Judging by the output from the commands above, it appears that everyone on the system has access to modify program.exe, so this confirms this Autorun program is indeed exploitable.Īutomated enumeration scripts such as WinPEAS can also help identify weak Autorun programs. Icacls or Accesschk can be used to identify the permissions of a specific folder or file: icacls Accesschk.exe -accepteula -wuqv exe file so that it can be replaced with a malicious one. The next steps is to verify whether the current user has write access to the. A comprehensive list of the registry key that could store this information can be found here. The screenshot above shows how the “program.exe” application is stored in the Run registry, and therefore it will be executed when a user logs in, with the level of privilege of that user. The Autorun programs are usually stored in the Run or RunOnce registry keys, the following command can be used too query this key and identify any of them: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Although this feature can be very handy if startup programs are setup with improper permissions it may allow attackers to escalate privileges, as these programs are executed in the context of the user who is logging in at that point in time. Windows allows users to set specific programs to automatically start whenever the system boots, the list of programs that have this functionality enabled is stored in the Windows Registry.
0 kommentar(er)
