AutoRuns
Windows can be set to run scripts and applications on system boot and on logon of a user.
Above, the binary program.exe has been located under the specified registry path. Binaries found in this path are executed every time a user logs into the system. [Source]
Running accesschk.exe against the binary shows that the security group "Everyone" has FILE_ALL_ACCESS permission to the binary.
This means the binary can be overwritten by anyone. In effect, replacing the binary with a reverse shell named program.exe would mean that the next time someone logs in, the shell would be executed in the context of the logged-in user.
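
To audit a host for the condition described above, the following added example (not part of the original page) lists autorun entries whose target file grants write-capable rights to broad groups. It assumes the standard machine-wide Run/RunOnce keys and treats Everyone, Authenticated Users and BUILTIN\Users as the broad principals; both lists are assumptions to adjust.

```powershell
# Added audit sketch (not from the original page). Read-only: it changes nothing.
# Assumed scope: the standard machine-wide autorun keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Well-known SIDs for Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# Write, Delete, ChangePermissions, TakeOwnership, plus GENERIC_WRITE / GENERIC_ALL.
$writeBits = 0x500D0116
$sidType   = [System.Security.Principal.SecurityIdentifier]

foreach ($keyPath in $runKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        # Expand %VARS% and pull the executable path out of the command line.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        if     ($cmd -match '^\s*"([^"]+)"')                          { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd|vbs|ps1))\b') { $exe = $Matches[1] }
        else   { continue }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        # Ask for the ACL with identities already expressed as SIDs.
        $rules = (Get-Acl -LiteralPath $exe).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $broadSids -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
            if ($isAllow -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Key    = $keyPath
                    Value  = $name
                    Binary = $exe
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}
```

Any row returned is an autorun target that non-administrators can modify; restricting write access on that file to Administrators and SYSTEM removes the condition. The script checks only the file's own ACL, not the ACL of its parent folder.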