search

AlwaysInstallElevated

hashtag
Overview

AlwaysInstallElevated is a misconfiguration that installs all msi packages as system. Wheels spinning?

hashtag
Elevation via AlwaysInstallElevated

Query the registry for the misconfiguration

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
The machine is vulnerable if both values are set to 1

Create a malicious msi file

Pop a shell

hashtag
Quick Win

You can get a quick win by using the Write-UserAddMSI function from PowerUp.

This function will add a backdoor user to the Local Administrators Group

circle-info

An RDP sessions is required for this

PreviousAutoRunsNextRegsvc ACL

Last updated