Always Install Elevated
Always Install Elevated is a registry / GPO setting that allows non privileged accounts to install Windows Package Installer (MSI) files with SYSTEM permissions. Usually this is used in environments to reduce workload for Helpdesk staff for when users require software to be installed.
Command to query registry keys:
WinPEAS can also be used to show this setting as being enabled.
Exploitation
Metasploit
Metasploit can be used to abuse this privilege.
Manual - msfvenom
msfvenom can be used to create a reverse shell disguised as a MSI file. When the file is executed / installed a reverse shell as SYSTEM will be executed.
Manual install of the MSI file:
Which returns a SYSTEM shell as shown below.
Mitigations
Ensure that the following Group Policy Objects are set to disabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
User Configuration\Administrative Templates\Windows Components\Windows Installer
Last updated