
AlwaysInstallElevated → SYSTEM via MSI

Both HKCU and HKLM AlwaysInstallElevated policies set to 1 — any user-installed MSI runs as SYSTEM. Drop a malicious MSI and install it.

Filed by AD Knowledge Base
§ Kill-chain

§ Context

Assumed environment: foothold as a standard user on a Windows host where group policy or local misconfig has set both AlwaysInstallElevated keys.

§ Steps

  1. Low-priv user shell · Initial Access · T1078 Valid Accounts
  2. SYSTEM shell · Execution · T1059 Command and Scripting Interpreter
  3. Build SYSTEM-spawning MSI (msfvenom) · Execution · T1059 Command and Scripting Interpreter
  4. Confirm both HKCU + HKLM keys · Discovery · T1518 Software Discovery
  5. msiexec /quiet /qn /i evil.msi · Privilege Escalation · W-ALWAYS-ELEVATE AlwaysInstallElevated
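A defender-side audit of the precondition behind step 4, added here as an example and not part of the dossier: it reads the AlwaysInstallElevated value from the Windows Installer policy key in both hives and reports whether the SYSTEM-install condition actually holds, optionally clearing it. The policy path Software\Policies\Microsoft\Windows\Installer is the standard location for this value (not stated on the page), and the -Remediate switch is a name chosen for this example.

```powershell
# Added example (not from the dossier): audits, and optionally clears, the
# AlwaysInstallElevated precondition from step 4. Run as the user being assessed;
# -Remediate needs admin rights for the HKLM value and only lasts if no GPO
# keeps re-applying the setting, so fix the policy object as well.
param([switch]$Remediate)

$PolicyPath = 'Software\Policies\Microsoft\Windows\Installer'
$ValueName  = 'AlwaysInstallElevated'

function Get-AlwaysInstallElevated {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $key = "${Hive}:\$PolicyPath"
    try {
        # An absent key or value means the policy is not configured; treat as 0.
        [int](Get-ItemPropertyValue -Path $key -Name $ValueName -ErrorAction Stop)
    } catch {
        0
    }
}

$hkcu = Get-AlwaysInstallElevated -Hive 'HKCU'
$hklm = Get-AlwaysInstallElevated -Hive 'HKLM'

# Windows Installer only elevates when BOTH hives carry the value 1;
# one hive set on its own does not create the exposure.
$exposed = ($hkcu -eq 1) -and ($hklm -eq 1)

[pscustomobject]@{
    HKCU    = $hkcu
    HKLM    = $hklm
    Exposed = $exposed
} | Format-List

if ($exposed -and $Remediate) {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$PolicyPath"
        Set-ItemProperty -Path $key -Name $ValueName -Value 0 -Type DWord
        Write-Host "Set $key\$ValueName to 0"
    }
}
```

Exposed = True is the state the dossier relies on; a 1 in only one hive is worth fixing but is not the escalation precondition.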

§ References

§ Frequently asked

What is the "AlwaysInstallElevated → SYSTEM via MSI" attack path?
Both HKCU and HKLM AlwaysInstallElevated policies set to 1 — any user-installed MSI runs as SYSTEM. Drop a malicious MSI and install it. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?
The first step is Low-priv user shell (T1078) — an initial-access primitive. Assumed environment: foothold as a standard user on a Windows host where group policy or local misconfig has set both AlwaysInstallElevated keys.
What is the final impact of this kill-chain?
The final step lands on msiexec /quiet /qn /i evil.msi (W-ALWAYS-ELEVATE), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?
Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers