Privilege Escalation with Autoruns

Reading time: 16 minutes

WMIC

Wmic inaweza kutumika kuendesha programu kwenye kuanzisha. Angalia ni binaries gani zimepangwa kuendesha kwenye kuanzisha kwa:

wmic startup get caption,command 2>nul & ^
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl

Scheduled Tasks

Tasks zinaweza kuandaliwa kuendesha kwa mara fulani. Angalia ni binaries gani zimeandaliwa kuendesha na:

schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

#Schtask to give admin access
#You can also write that content on a bat file that is being executed by a scheduled task
schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"

Folders

All the binaries located in the Startup folders are going to be executed on startup. The common startup folders are the ones listed a continuation, but the startup folder is indicated in the registry. Soma hii kujifunza wapi.

dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"

FYI: Utoaji wa archive path traversal vulnerabilities (kama ile inayotumiwa katika WinRAR kabla ya 7.13 – CVE-2025-8088) inaweza kutumika ku weka payloads moja kwa moja ndani ya folda hizi za Startup wakati wa kufungua, na kusababisha utekelezaji wa msimbo wakati wa kuingia kwa mtumiaji. Kwa maelezo zaidi kuhusu mbinu hii angalia:

Archive Extraction Path Traversal

Registry

Runs

Inajulikana kwa kawaida AutoRun registry:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx

Funguo za registry zinazojulikana kama Run na RunOnce zimeundwa ili kutekeleza programu kiotomatiki kila wakati mtumiaji anapoingia kwenye mfumo. Mstari wa amri uliotolewa kama thamani ya data ya funguo umewekwa mipaka ya herufi 260 au chini.

Huduma inazoendesha (zinaweza kudhibiti kuanzishwa kiotomatiki kwa huduma wakati wa boot):

• HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices

RunOnceEx:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx

Katika Windows Vista na toleo la baadaye, funguo za Run na RunOnce hazizalishwi kiotomatiki. Kuingizwa katika funguo hizi kunaweza kuanzisha moja kwa moja programu au kuziweka kama utegemezi. Kwa mfano, ili kupakia faili ya DLL wakati wa kuingia, mtu anaweza kutumia funguo ya registry ya RunOnceEx pamoja na funguo ya "Depend". Hii inaonyeshwa kwa kuongeza kuingizwa kwa registry ili kutekeleza "C:\temp\evil.dll" wakati wa kuanzishwa kwa mfumo:

reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"

#CMD
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices

reg query HKLM\Software\Microsoft\Windows\RunOnceEx
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx

#PowerShell
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'

Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'

Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'

Njia ya Kuanzisha

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Viungo vilivyowekwa katika folda ya Kuanzisha vitasababisha huduma au programu kuanzishwa wakati wa kuingia kwa mtumiaji au upya wa mfumo. Mahali pa folda ya Kuanzisha lin defined katika rejista kwa mipangilio ya Mashine ya Mitaa na Mtumiaji wa Sasa. Hii inamaanisha kwamba kiungo chochote kilichoongezwa kwenye maeneo haya maalum ya Kuanzisha kitahakikisha huduma au programu iliyounganishwa inaanza baada ya mchakato wa kuingia au upya, na kufanya kuwa njia rahisi ya kupanga programu kuendesha kiotomatiki.

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"

Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"

Winlogon Keys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Kawaida, ufunguo wa Userinit umewekwa kwenye userinit.exe. Hata hivyo, ikiwa ufunguo huu umebadilishwa, executable iliyoainishwa pia itazinduliwa na Winlogon wakati wa kuingia kwa mtumiaji. Vivyo hivyo, ufunguo wa Shell unakusudia kuelekeza kwenye explorer.exe, ambayo ni shell ya kawaida kwa Windows.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"

Sera za Mipangilio

• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Angalia ufunguo wa Run.

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"

AlternateShell

Kubadilisha Amri ya Salama ya Msimbo

Katika Usajili wa Windows chini ya HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, kuna thamani ya AlternateShell iliyowekwa kwa chaguo-msingi kuwa cmd.exe. Hii inamaanisha unapochagua "Salama Msimbo na Amri" wakati wa kuanzisha (kwa kubonyeza F8), cmd.exe inatumika. Lakini, inawezekana kuandaa kompyuta yako kuanzisha moja kwa moja katika hali hii bila kuhitaji kubonyeza F8 na kuchagua kwa mikono.

Hatua za kuunda chaguo la kuanzisha ili kuanzisha moja kwa moja katika "Salama Msimbo na Amri":

1. Badilisha sifa za faili ya boot.ini kuondoa bendera za kusoma pekee, mfumo, na zilizofichwa: attrib c:\boot.ini -r -s -h
2. Fungua boot.ini kwa ajili ya kuhariri.
3. Ingiza mstari kama: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
4. Hifadhi mabadiliko kwenye boot.ini.
5. Rudisha sifa za awali za faili: attrib c:\boot.ini +r +s +h

• Kuvunja 1: Kubadilisha funguo za usajili za AlternateShell kunaruhusu usanidi wa shell ya amri ya kawaida, huenda kwa ufikiaji usioidhinishwa.
• Kuvunja 2 (Ruhusa za Kuandika PATH): Kuwa na ruhusa za kuandika sehemu yoyote ya mfumo wa PATH variable, hasa kabla ya C:\Windows\system32, kunakuwezesha kutekeleza cmd.exe ya kawaida, ambayo inaweza kuwa nyuma ya mlango ikiwa mfumo utaanzishwa katika Hali ya Salama.
• Kuvunja 3 (Ruhusa za Kuandika PATH na boot.ini): Upatikanaji wa kuandika kwenye boot.ini unaruhusu kuanzisha Hali ya Salama kiotomatiki, ikirahisisha ufikiaji usioidhinishwa kwenye kuanzisha kwa pili.

Ili kuangalia mipangilio ya sasa ya AlternateShell, tumia amri hizi:

reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'

Installed Component

Active Setup ni kipengele katika Windows ambacho kinanzishwa kabla ya mazingira ya desktop kupakiwa kikamilifu. Kinapa kipaumbele utekelezaji wa amri fulani, ambazo lazima zikamilike kabla ya kuendelea na kuingia kwa mtumiaji. Mchakato huu unafanyika hata kabla ya kuanzishwa kwa entries nyingine za kuanzisha, kama zile katika sehemu za Run au RunOnce za rejista.

Active Setup inasimamiwa kupitia funguo zifuatazo za rejista:

• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
• HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
• HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
• HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Ndani ya funguo hizi, kuna funguo ndogo mbalimbali, kila moja ikihusiana na kipengele maalum. Thamani za funguo ambazo zina umuhimu maalum ni pamoja na:

• IsInstalled:
• 0 inaonyesha amri ya kipengele haitatekelezwa.
• 1 inamaanisha amri itatekelezwa mara moja kwa kila mtumiaji, ambayo ni tabia ya kawaida ikiwa thamani ya IsInstalled haipo.
• StubPath: Inaelezea amri itakayotekelezwa na Active Setup. Inaweza kuwa amri yoyote halali ya mstari, kama kuanzisha notepad.

Mawasiliano ya Usalama:

• Kubadilisha au kuandika kwenye funguo ambapo IsInstalled imewekwa kuwa "1" na StubPath maalum kunaweza kusababisha utekelezaji wa amri zisizoidhinishwa, huenda kwa ajili ya kupandisha hadhi.
• Kubadilisha faili ya binary inayorejelewa katika thamani yoyote ya StubPath pia kunaweza kufanikisha kupandisha hadhi, ikiwa na ruhusa za kutosha.

Ili kukagua mipangilio ya StubPath katika vipengele vya Active Setup, amri hizi zinaweza kutumika:

reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath

Browser Helper Objects

Overview of Browser Helper Objects (BHOs)

Browser Helper Objects (BHOs) ni moduli za DLL ambazo zinaongeza vipengele vya ziada kwa Internet Explorer ya Microsoft. Zinapakia kwenye Internet Explorer na Windows Explorer kila wakati wa kuanzisha. Hata hivyo, utekelezaji wao unaweza kuzuiwa kwa kuweka ufunguo wa NoExplorer kuwa 1, kuzuia kutoka kupakia na matukio ya Windows Explorer.

BHOs zinaendana na Windows 10 kupitia Internet Explorer 11 lakini hazipati msaada katika Microsoft Edge, kivinjari cha chaguo-msingi katika matoleo mapya ya Windows.

Ili kuchunguza BHOs zilizosajiliwa kwenye mfumo, unaweza kukagua funguo zifuatazo za rejista:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Kila BHO inawakilishwa na CLSID yake katika rejista, ikihudumu kama kitambulisho cha kipekee. Taarifa za kina kuhusu kila CLSID zinaweza kupatikana chini ya HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}.

Ili kuuliza BHOs katika rejista, amri hizi zinaweza kutumika:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s

Internet Explorer Extensions

• HKLM\Software\Microsoft\Internet Explorer\Extensions
• HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions

Kumbuka kwamba rejista itakuwa na rejista 1 mpya kwa kila dll na itawakilishwa na CLSID. Unaweza kupata taarifa za CLSID katika HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}

Font Drivers

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
• HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'

Fungua Amri

• HKLM\SOFTWARE\Classes\htmlfile\shell\open\command
• HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command

reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""

Chaguzi za Utekelezaji wa Faili za Picha

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options

SysInternals

Kumbuka kwamba tovuti zote ambapo unaweza kupata autoruns zimeshachunguzwa na winpeas.exe. Hata hivyo, kwa orodha kamili zaidi ya faili zinazotekelezwa kiotomatiki unaweza kutumia autoruns kutoka sysinternals:

autorunsc.exe -m -nobanner -a * -ct /accepteula

More

Pata zaidi ya Autoruns kama vile registries katika https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2

References

• https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref
• https://attack.mitre.org/techniques/T1547/001/
• https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2
• https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell