explorer 11 but are not supported in Microsoft Edge, the default browser in newer versions of Windows.
To explore BHOs registered on a system, you can inspect the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Each BHO is represented by its CLSID in the registry, serving as a unique identifier. Detailed information about each CLSID can be found under HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}.
For querying BHOs in the registry, these commands can be utilized:
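An added enumeration for the BHO section (example code, not the page's original commands): it lists the CLSIDs under both Browser Helper Objects keys, resolves each through the HKLM\SOFTWARE\Classes\CLSID\{<CLSID>} key the text names to the DLL that would be loaded, and reports the NoExplorer setting. Looking up 32-bit entries under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID when the 64-bit key is absent is my assumption.

```powershell
# Added enumeration (not from the page): list registered BHOs and resolve each
# CLSID to the DLL Internet Explorer / Explorer would load, via the CLSID key the
# text names. Assumption: 32-bit BHOs (Wow6432Node list) are looked up under
# HKLM\SOFTWARE\Classes\Wow6432Node\CLSID when the 64-bit CLSID key is absent.
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-RegisteredBhos {
    foreach ($root in $bhoKeys) {
        if (-not (Test-Path $root)) { continue }
        $arch = if ($root -like '*Wow6432Node*') { 'x86' } else { 'x64' }
        foreach ($sub in Get-ChildItem $root) {
            $clsid  = $sub.PSChildName
            $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            if (-not (Test-Path $clsKey)) { $clsKey = "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid" }
            $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            # NoExplorer = 1 keeps the BHO out of Windows Explorer (it still loads in IE)
            $noExplorer = (Get-ItemProperty -Path $sub.PSPath -Name NoExplorer -ErrorAction SilentlyContinue).NoExplorer
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            [pscustomobject]@{
                CLSID           = $clsid
                Name            = $name
                Arch            = $arch
                Dll             = $dllPath
                DllExists       = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
                LoadsInExplorer = ($noExplorer -ne 1)
            }
        }
    }
}
Get-RegisteredBhos | Format-Table -AutoSize
```

A BHO whose Dll column points at a location a standard user can write to, or whose DLL no longer exists, is the case worth reviewing: the CLSID registration survives and the loader will still look for that file.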
Internet Explorer Extensions
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
Note that the registry will contain one new entry per DLL, represented by its CLSID. You can find the CLSID info in HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}
Font Drivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Open Command
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command
HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command
Image File Execution Options
SysInternals
Note that all the locations where you can find autoruns are already searched by winpeas.exe. However, for a more comprehensive list of auto-executed files you could use Autoruns from Sysinternals:
More
Find more autorun-like registry locations at https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2