hacktricks/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md

353 lines
23 KiB
Markdown
Raw Normal View History

# Privilege Escalation with Autoruns
2022-04-28 16:01:33 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
2022-04-28 16:01:33 +00:00
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}
2022-04-28 16:01:33 +00:00
<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
2022-05-24 00:07:19 +00:00
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
2022-04-28 16:01:33 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-05-24 00:07:19 +00:00
## WMIC
2020-08-05 22:33:19 +00:00
**Wmic** 可以用来在 **启动时** 运行程序。查看哪些二进制文件被编程为在启动时运行:
2020-08-05 22:33:19 +00:00
```bash
wmic startup get caption,command 2>nul & ^
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
```
## 定时任务
2020-08-05 22:33:19 +00:00
**任务**可以按**特定频率**安排运行。查看哪些二进制文件被安排运行:
2020-08-05 22:33:19 +00:00
```bash
schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
2020-08-17 14:38:36 +00:00
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
2020-10-22 16:22:49 +00:00
#Schtask to give admin access
#You can also write that content on a bat file that is being executed by a scheduled task
schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
2020-08-05 22:33:19 +00:00
```
## Folders
2020-08-05 22:33:19 +00:00
所有位于 **启动文件夹** 的二进制文件将在启动时执行。常见的启动文件夹如下所示,但启动文件夹在注册表中指示。[阅读此以了解位置。](privilege-escalation-with-autorun-binaries.md#startup-path)
2020-08-05 22:33:19 +00:00
```bash
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
```
2023-08-03 19:12:22 +00:00
## 注册表
2020-08-05 22:33:19 +00:00
2020-08-05 16:26:55 +00:00
{% hint style="info" %}
[此处的说明](https://answers.microsoft.com/en-us/windows/forum/all/delete-registry-key/d425ae37-9dcc-4867-b49c-723dcd15147f): **Wow6432Node** 注册表项表示您正在运行 64 位 Windows 版本。操作系统使用此键为在 64 位 Windows 版本上运行的 32 位应用程序显示 HKEY\_LOCAL\_MACHINE\SOFTWARE 的单独视图。
2020-08-05 16:26:55 +00:00
{% endhint %}
2020-08-04 22:50:29 +00:00
2023-08-03 19:12:22 +00:00
### 运行
2020-08-04 22:50:29 +00:00
**常见的** AutoRun 注册表:
2020-08-05 16:26:55 +00:00
2020-08-04 22:50:29 +00:00
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnce`
2020-08-05 21:47:51 +00:00
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx`
2020-08-04 22:50:29 +00:00
被称为 **Run****RunOnce** 的注册表键旨在每次用户登录系统时自动执行程序。分配给键的数据值的命令行限制为 260 个字符或更少。
2020-08-04 22:50:29 +00:00
**服务运行**(可以控制启动时服务的自动启动):
2020-08-05 16:26:55 +00:00
2022-05-24 00:07:19 +00:00
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices`
2020-08-05 16:26:55 +00:00
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices`
2022-05-24 00:07:19 +00:00
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
2020-08-05 16:26:55 +00:00
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
**RunOnceEx:**
* `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`
* `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx`
在 Windows Vista 及更高版本中,**Run** 和 **RunOnce** 注册表键不会自动生成。这些键中的条目可以直接启动程序或将其指定为依赖项。例如,要在登录时加载 DLL 文件,可以使用 **RunOnceEx** 注册表键以及一个 "Depend" 键。这通过添加一个注册表项来演示,在系统启动时执行 "C:\temp\evil.dll"
```
reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"
```
2020-08-04 22:50:29 +00:00
{% hint style="info" %}
**Exploit 1**: 如果您可以在 **HKLM** 中的任何提到的注册表项内写入,您可以在不同用户登录时提升权限。
2020-08-04 22:50:29 +00:00
{% endhint %}
{% hint style="info" %}
**Exploit 2**: 如果您可以覆盖 **HKLM** 中任何注册表项上指示的任何二进制文件,您可以在不同用户登录时用后门修改该二进制文件并提升权限。
2020-08-04 22:50:29 +00:00
{% endhint %}
```bash
2020-08-05 16:26:55 +00:00
#CMD
2020-08-04 22:50:29 +00:00
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
2020-08-05 16:26:55 +00:00
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
2020-08-04 22:50:29 +00:00
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
2020-08-05 16:26:55 +00:00
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
2020-08-05 21:47:51 +00:00
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE
2020-08-05 16:26:55 +00:00
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Microsoft\Windows\RunOnceEx
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
#PowerShell
2020-08-04 22:50:29 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
2020-08-05 16:26:55 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
2020-08-04 22:50:29 +00:00
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
2020-08-05 16:26:55 +00:00
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
2020-08-05 21:47:51 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'
2020-08-05 16:26:55 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
2020-08-04 22:50:29 +00:00
```
2023-08-03 19:12:22 +00:00
### 启动路径
2020-08-04 22:50:29 +00:00
2020-08-05 16:26:55 +00:00
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
2020-08-04 22:50:29 +00:00
放置在**启动**文件夹中的快捷方式将在用户登录或系统重启时自动触发服务或应用程序启动。**启动**文件夹的位置在注册表中为**本地计算机**和**当前用户**范围定义。这意味着添加到这些指定**启动**位置的任何快捷方式都将确保链接的服务或程序在登录或重启过程后启动,使其成为安排程序自动运行的简单方法。
2020-08-05 16:26:55 +00:00
{% hint style="info" %}
如果您可以覆盖**HKLM**下的任何\[用户] Shell Folder您将能够将其指向您控制的文件夹并放置一个后门该后门将在用户登录系统时执行从而提升权限。
2020-08-05 16:26:55 +00:00
{% endhint %}
2020-08-04 22:50:29 +00:00
```bash
2020-08-05 16:26:55 +00:00
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
```
### Winlogon 键
2020-08-05 16:26:55 +00:00
`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
通常,**Userinit** 键设置为 **userinit.exe**。然而,如果此键被修改,指定的可执行文件将在用户登录时由 **Winlogon** 启动。同样,**Shell** 键旨在指向 **explorer.exe**,这是 Windows 的默认外壳。
2020-08-05 16:26:55 +00:00
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
```
{% hint style="info" %}
如果您可以覆盖注册表值或二进制文件,您将能够提升权限。
2020-08-05 16:26:55 +00:00
{% endhint %}
2023-08-03 19:12:22 +00:00
### 策略设置
2020-08-05 16:26:55 +00:00
2022-05-24 00:07:19 +00:00
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
2020-08-05 16:26:55 +00:00
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
2023-08-03 19:12:22 +00:00
检查 **Run** 键。
2020-08-05 16:26:55 +00:00
```bash
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
2020-08-04 22:50:29 +00:00
```
2022-05-24 00:07:19 +00:00
### AlternateShell
2020-08-04 22:50:29 +00:00
### 更改安全模式命令提示符
2020-08-04 22:50:29 +00:00
在 Windows 注册表的 `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` 下,有一个默认设置为 `cmd.exe`**`AlternateShell`** 值。这意味着当你在启动时选择“带命令提示符的安全模式”(通过按 F8将使用 `cmd.exe`。但是,可以设置计算机在不需要按 F8 和手动选择的情况下自动以此模式启动。
2020-08-04 22:50:29 +00:00
创建自动在“带命令提示符的安全模式”中启动的启动选项的步骤:
2020-08-04 22:50:29 +00:00
1. 更改 `boot.ini` 文件的属性以移除只读、系统和隐藏标志:`attrib c:\boot.ini -r -s -h`
2. 打开 `boot.ini` 进行编辑。
3. 插入一行,如:`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)`
4. 保存对 `boot.ini` 的更改。
5. 重新应用原始文件属性:`attrib c:\boot.ini +r +s +h`
2020-08-04 22:50:29 +00:00
* **Exploit 1:** 更改 **AlternateShell** 注册表键允许自定义命令 shell 设置,可能用于未经授权的访问。
* **Exploit 2 (PATH 写权限):** 对系统 **PATH** 变量的任何部分具有写权限,特别是在 `C:\Windows\system32` 之前,可以执行自定义的 `cmd.exe`,如果系统在安全模式下启动,这可能是一个后门。
* **Exploit 3 (PATH 和 boot.ini 写权限):** 对 `boot.ini` 的写访问使得自动安全模式启动成为可能,从而在下次重启时促进未经授权的访问。
2020-08-04 22:50:29 +00:00
要检查当前的 **AlternateShell** 设置,请使用以下命令:
2020-08-04 22:50:29 +00:00
```bash
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
```
2023-08-03 19:12:22 +00:00
### 已安装组件
2020-08-05 16:26:55 +00:00
Active Setup 是 Windows 中的一个功能,它**在桌面环境完全加载之前启动**。它优先执行某些命令,这些命令必须在用户登录之前完成。此过程甚至在其他启动项(例如 Run 或 RunOnce 注册表部分中的项)被触发之前发生。
2020-08-05 16:26:55 +00:00
Active Setup 通过以下注册表键进行管理:
2020-08-05 16:26:55 +00:00
* `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`
* `HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
* `HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components`
* `HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
2020-08-05 16:26:55 +00:00
在这些键中,存在多个子键,每个子键对应一个特定组件。特别关注的键值包括:
2020-08-05 16:26:55 +00:00
* **IsInstalled:**
* `0` 表示该组件的命令将不会执行。
* `1` 表示命令将为每个用户执行一次,如果缺少 `IsInstalled` 值,则这是默认行为。
* **StubPath:** 定义 Active Setup 要执行的命令。它可以是任何有效的命令行,例如启动 `notepad`
**安全洞察:**
* 修改或写入 **`IsInstalled`** 设置为 `"1"` 的键,并指定 **`StubPath`** 可能导致未经授权的命令执行,从而可能实现权限提升。
* 更改任何 **`StubPath`** 值中引用的二进制文件也可能实现权限提升,前提是具有足够的权限。
要检查 Active Setup 组件中的 **`StubPath`** 配置,可以使用以下命令:
2020-08-05 16:26:55 +00:00
```bash
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
2020-08-05 16:26:55 +00:00
```
### Browser Helper Objects
### Overview of Browser Helper Objects (BHOs)
Browser Helper Objects (BHOs) 是 DLL 模块,旨在为 Microsoft 的 Internet Explorer 添加额外功能。它们在每次启动时加载到 Internet Explorer 和 Windows Explorer 中。然而,通过将 **NoExplorer** 键设置为 1可以阻止它们的执行从而防止它们与 Windows Explorer 实例一起加载。
BHOs 通过 Internet Explorer 11 与 Windows 10 兼容,但在 Microsoft Edge新版本 Windows 的默认浏览器)中不受支持。
要探索系统上注册的 BHOs可以检查以下注册表键
2020-08-05 16:26:55 +00:00
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
* `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
2020-08-05 16:26:55 +00:00
每个 BHO 在注册表中由其 **CLSID** 表示,作为唯一标识符。有关每个 CLSID 的详细信息可以在 `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}` 下找到。
2020-08-05 16:26:55 +00:00
要在注册表中查询 BHOs可以使用以下命令
2020-08-05 21:47:51 +00:00
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
2020-08-05 21:47:51 +00:00
```
### Internet Explorer 扩展
2020-08-05 21:47:51 +00:00
* `HKLM\Software\Microsoft\Internet Explorer\Extensions`
* `HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions`
注意,注册表将为每个 dll 包含 1 个新的注册表项,并由 **CLSID** 表示。您可以在 `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}` 中找到 CLSID 信息。
2020-08-05 21:47:51 +00:00
### 字体驱动程序
2020-08-05 21:47:51 +00:00
* `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers`
* `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers`
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
```
2023-08-03 19:12:22 +00:00
### 打开命令
2020-08-05 21:47:51 +00:00
* `HKLM\SOFTWARE\Classes\htmlfile\shell\open\command`
* `HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command`
```bash
reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
```
2023-08-03 19:12:22 +00:00
### 图像文件执行选项
2022-05-24 00:07:19 +00:00
```
2021-09-06 22:26:52 +00:00
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
```
2022-05-24 00:07:19 +00:00
## SysInternals
2020-08-05 22:33:19 +00:00
请注意,您可以找到 autoruns 的所有站点 **已经被**[ **winpeas.exe**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) **搜索过**。然而,对于 **更全面的自动执行** 文件列表,您可以使用来自 Sysinternals 的 [autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
2022-05-24 00:07:19 +00:00
```
2020-08-05 22:33:19 +00:00
autorunsc.exe -m -nobanner -a * -ct /accepteula
```
2023-08-03 19:12:22 +00:00
## 更多
2020-08-05 22:33:19 +00:00
**在** [**https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2**](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2) **中查找更多类似的自动运行注册表。**
2020-08-05 16:26:55 +00:00
## 参考文献
2020-08-05 16:26:55 +00:00
2022-05-24 00:07:19 +00:00
* [https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref](https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref)
2020-08-05 16:26:55 +00:00
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
* [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell)
2022-05-24 00:07:19 +00:00
<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
2020-08-05 16:26:55 +00:00
**漏洞赏金提示****注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达**$100,000**的赏金!
2022-04-28 16:01:33 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-04-28 16:01:33 +00:00
{% hint style="success" %}
学习与实践 AWS 黑客攻击:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
学习与实践 GCP 黑客攻击:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
<summary>支持 HackTricks</summary>
2022-04-28 16:01:33 +00:00
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **在 Twitter 上关注** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}