Logon Autostart Execution
The document discusses the exploitation of Registry Run Keys for privilege escalation and persistence attacks. It highlights the significance of Run and RunOnce registry keys in executing programs upon user logins. These keys can be leveraged by attackers to escalate privileges by linking services with the registry, leading to Logon Autostart Execution.
The lab setup outlined in the document involves creating a directory in Program Files, adding an application or service to it, and modifying permissions to allow Full Control for authenticated users. This misconfiguration in the startup folder creates a vulnerability that attackers can exploit.
By enumerating permissions with tools like WinPEAS, attackers can identify opportunities to launch malware, such as a RAT, that sustains persistence across system reboots. Creating malicious executables with tools like msfvenom and placing them in directories with lax permissions enables attackers to achieve persistence or privilege escalation.
The document also provides steps for executing malicious executables by replacing original files, setting up netcat listeners, and transferring files for autostart execution upon system reboot. The attack methodology involves manipulating registry keys and exploiting misconfigured startup folders to gain elevated privileges.
Overall, the document serves as a guide for understanding and exploiting Registry Run Keys for privilege escalation and persistence attacks, emphasizing the importance of securing registry configurations to prevent unauthorized access and malicious activities.
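The misconfiguration described above (a Run or RunOnce entry whose target sits in a folder that broad groups can write to) can be audited with a short script. This is an added example, not code from the original document; the function names are hypothetical, and it assumes the standard per-machine and per-user Run/RunOnce key locations.

```powershell
# Added example: flag Run/RunOnce entries whose target file or parent folder
# grants write access to broad groups.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Well-known SIDs: Everyone, Interactive, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545'

# Rights that let a principal replace or plant a file (named rights only)
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Hypothetical helper: pull the executable path out of a Run value's command line
function Get-CommandPath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }                       # quoted path
    if ($c -match '^(.+?\.(exe|bat|cmd|com|vbs|ps1))(\s|$)') { return $Matches[1] }  # unquoted, may contain spaces
    return ($c -split '\s+')[0]
}

# Hypothetical helper: return Allow ACEs that give a broad SID write-type rights
function Get-BroadWriteAce([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0)
        }
}

$findings = foreach ($key in $runKeys) {
    $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $target = Get-CommandPath ([string]$k.GetValue($name))
        if (-not $target) { continue }
        # Check both the binary and the folder it lives in
        foreach ($p in $target, (Split-Path -Parent $target)) {
            foreach ($ace in (Get-BroadWriteAce $p)) {
                [pscustomobject]@{ Key = $key; Value = $name; Path = $p
                                   Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Any row in the output is an autostart entry that a non-administrative user could replace; tightening the folder ACL so that only administrators and SYSTEM can write removes the finding.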