Skip to content
This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Module to check for AlwaysInstallElevated #646

Merged
merged 2 commits into from
Oct 13, 2022
Merged

Module to check for AlwaysInstallElevated #646

merged 2 commits into from
Oct 13, 2022

Conversation

bogey3
Copy link
Contributor

@bogey3 bogey3 commented Oct 7, 2022
edited
Loading

This module will check if the computer and the supplied user have AlwaysInstallElevated enabled.

Output will appear as follows:
Enabled

$ poetry run crackmapexec smb 192.168.1.178  -u User1 -p ********** -M install_elevated
SMB         192.168.1.178   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain.local) (signing:True) (SMBv1:False)
SMB         192.168.1.178   445    DC01             [+] domain.local\User1:********  (Pwn3d!)
INSTALL... 192.168.1.178   445    DC01             AlwaysInstallElevated Status: 1 (Enabled)

Enabled in HKLM only

$ poetry run crackmapexec smb 192.168.1.178  -u User1 -p ********** -M install_elevated
SMB         192.168.1.178   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain.local) (signing:True) (SMBv1:False)
SMB         192.168.1.178   445    DC01             [+] domain.local\User1:******** (Pwn3d!)
INSTALL... 192.168.1.178   445    DC01             AlwaysInstallElevated Status: 1 (Enabled: Computer Only)

Disabled

$ poetry run crackmapexec smb 192.168.1.178  -u User1 -p ********** -M install_elevated
SMB         192.168.1.178   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain.local) (signing:True) (SMBv1:False)
SMB         192.168.1.178   445    DC01             [+] domain.local\User1:********  (Pwn3d!)
INSTALL... 192.168.1.178   445    DC01             AlwaysInstallElevated Status: 0 (Disabled)

@bogey3
Created install_elevated.py
8d92e34 
This module will check if the computer and the supplied user have AlwaysInstallElevated enabled.
@bogey3
Update install_elevated.py
1629029 
Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission.

Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting.
https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated
@bogey3 bogey3 changed the title Created install_elevated.py Module to check for AlwaysInstallElevated Oct 8, 2022
@mpgn mpgn added dank module all good tested in my lab labels Oct 8, 2022
@mpgn mpgn merged commit ff758fd into byt3bl33d3r:master Oct 13, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
all good tested in my lab dank module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bogey3 @mpgn