Windows Privilege Escalation

Boot Logon Autostart Execution

The document explores the concept of Boot Logon Autostart Execution through the Windows Startup folder, focusing on the security risks and how attackers exploit them. It explains how placing an application in the Startup folder, or referencing it from a Registry Run key, can be used for privilege escalation or persistence. When a user logs in, every application referenced by the "Run keys" or present in the Startup folder is executed with that user's privilege level.

Two techniques for Logon Autostart Execution are highlighted: Registry Run Keys and the Startup Folder. Dropping a malicious program into the Startup folder makes it run at the next user login, which gives an attacker persistence or, where the folder is machine-wide and the next user to log in is privileged, privilege escalation. This method has been used by advanced persistent threats (APTs) such as APT3, APT33, and APT39.

The document provides detailed steps for privilege escalation by abusing the Startup folder, including enumerating the folder's permissions with tools such as icacls and AccessChk (accesschk.exe). It stresses that such permission misconfigurations must be avoided in production environments, since a Startup folder writable by low-privileged users is the vulnerability itself.
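The permission enumeration the document describes with icacls and AccessChk can be turned into a defender-side audit. The PowerShell below is an added example, not code from the original document; it reads the ACLs of the machine-wide Startup folder and the HKLM Run/RunOnce keys with the built-in `Get-Acl` cmdlet and reports any Allow entry that grants write-type rights to a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE). The list of principals and the choice of locations are assumptions for this example; the per-user Startup folder and HKCU keys are deliberately left out because they are writable by their owner by design.

```powershell
# Added example (not part of the original document): audit machine-wide autostart
# locations for write access granted to broad, low-privileged principals.
# A hit here is the misconfiguration the document warns about.

# Assumed set of principals that should never hold write rights on these locations.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Machine-wide autostart locations: the All Users Startup folder and HKLM Run keys.
$MachineWideTargets = @(
    [Environment]::GetFolderPath('CommonStartup'),
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-AceGrantsWrite {
    param([System.Security.AccessControl.AuthorizationRule]$Ace)

    # File system and registry ACEs expose different rights enums, so build the
    # "can this principal add or change an autostart entry" mask per type.
    if ($Ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
        $rights = $Ace.FileSystemRights
        $mask   = [System.Security.AccessControl.FileSystemRights]::Write -bor
                  [System.Security.AccessControl.FileSystemRights]::Modify -bor
                  [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    else {
        $rights = $Ace.RegistryRights
        $mask   = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                  [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                  [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                  [System.Security.AccessControl.RegistryRights]::FullControl
    }
    return (([int]$rights -band [int]$mask) -ne 0)
}

function Get-AutostartWriteExposure {
    param([string[]]$Targets = $MachineWideTargets)

    foreach ($target in $Targets) {
        if (-not (Test-Path -Path $target)) { continue }   # skip locations absent on this host

        $acl = Get-Acl -Path $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (-not (Test-AceGrantsWrite -Ace $ace)) { continue }

            # One finding per offending ACE; Rights shows the granted flags verbatim.
            [pscustomobject]@{
                Location  = $target
                Principal = $ace.IdentityReference.Value
                Rights    = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                                $ace.FileSystemRights } else { $ace.RegistryRights }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: list findings as a table; an empty result means no broad principal can
# write to the machine-wide Startup folder or HKLM Run keys.
Get-AutostartWriteExposure | Format-Table -AutoSize
```

On a correctly configured host the machine-wide Startup folder grants Users only Read and Execute, so any row in the output is worth investigating. Remediation is to remove the offending ACE (or correct the inherited ACL it came from) and compare the result against a known-good build; the same function can then be re-run to confirm the exposure is gone.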

Furthermore, the document outlines a lab setup in which a low-privileged user escalates to NT AUTHORITY\SYSTEM by exploiting a misconfigured Startup folder. It covers the prerequisites, the tools required, and the objective of the lab.

Overall, the document serves as a comprehensive guide to understanding and mitigating the risks of unauthorized write access to, and abuse of, the Windows Startup folder.
