Penetration Testing mailing list archives

Utilizing registry write access
From: natron <natron () invisibledenizen org>
Date: Wed, 21 May 2008 17:41:20 -0500

All,

Does anyone have a favorite location to load code from when granted
remote registry access to a machine?  I've used several different ones
and all have their pros/cons, mostly that they require a user to logon
or can be blocked from running via a policy setting.  I'd love it if
there were a location that the attacker could trigger remotely -- any
ideas?

I tried replacing the screen saver as I remember that used to work
ages ago (this could be triggered if RDP/3389 is open), but this reg
value no longer accepts a cmd.exe value (I couldn't get it to work on
Server 2003 or XP anyway).


Locations requiring triggers outside of attacker's direct control
(restart, user logon, or cmd.exe/explorer.exe execution):

HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

HKLM,HKCU\Software\Microsoft\Command Processor\AutoRun
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


-N
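The keys listed in the post are the same ones a defender should be auditing on a regular basis, since write access to them is exactly what turns a one-off foothold into persistence. The script below is an added example for that audit; it is not code from the post or its author. It assumes a Windows host with PowerShell 5.1 or later, an account that can read HKLM and HKCU, and that legitimately installed autostart binaries live under the Windows or Program Files directories (the `$expectedRoots` list is an assumption you should adjust to your own build). It walks every location named above in both hives, pulls the executable out of each command line, and flags entries whose image is missing, sits outside the expected directories, or lacks a valid Authenticode signature.

```powershell
# Audit the autorun registry locations named in the post (added example, not the poster's code).
# Assumes: Windows, PowerShell 5.1+, read access to HKLM and HKCU.

# Keys whose values are each an autostart entry, plus keys holding a single named value.
$autorunPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',      # numbered subkeys are not recursed here
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',     # Userinit value
    'Software\Microsoft\Windows NT\CurrentVersion\Windows',      # load value
    'Software\Microsoft\Command Processor',                      # AutoRun value
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# For these keys only the named value is an autostart entry; other values are unrelated settings.
$namedValues = @{
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Userinit')
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'  = @('load')
    'Software\Microsoft\Command Processor'                  = @('AutoRun')
}

# Assumption: legitimate autostart images live under these roots. Tune for your environment.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ImagePath {
    param([string]$Command)
    # Pull the executable out of a command line: quoted path first, else the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return (($Command.Trim() -split '\s+')[0]).TrimEnd(',')
}

function Test-AutorunEntry {
    param([string]$Hive, [string]$Key, [string]$Name, [string]$Command)
    $image = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $Command))
    $flags = @()
    if (-not (Test-Path -LiteralPath $image)) {
        $flags += 'image-missing'
    } else {
        # Flag images that live outside the directories we expect autostart code to come from.
        $inExpected = $expectedRoots | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inExpected) { $flags += 'outside-expected-dirs' }
        # Flag images without a valid Authenticode signature (unsigned or tampered).
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
    }
    [pscustomobject]@{
        Location = "$Hive\$Key"
        Name     = $Name
        Command  = $Command
        Flags    = ($flags -join ',')
    }
}

$results = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($key in $autorunPaths) {
        $regPath = "${hive}:\$key"
        if (-not (Test-Path -LiteralPath $regPath)) { continue }
        $item  = Get-ItemProperty -LiteralPath $regPath
        $names = if ($namedValues.ContainsKey($key)) { $namedValues[$key] }
                 else { $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' } }
        foreach ($name in $names) {
            $value = $item.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Userinit is a comma-separated list; every element is launched at logon.
            $commands = if ($name -eq 'Userinit') { $value -split ',' } else { @($value) }
            foreach ($cmd in $commands) {
                if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
                Test-AutorunEntry -Hive $hive -Key $key -Name $name -Command $cmd
            }
        }
    }
}

# Flagged entries sort to the top; an empty Flags column means nothing looked out of place.
$results | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM values are readable, and baseline the output on a known-good build before using it for comparison; a flagged entry is a lead, not a verdict, and the expected-directory check in particular depends on how your own software is deployed.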


