Techniques Overview

Created: 10.05.2023

This is about … .



Some autostart utilities run under elevated privileges, so it's persistence + escalation.


  • Registry Run Keys / Startup Folder
    • Windows
      • current user: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (default)
      • all users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp (default)
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (default)
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (default)
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
      • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows - programs listed here run when any user logs on.
      • The multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set by default to "autocheck autochk *". This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system was shut down abnormally. Adversaries can add other programs or processes to this value, and they will launch automatically at boot.
      • Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.
      • Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.
      • Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.
        • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
        • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
        • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
      • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages - DLLs listed here are loaded into the LSA process, which means they have access to unencrypted password info.
  • Kernel modules and extensions (UNIX)




Detect possible PE vectors on a Windows/Linux/macOS machine.
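A defender-side check for the Windows locations in the list above and for the detection note, added here as an example rather than code from these notes. It assumes a default-install baseline for Winlogon Userinit/Shell, BootExecute, LSA Authentication Packages and the Load/Run values of the HKCU ...\Windows NT\CurrentVersion\Windows key (verify that baseline against a known-good host of the same build), and it is run from an elevated PowerShell on the host being examined, covering only the current user's HKCU hive.

```powershell
# Added example: enumerate the Windows autostart locations listed above and flag deviations.
# Assumed default-install baseline; confirm against a known-good host of the same build.
# Key format is '<registry path>|<value name>'; '' means the value should be absent.
$Baseline = @{
  'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit' = 'C:\Windows\system32\userinit.exe,'
  'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell'    = 'explorer.exe'
  'HKLM:\System\CurrentControlSet\Control\Session Manager|BootExecute'   = 'autocheck autochk *'
  'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|Authentication Packages'   = 'msv1_0'
  'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows|Load'      = ''
  'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows|Run'       = ''
}
# Keys whose every value is an autostart command; anything present gets listed for review.
$RunKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
function Get-AutostartFindings {
  foreach ($b in $Baseline.GetEnumerator()) {
    $path, $name = $b.Key -split '\|'
    $live = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $liveStr = [string]($live -join ' ')   # BootExecute / Authentication Packages are REG_MULTI_SZ
    if ($liveStr -ne $b.Value) {
      [pscustomobject]@{ Location = "$path\$name"; Value = $liveStr; Status = "DEVIATES (expected '$($b.Value)')" }
    }
  }
  # RunOnceEx keeps its commands in numbered subkeys (and their Depend subkeys), so recurse into it.
  $exKeys = @(Get-ChildItem 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
  foreach ($key in ($RunKeys + $exKeys)) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {   # skip provider metadata
      [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = [string]$p.Value; Status = 'REVIEW' }
    }
  }
  # Startup folders: GetFolderPath resolves through the (User) Shell Folders values, so a redirected Startup location shows up as an unexpected directory.
  foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    [pscustomobject]@{ Location = $dir; Value = "$folder directory"; Status = 'REVIEW path' }
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
      ForEach-Object { [pscustomobject]@{ Location = $_.FullName; Value = $folder; Status = 'REVIEW' } }
  }
}
Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

Time providers (W32Time\TimeProviders), Winlogon\Notify and the Security Packages values are not covered by the baseline table; add them the same way once a known-good value for the build is recorded.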