HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx.

The Run and RunOnce registry keys are used to make a program run when a user logs on. The Run key makes the program run every time a user logs on, while the RunOnce key makes the program run one time, and then the key is deleted.

Startup Registry Keys Enumeration: Autoruns.exe (GUI)

If we have found ourselves in a position where we have enumerated a set of user credentials somehow and that user has access to RDP, then we have the ability to use some nice UI tools for easy visualization. In this example, we used xfreerdp to obtain an RDP session as the user meisenhardt.

From a GUI session on the victim, the best way that we can enumerate startup registry keys is by using the Autoruns.exe tool from the Sysinternals Suite of Tools.

After downloading the Sysinternals tools, we can set up an HTTP server on our attacker machine from the Sysinternals directory, like so:

python3 -m http.server 80

From the snip above, we can see that Sysinternals ships with two versions of this tool. This is because it has a 32-bit and a 64-bit executable. So, before we download this onto the victim, we should check to see what OS they are running as well as the architecture.

systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"

Here we can see that the victim is running a Windows 10 Pro machine – Build 17134 (version 1803) with a 64-bit operating system.

Perfect! Now that we have our arch, let's use the browser on the victim to navigate to our attacker machine's HTTP server and download a copy of Autoruns64.exe. After downloading the file, head to the Downloads folder and then double-click it to fire it up. Now the Autoruns tool should be running and look like this:

This tool gives us insight into A LOT of configurations on the system. All of the filters are available as tabs on top of the output. For our needs, we can filter down to just 'Logon', which would be any programs that run from the autorun registry keys or folder. Additionally, with autoruns.exe we can get insight into Scheduled Tasks, Services, WinLogon, DLLs, and lots more! The objective for us as an attacker is to use this tool to find any outliers.
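An added example (not code from the original post or from Sysinternals) that reads the same Logon autorun locations the Autoruns 'Logon' tab shows, straight from PowerShell on the audited host, and marks the outliers: entries whose target sits outside the Windows or Program Files trees, is missing, or is not validly signed. It assumes a PowerShell session on the machine being checked; the HKCU and Wow6432Node paths are standard Run-key locations that the page itself does not list.

```powershell
# Added example, not from the original post: list the Logon autorun entries that
# Autoruns' 'Logon' tab reads from the registry and flag the outliers worth a
# second look. Assumes a PowerShell session on the machine being audited.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Standard install roots; an autorun pointing elsewhere (user profile, temp,
# a share) is the kind of outlier the post tells us to look for.
$expectedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Pull the executable path out of a value such as:  "C:\Dir\app.exe" /arg
function Get-TargetPath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # RunOnceEx stores its commands in numbered subkeys, so walk subkeys too.
    foreach ($item in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
        foreach ($name in $item.GetValueNames()) {
            $target = Get-TargetPath ([string]$item.GetValue($name))
            $known  = $expectedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }
            $sig    = if ($target -and (Test-Path -LiteralPath $target)) {
                          (Get-AuthenticodeSignature -FilePath $target).Status
                      } else { 'FileMissing' }
            [pscustomobject][ordered]@{
                Key       = $item.Name
                Name      = $name
                Target    = $target
                Signature = $sig
                Flag      = if (-not $known -or $sig -ne 'Valid') { 'REVIEW' } else { '' }
            }
        }
    }
}
$results | Format-Table -AutoSize
```

Rows marked REVIEW are the ones to compare against the Autoruns Logon tab; a valid signature from a vendor you do not recognise still deserves a look, so treat the flag as a triage aid rather than a verdict.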