Introduction

AutoRun applications are programmes configured to execute automatically when a user logs in for the first time after booting the system. This is typically done so that the application can check for updates and update itself if necessary. Steam, Spotify, and Discord, for example, all set this up upon installation.

On its own, this does not pose a security risk. Where the real vulnerability lies is in AutoRuns whose executables (or the folders containing them) are writable by anyone.

AutoRuns can be enumerated by querying the registry:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Now all we need to do is generate the malicious executable and replace the AutoRun programme with it. Note that for the exploit to work, an administrator must log in, because the replaced programme runs in the context of whichever user logs on.

Now, as soon as the administrator logs in, we will get an elevated shell.
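The following PowerShell audit is an added example, not part of the original page, showing how a defender finds the condition described above before an attacker does. It enumerates the Run keys (the HKLM key from the page plus its RunOnce, WOW6432Node and HKCU counterparts, which are assumed to be of interest), resolves each command line to its executable, and reports any binary or parent folder on which a broad principal holds write, modify, delete or ownership rights. The list of principals, the key list and the function names are assumptions to adjust per environment.

```powershell
# Added audit example (not from the original page). Finds AutoRun entries whose
# executable, or the directory holding it, can be modified by low-privilege groups.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should never hold write rights on an AutoRun binary.
# Assumption: extend this list (e.g. with 'Domain Users') for your environment.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace or rename the target.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Get-AutoRunExecutable {
    # Extract the executable path from a Run-key command line, expanding %VARS%.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }   # "C:\Program Files\App\app.exe" --flag
    if ($cmd -match '^\s*(.+?\.exe)') { return $Matches[1] }  # C:\Program Files\App\app.exe --flag
    return ($cmd -split '\s+', 2)[0]
}

function Get-WeakAutoRunAcl {
    # Emit one object per (entry, target, principal) where a broad principal can write.
    param([string[]]$Keys = $runKeys)
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $entries = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $skip -notcontains $_.Name }

        foreach ($entry in $entries) {
            $exe = Get-AutoRunExecutable -CommandLine ([string]$entry.Value)
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

            # Check the binary and its directory: a writable directory lets anyone
            # rename the original and drop a replacement with the same name.
            foreach ($target in @($exe, (Split-Path -Parent $exe))) {
                try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { continue }
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                    [pscustomobject]@{
                        Key       = $key
                        Entry     = $entry.Name
                        Target    = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Usage: list every weak entry; an empty result means no broad principal can
# replace an AutoRun binary on this host.
Get-WeakAutoRunAcl | Format-Table -AutoSize
```

Each reported row is an entry to fix rather than an exploit to run: remove the offending grant (for example `icacls "<target>" /remove:g Everyone`, using the path from the report) so that only SYSTEM and Administrators can modify the binary and its folder, and re-run the audit until it returns nothing. For ongoing detection, Sysmon event ID 13 (registry value set) on the Run keys and event ID 11 (file create) in the directories this script reports will surface both new AutoRun entries and replaced binaries.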