HackTricks
Search…
🤩
Generic Methodologies & Resources
🐧
Linux Hardening
🍏
MacOS Hardening
🪟
Windows Hardening
📱
Mobile Pentesting
👽
Network Services Pentesting
🕸
Pentesting Web
⛈
Cloud Security
😎
Hardware/Physical Access
🦅
Reversing & Exploiting
🔮
Crypto & Stego
🧐
External Platforms Reviews/Writeups
✍
TODO
Privilege Escalation with Autoruns
Support HackTricks and get benefits!
WMIC
Wmic can be used to run programs on startup. See which binaries are programmed to run is startup with:
1
wmic startup get caption,command 2>nul & ^
2
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Copied!
Scheduled Tasks
Tasks can be schedules to run with certain frequency. See which binaries are scheduled to run with:
1
schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
2
schtasks /query /fo LIST 2>nul | findstr TaskName
3
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
4
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
5
6
#Schtask to give admin access
7
#You can also write that content on a bat file that is being executed by a scheduled task
8
schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
Copied!
Folders
All the binaries located in the Startup folders are going to be executed on startup. The common startup folders are the ones listed a continuation, but the startup folder is indicated in the registry. Read this to learn where.
1
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
2
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
3
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
4
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
5
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
6
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
Copied!
Registry
Note: The Wow6432Node registry entry indicates that you are running a 64-bit Windows version. The operating system uses this key to display a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on 64-bit Windows versions.
Runs
Commonly known AutoRun registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceHKCU\Software\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceHKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnceHKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceHKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Run and RunOnce registry keys cause programs to run each time that a user logs on. The data value for a key is a command line no longer than 260 characters.
Service runs (can control automatic startup of services during boot):
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesHKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnceHKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnceHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesHKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
RunOnceEx:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceExHKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
It's not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"Exploit 1: If you can write inside any of the mentioned registry inside HKLM you can escalate privileges when a different user logs in.
Exploit 2: If you can overwrite any of the binaries indicated on any of the registry inside HKLM you can modify that binary with a backdoor when a different user logs in and escalate privileges.
1
#CMD
2
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
3
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
4
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
5
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
6
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
7
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
8
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
9
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
10
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
11
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
12
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE
13
14
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
15
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
16
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
17
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
18
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
19
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
20
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
21
reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices
22
23
reg query HKLM\Software\Microsoft\Windows\RunOnceEx
24
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
25
reg query HKCU\Software\Microsoft\Windows\RunOnceEx
26
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
27
28
#PowerShell
29
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
30
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
31
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
32
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
33
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
34
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
35
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
36
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
37
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
38
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
39
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'
40
41
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
42
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
43
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
44
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
45
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
46
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
47
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
48
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
49
50
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
51
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
52
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
53
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Copied!
Startup Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Any shortcut created to the location pointed by subkey Startup will launch the service during logon/reboot. Start up location is specified both at Local Machine and Current User.
If you can overwrite any [User] Shell Folder under HKLM, you will e able to point it to a folder controlled by you and place a backdoor that will be executed anytime a user logs in the system escalating privileges.
1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
2
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
3
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
4
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
5
6
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
7
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
8
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
9
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
Copied!
Winlogon Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonUsually, Userinit key points to userinit.exe but if this key can be altered, then that exe will also launch by Winlogon.
Shell key should point to explorer.exe.
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
2
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
3
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
4
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
Copied!
If you can overwrite the registry value or the binary you will be able to escalate privileges.
Policy Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Check Run key.
1
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
2
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
3
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
4
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
Copied!
AlternateShell
Path:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBootUnder the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot is the value AlternateShell, which by default is set to cmd.exe (the command prompt). When you press F8 during startup and select "Safe Mode with Command Prompt," the system uses this alternate shell.
You can, however, create a boot option so that you don't have to press F8, then select "Safe Mode with Command Prompt."- 1.Edit the boot.ini (c:\boot.ini) file attributes to make the file nonread-only, nonsystem, and nonhidden (attrib c:\boot.ini -r -s -h).
- 2.Open boot.ini.
- 3.Add a line similar to the following:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL) - 4.Save the file.
- 5.Reapply the correct permissions (attrib c:\boot.ini +r +s +h).
Exploit 1: If you can modify this registry key you can point your backdoor
Exploit 2 (PATH write permissions): If you have write permission on any folder of the system PATH before C:\Windows\system32 (or if you can change it) you can create a cmd.exe file and if someone initiates the machine in Safe Mode your backdoor will be executed.
Exploit 3 (PATH write permissions and boot.ini write permissions): If you can write boot.ini, you can automate the startup in safe mode for the next reboot.
1
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
2
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
Copied!
Installed Component
HKLM\SOFTWARE\Microsoft\Active Setup\Installed ComponentsHKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed ComponentsHKCU\SOFTWARE\Microsoft\Active Setup\Installed ComponentsHKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
Active Setup runs before the Desktop appears. Commands started by Active Setup run synchronously, blocking the logon while they are executing. Active Setup is executed before any Run or RunOnce registry entries are evaluated.
Inside those keys you will find more keys and each for those will home some interesting key-values. The most interesting ones are:
- IsInstalled:
- 0: The component’s command will not run.
- 1: The component’s command will be run once per user. This is the default (if the IsInstalled value does not exist).
- StubPath
- Format: Any valid command line, e.g. “notepad”
- This is the command that is executed if Active Setup determines this component needs to run during logon.
If you could write/overwrite on any Key with IsInstalled == "1" the key StubPath, you could point it to a backdoor and escalate privileges. Also, if you could overwrite any binary pointed by any StubPath key you could be able to escalate privileges.
1
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
2
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
3
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
4
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
Copied!
Browser Helper Objects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. These modules are executed for each new instance of Internet Explorer and for each new instance of Windows Explorer. However, a BHO can be prevented to be executed by each instance of Explorer setting the key NoExplorer to 1.
BHOs are still supported as of Windows 10, through Internet Explorer 11, while BHOs are not supported in the default web browser Microsoft Edge.
1
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
2
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
Copied!
Note that the registry will contain 1 new registry per each dll and it will be represented by the CLSID. You can find the CLSID info in
HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}Internet Explorer Extensions
HKLM\Software\Microsoft\Internet Explorer\ExtensionsHKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
Note that the registry will contain 1 new registry per each dll and it will be represented by the CLSID. You can find the CLSID info in
HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}Font Drivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font DriversHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
2
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
3
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
4
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Copied!
Open Command
HKLM\SOFTWARE\Classes\htmlfile\shell\open\commandHKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command
1
reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
2
reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
3
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
4
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
Copied!
Image File Execution Options
1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
2
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
Copied!
SysInternals
Note that all the sites where you can find autoruns are already searched by winpeas.exe. However, for a more comprehensive list of auto-executed file you could use autoruns from systinternals:
1
autorunsc.exe -m -nobanner -a * -ct /accepteula
Copied!
More
Find more Autoruns like registries in https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2
References
Support HackTricks and get benefits!
Last modified 19d ago