← All talks

New Windows Persistence Techniques in Metasploit

BSides Charm 202652:5110 viewsPublished 2026-06Watch on YouTube ↗
Speakers
Tags
About this talk
A Metasploit committer walks through the July 2025 overhaul of the framework's persistence system, which introduced standardization across platforms and a wave of new Windows techniques. Covers modules abusing BITS post-triggers, PowerShell profiles, telemetry controllers, assistive technologies, Python site-packages, Obsidian and Burp plugins, and WSL-to-Windows pivots — with live demos and guidance for defenders on what to hunt for in logs.
Show original YouTube description
Metasploit has had persistence for a long time, however it's always been lackluster. In July 2025 a complete overhaul of the persistence system began, introducing standardization across all platforms. Since then many new additional techniques have been created, especially on Windows platforms. This talk will discuss the new standardizations and how they effect users, look at the new techniques which have been added, and show how they can be utilized with live demonstrations. Are you a blue teamer? Comes see what the other side is doing and know what to look for in your logs to find these techniques. h00die h00die is currently employed with nDepth Security as a senior penetration tester. Previously he helped start Exploit-DB as one of the original staff moderators for submissions and quality control experts. He is currently one of the few non-Rapid7 employees entrusted with commiter rights for the Metasploit framework, volunteering to create new module, peer review submissions, and keep the framework awesome over the last 10 years. Joel Garcia Husband | Father | U.S. Marine Corps Retired | nDepth Security | Alumnus of Capital Technology University & University of Maryland Global Campus
Show transcript [en]

All right, so let's get this started. Hi everybody. I am a hoodie. Uh, let's start off with the fact that we have some stickers. Uh, Bill put them out up here as bait. Um, I did misspell metas-ploit unintentionally. Good catch. Uh, also I wrote this uh PowerPoint slide deck in Microsoft Office like normal humans do. And then I was like, man, we're going to need to run metas-loit and I don't want to run too many VMs. So, let's do Cali for our main OS. And then, uh, yeah, it made all the fonts, I guess, different or spaced differently. So, I just left it there with my name trailing off to remind everybody that some of the graphics are

going to be off just a little bit. And that uh, Linux still not as good as Windows on PowerPoint. That's it. Everything else it's better, but PowerPoint just still slacking a little. So, uh, slide me. Also, these slides are unnecessarily aggressive. Um, I am not the grim reaper, but, uh, you know, the graphics guys get a little carried away sometimes. So, uh, today we're going to talk about us and more friends. Metas-ploit spelled correctly. I'm one for two on that. Uh, thank you. Issues with persistence. uh that have been in the framework, how we went about fixing it, the new fun awesome stuff. That's totally great. And then we're going to try a demo. But

there's an asterisk next to that that you can't see because I just added in my mind like a few seconds ago. Also, I totally saw the hoodie thing in the uh the prep room and I was like, should I edit this slide and fix it and hope not to destroy every other slide? Nope. We're just going to keep it. Slide me. So, this is me. Uh, not the pitcher, uh, the guy. Uh, I'm a senior penetration tester at Endepth Security. Uh, I got the backpack to prove it. I won that backpack at a raffle over you. Uh, a long time ago in a galaxy far far away, I helped start exploit DB. You guys may have heard of that. Uh, I am a

metas-ploit framework contributor. Um that means that I can commit directly to the framework itself uh without supervisor approval. I am that supervisor. There's about a dozen of us that don't work for Rapid 7. Um I've written about 200 I think it's like 10 modules over the last 10 years. Um which is weird because like you do your first and you're like honey let's go out to dinner like and celebrate. This is amazing. I did a thing and then it's gotten to the point that I read about modules and I'm like, "Oh, that sounds sick. Oh, I wrote that six years ago. I totally forgot at this point in my life." Um, I asked chat [clears throat]

GBT to tell me more about hoodie and it told me that I was at Hoodie Gray. That is not me. So, disregard all Hoodie Gray things. Joel, tell me about yourself. >> I'm not Joel. >> All right, we're at our quota. So, um, my co-presenter Joel He text about 1:30 and he said, "Hey, uh, my wife and daughter are sick and I need to take them to the HR." Can Bill fill in? And Bill loves people and crowds and speaking. So he said, "Absolutely." Or something like that with WTF in all caps. So, uh, you're now Joel for the rest of the talk. [snorts] Cool. So, that's the asterisk next to demos because, uh, Bill has been through this

slide deck one time. And based on timing, it will probably either be one live demo or we can watch three videos of the live demos that I have for backup. And I think you guys would probably see rather see volume other than Bill fumbling on the keyboard. >> Uh some shout outs. Um Diego, he's out in like Cetchia, I believe, him and uh Martin, but they have been helping me out with redoing all the persistence. Um it is a very timeconuming job making things not suck. Uh so shout outs to them for helping everything. And then Spencer because uh he gave the stickers. I was like hey Spencer you lead metas-ploit. I'm going to talk about Metaso. Can I have some

stickers? And he was like yeah sure. So uh thanks to him for those and oh slided me early. God hard help is or good help is hard to find. I tell you what. Uh okay now do it. Oh, spelled metas-ploit right. Two for three. Oh, I forgot the other thing. This talk almost went astray. So, I'll tell you what's inspirational. Did you back away from the mic? I'm No, I brought my good luck hat. Our daughters play for the same uh travel softball team and they are absolutely slaying this year and this is my good luck hat for when they are slaying. So, we're going to go with the good luck hat today. So, what is Metas-Ploit?

I'm going to assume that all of you know what it is already because it's like everywhere. But in case you haven't heard, it's the world's most popular penetration testing framework. It is free and open source. Uh there is a commercial version. Uh it like gives you a guey and like commercial support and some other things that I don't use because I don't have it because it costs money and I don't have money. So uh but it's free and open source. Uh back in 2009, Rapid 7 bought it. And if you were around back then, you were like, "Oh my god, no. A company's buying the thing I love and use all the time." But like

surprisingly, they didn't butcher it. Uh so now they actually have dedicated staff there to help uh make the framework better and spend more time because uh if you're just doing it nights and weekends, it's hard to really contribute um a lot in volume and quality. It is pre-installed in most hacker OSS like Cali, I assume, Parrot, but I've never used it. Um it works on Windows, but I don't know why you would ever. Um, it's mostly written in Ruby. Asterisks, you know, exploits come in all shapes and sizes. So, sometimes there's HTML, Python Java. Uh, assembly for payloads, all those kinds of things. So, like whatever you speak and write in, uh, it probably has

it in there. Go, does Go, too. Um, and pretty much if you've taken a hacker class or assert, you've used it before. Now, slide. Perfect. Dude, I copy and pasted that. So that doesn't count for a three for four. Uh, so the persistence parts, uh, a user by the name Be Coals, no idea what his real name is, no idea where he lives. Um, he kind of outlined all the issues in, uh, in issue in GitHub. Um, but basically he pointed out that everything was awful. The modules were not in a consistent directory. They had instant callbacks. It's like you'd install persistence on a box. Maybe it starts a handler to capture that callback. Maybe it doesn't.

Maybe it gives you instructions to do it. Who knows? Sometimes it would wait an hour. Sometimes it would wait five minutes. Sometimes it would wait all day. Awful. Um, and one of the big things was there's no cleanup. And like it's fun pwning things and stuff, but like someone has to do the cleanup. And it'd be great if that was just automated. You run a script and then you're done instead of like making it up, looking back through your logs, all that nasty stuff. We're going to have lots of memes, by the way. So, I picked some random what is it? Six six Windows modules just as examples. Um, obviously there was tons and this is all pre-redoing of

everything. But we look here and the names just suck. First off, man, is that in white? because it's a purple and it was purple in the room up there. So that's awesome. Um in metas-ploit speak exploits execute um payloads. So anything that's in the exploit folder you should get a call back if you don't screw it up. So with persistence I would think you would always get shells back. Maybe I'm strange, but some are in exploits folder, some are in post. Post meaning I'm on the box already. Um, and I want to do something post getting on it. So, already not looking great. Then we move on to the offset red box where it should

be uh local and manage. Local kind of like post uh means we're already on the box, but we have local access to it. um post um sorry manage is more like we want to manage our uh shells on the box. So maybe we upgrade it or something like that. Um but again not all consistent. Lastly, some say persistence, some say a technique then persistence, some say persistence then technique, some say persist, some don't say anything like sticky keys. So we're just all over the place. And I know that's like the finicky stuff, but like user experience matters. And if I search for persistence, it's going to miss out on like sticky keys and that sucks.

So let's break these uh modules down. Again, that spelling does not count. Uh so the first one, local persistence installs persistence. How does it do that? [sighs] Who know? Are there any little ears in here, by the way? I'm doing really good at not cussing so far and I'd like to keep it that way but just in case. Perfect. All right. So person who the [ __ ] knows what it does. Oh man, the smallest font that ever existed. Uh it installs into the registry in current version run. Remember like there's the first two persistence techniques ever. Uh the startup folder and current version run. Yeah, it does that one. So, okay. Could use a better name, but it does a thing.

Then we look at registry persistence. Guess what that does? The same thing, but it puts the uh payload in the registry, which is a good little hiding technique. So, there's no, you know, file on disk, per se. I I know registry is dis yada yada, but um yeah, it does the same thing essentially. Then we look at persistent service. You guessed right. Creates a service. So then we go on to PS persist. And I know what you're thinking. PS PowerShell Windows. Like makes sense, right? No, not at all. Uh this one creates an exe or a Windows service. Uh and it doesn't use um you would think like a PowerShell type payload or something like that. No,

no, no. It just doesn't use service.exe. It uses the PowerShell services command lit. That's that's the difference. So that's cool. That's not duplicative. And you would totally think that that installs a Windows service. So [sighs and gasps] moving on, persist.exe. I know what you're thinking. Well, the the technique is so obvious. It makes an .exe and does what? Oh, it installs to current version run. Also makes a Windows service. Also can schedule a task. So, it has three techniques built into one that make no sense and you'd never find it because it has that not in the description. So, that's great. And lastly, sticky keys. I know what you're thinking. Replace sticky keys.exe, right? That's like since the dawn of

time. Um, close. It uses the image file execution options to sideloadad itself, which is great and all, but like nowhere does it say persistence. So, like literally when we were looking for all the persistence modules, someone had to mention this one existed cuz we didn't find it. So, we have one module that goes into the registry and a second module that does that and a third module that also does that. And then we have one module that makes a service, but also another one that makes a service, but then a third one that also makes a service. It makes sense, right? There's totally no duplicated code all over the place for this. It It's perfect.

Are you recording me? Damn. Next slide. Here's the other part of this. They're all old. So, I went back and looked at when the modules first really started to exist. And again, this is a subset, but for the most part, it's like the 2015 2016 timeline where someone was like, you know, you get a bug and you're like, "Oh man, I got to do this thing." Someone went through and just like hammered all these out and then like walked away into the sunset because for 10 years, other than like minor things, they were pretty much untouched. Um, I don't know if you guys have noticed, but like Windows has changed in 10 years. like 2015 is what Windows 7

maybe before that 8.1 Vista. So yeah, uh they old. We got to do something about that. Someone's got to go through and really look at them to make sure they still work in current versions. Techniques are still good, yada yada. So [sighs] this graph uh does not show what you think it does, but I included it anyways for fun. Um, I went and searched all pull requests for the word persistence. So, sometimes it's persistence modules, sometimes it's someone saying, "Hey, the Docker install doesn't have a persistent database." But I don't know about you guys, but sitting down and looking through hundreds of pull requests for the word persistence and then matching up to actually be persistent sounds like awful

or work for AI. One of the two. But if we look at pull requests that mention persistence over the years, you can see there's kind of like a steady flow between 2013 and 2020. Um, and then just that huge jump. And that's because we started revamping it uh end of 2024. Really, it got started in 2025. So about a year ago, I went ham and started knocking all this out. Um, but I'll also note that 2016 I had my first Linux persistence module. So, we've been around this block for again like 10 years. So, how can we fix all this nightmare of code? Um, first we got to create the directory for persistence. We got to

figure out if it's modules persistence or modules exploits OS persistence or where the hell this is all going to go. Next thing is we got to set everything to be passive. Like we can't lock up a console because this thing is supposed to be passive. You do a persistence like a schedule task, you schedule it for the next day or something. I can't have my keyboard locked for a day waiting for this call back. Uh so we need it to run in the background and for a long time. We need to start a payload handler. I don't want y'all to have to do that because that's silly. It takes three lines of code to do it. uh we need to

write cleanup scripts so that way again y'all don't have to figure out where we wrote files to go through this manual log that's not consistent. It should just give you a file. You run that file and you're off the box. Boom. Done. Uh and then we need to update all the modules by calling our modern libraries and functions because again things change over 10 years. Uh add in references, make sure they still work on modern oss and create documentation. And I everyone was like yes documentation. and I love it. But here's what happens. I'm sure it happens to all of you. You run this sweet metas-plate module and it doesn't work and you're like, "Well,

that sucks. Why didn't it work?" Documentation shows you why it doesn't work. Um, in it, we include like an example run. So, you can see like this person ran against this OS with this um payload and it worked fine. So, maybe I should go and try that. So, uh yeah, I'm a big stickler on documentation. I'm that guy. Sorry. >> [snorts] >> You're doing great and you're still at your three-word limit. I dude for never seeing the slides until an hour and a half ago. Killing it. So, uh, diving more down into that. I said, we got to find a folder. So, Spencer, the head of Metas-Ploit said, "We're going to go exploit the OS and

then persistence." Sure. You know, we just need a spot. So, that works. Uh Diego, credit to him, made the standardized library that does a lot of the stuff for everybody. Does the persistence, does the payload, I'm sorry, does the passive mode, does the payload handler, and it builds in how to automatically store the cleanup files, alert the user, all that kind of stuff. So, that was a lot of work. I didn't do it. Not taking credit, unless you want me to slide it. I'm going to take a water break. It's not toxic.

All right. So, uh, I went to work and by that I mean I got COVID and had to stay home for five days. And man, when the house is quiet and you're stuck in a room with nothing to do, oh, can you tear through some metas-plate code? So, I wrote about 29 PRs, uh, pull requests for those not familiar with that parlance. Um, updating modules, splitting them apart, yada yada. Um, in the last 10 years, MITER's attack references came out. Um, not only are those amazing for like reports and stuff like that and helping defenders actually identify um the attacks you used with good references, but it's also a great list of like to-do. Like, man, we hit

this and this reference uh attack framework reference, but like uh look at all these other ones that we've never done before. We should totally add those. Uh went through and tested all the modules in modern OSS like Windows 10. Is that even modern still? Um, proved they worked and did the documentation which was fun, but with COVID. Um, so then that's all the kind of like boring behind the-scenes maintenance work that someone's got to do, but like it's not fun and sexy and all that kind of stuff. So then we need to add some new things. Um, as I said, thank you attack framework because it gives me all kinds of new ideas for OS level things.

Um, we also wrote uh app plugins, which you're going to ask me in the hallway and I'm going to be all shy and skittish, so I'm just going to answer it now. I think the future is more app plugins. Um, so every person has their favorite apps, VS Code, Burp, whatever. you know, your job roll has those apps. God forbid any app not have a plug-in framework nowadays. Um, and they are just delicious for writing plugins for because they never have security. Um, and then we need a persistence suggesture because god forbid you actually do get on a Windows box and you're like, "Ah, what persistence technique should I use?" Man, wouldn't it be great if it told you which ones

worked? You didn't have to do all that by hand. Yeah. Love that guy cleaning [laughter] the ocean. Um, so, uh, this was a new technique. Um, I wrote it. It's not that genius, but it wasn't there and it's kind of awesome. I loved it. Um, and basically Windows is WSL for those who don't know. That's Windows Subsystem for Linux. Lets you run Linux on Windows. Um, which is great unless you're using KVM on a capable processor and you set it to nested virtualization and then Windows will not boot anymore. So, we're not going to show that one because god forbid, but uh I went with the easy thing of creating a registry entry, you know, current

version run. Um but that registry entry runs your WSL instance with a Linux payload built into it. So, the fun of we have a Windows module that uses a Linux payload, but also is your Windows AV looking for Linux payloads? I don't know. Some of you probably work for AV companies and you're like, "Yeah, totally." And I'm like, "Oh, cool. Well, I tried." Um, but it's, you know, that kind of reverse logic there. And then really, um, that's going to hit every startup and then from that point, you can install a Linux persistence if you want, but people need to run WSL for that payload to work. So, we just force it to by running it through the

registry. Then I wrote the reverse, which is if you're in WSL, we need to get back to Windows. So have a Linux module that runs a Windows payload. Um, and I went for just, god forbid, [clears throat] the simplest thing right in XE to the startup folder, but we do it through the WSL drive mapping. Um, so yeah, you're probably going to find that you be like, "Ah, I got you. Delete." And then you reboot and it's back again. And every time you run WSL, it's back again. And so finding that where it's coming from is part of that fun in the game. And obviously that this is really a proof of concept. I would love for

other people to be like, well [ __ ] you should do still no junior people. Cool. Uh you should do [clears throat] this other thing from WSL or hey to go into WSL try this other technique like open source. You guys could do it too or give me the idea and I'll never get to it. Um so yeah, nice little cycle there. Um, Joel, actually Joel also works for my company, my company, the company I work for, Endepth. Uh, and Joel over there also works for Endepth. And guess what? Another pentester with us, Lindsay Wizinski. You say it. >> Wizinski. >> I got number four. [laughter] Um, she wrote a cool module. [clears throat] Uh and obviously I

couldn't mention all of them so I just tried to hit some of the highlights but uh PowerShell profiles if you don't know uh there are four files that whenever you start PowerShell it runs them and think like you know your bash profile kind of file. Um, one is for the user, one's for like the user on if you only log into this box. One's like user, but you log into other boxes. It's all kinds of stupid Microsoft stuff. But, um, basically, if I can get on your box, I can write a PowerShell profile directly into your PowerShell, I'm sorry, a PowerShell payload into your PowerShell profile. And anytime you launch PowerShell, it will give you a

call back in the background blindly. It's magic. Um, telemetry. I wanted to call this one out because it's uh stupid easy. Um, in the registry there's telemetry controller controllers and you can just tell it here's my exe that will do your telemetry and then anytime telemetry runs it will also give us a shell back. Um, I mentioned that because corporate environments, I assume you all disable telemetry, but like if you don't, holy god, disabled telemetry, it has no purpose. Speaking of things that are probably enabled in your uh corporate environment, assist of technologies. Uh, so that's like magnifying glasses. Um, not high- res, high what's the color thing? high contrast uh those kinds of uh assist of

technologies. Well, it's really simple to tell Windows uh we have a brand new assist of technology. Here's the XE for it. Uh run that every time someone uh boots up this box and we just tell the registry to always run active techn or assistive technologies. Um, I think that one's going to be a lot harder to disable incorporate, but I figured I'd mention it because something to look out for. [snorts] Um, and then I didn't write it, but there's a Python module that installs into your site packages so that anytime you start Python or any program starts Python, um, it goes ahead and executes our payload. Um, I don't want to say good luck and like

you have no defense against that, but like o that sucks. How am I on time? Time time guy. You'd think for a sweet hotel there'd be like a clock in the back, but 20 minutes, you lucky ducks. So, uh, new OS techniques. Um, I wrote the bits one. Uh, Bits is Windows background intelligent transfer service. Um, you pretty much can't turn that off. Someone out there is like, "Yes, you can." Um, but it does the transferring of Windows updates in the background when your browser is like, "Hey, we got a new version." It downloaded it through Microsoft Bits. Bits is a service that uh, I mean, it's kind of self-explanatory. It downloads it intelligently transfers files in the

background. um does it async? If you reboot or your connection goes out or your Wi-Fi drops, whatever, um it will handle those errors and retry later. Um it has this nice feature called a post trigger, aka after we have finished downloading the file, we can launch a thing like the payload we just downloaded. [cough and clears throat] Um [sighs] so we uh go ahead and we add a bits job. tell it, hey, I want you to go download this file for me. Um, the funny thing was there's all these examples on the internet of people trying to abuse Microsoft Bits to show persistence techniques. But here's the thing. When you add a bits job, it immediately

downloads that file and executes it. That's not a great persistence. When you download something in like three seconds and execute it, I want it to happen tomorrow or two days from now, not instantly. I could just transfer my own .exe through my payload. Um, so the bits bits is not documented great if you're trying to do things that you're not supposed to do with it. Um, so what I ended up doing is did I mention it there? Yeah, it uh it immediately tries to get your file. Uh, it sends a head request. Your head response better be godamn perfect or it will flip uh out at you. Uh, then it tries to download the file and trying to

get it to not download the file but retry and retry later. Oh god, I spent three days in Wireshark trying to figure that one out. But um, if you send it back back a perfectly formatted HTTP response with no body, it will try again later. Uh, so that was the eventual success. Um some other techniques that we have lined up um that you know maybe I'll eventually get to uh the port processor. Um I I left up the miter attack things. Um naturally we don't have these in metas-ploit yet. They've been around for a while. Someone will eventually get to them. Hopefully not me. Um, my favorite here is time provider because you give it a DL and it

acts like it provides you time. So when your clock syncs, it will automatically execute that payload, which is awesome because everyone has to sync their clocks. So look out for that one. Oh [sighs] love that guy. Um, at plugins, I mentioned this before. So I think this is the new hotness. This is where I've been uh spending most of my time lately. Um, god forbid again that there's an app you use that doesn't have some kind of plug-in extension type thing. So, uh, I love Burp. Burp is amazing. So, it took about a year for us to get it to work right because uh, Java is the devil and I hate it. So, uh, and Burp is written

in Java, but uh, we write in a payload to Burp. uh it does it for the entire system. So as long as you have executed burp one time on your system, we drop the payload in there and it just executes in the background whenever you start burp. And it's awesome. Uh Obsidian, any Obsidian users? I am not one, but I learned things because now every time I see anybody, I'm like, "Hey, what uh what apps you use?" I'm looking for some new ones. It's a hack. Um, so Obsidian has like Obsidian written plugins, like trusted ones, and then there's untrusted user ones. And I was like, well, I can write an untrusted user one that gives me a

payload, but like no one's going to execute that. No one is like looking for some sketchy plugin on the internet, right? No. Apparently, like Obsidian doesn't have any good plugins and everyone goes into danger mode and uses userdriven plugins. So like cool. So I wrote a plugin for that. Um it is based on what vault you're using. Like the plugins are vault based, but we just write it to all of them. So who cares? Um Notepad++ obviously it's been around forever. It's been abused forever. Um no big deal on that. I put up the link qad because it was just an oddity. Um, it's not a plugin, but that specific version, uh, what is it? 552,

5.52. You can give it a cache file with a derialization vulnerability. So, it's not a plugin, but cache. So, that's kind of cool. Uh, a little different. Slide me. Oh. Oh, God. He's good. You see how quick he did that? He paused it. So, um, PowerPoint and then Linux. it it doesn't work the best this is. So, um does anyone listen to Security Now? You guys should. It's very dry, but it is awesome. Uh in January, they had an episode where this was said. [laughter] >> Yes. Plus, as easy as it would be to write a malicious plugin for Emacs, I don't think anybody's going to do that. [laughter] It's the pickings are slim. Let's put it

that way. Challenge accepted, Leo Leaport, because I was listening and um so I wrote an Emacs plugin that runs executes a shell. Uh apparently Emacs plugins are written in lisp. [snorts] Uh good news, AI has come a long way. So, I just tell Claude, "Hey, can you give me a who am I plugin that just runs who am I in a thread unblocked in the background?" And it's like, "Yeah, sure. That's totally sounds legit. You'd never want the output." So, uh, thank you very much. Um, also, if you try to contact Leo and, um, Steve, I don't know how to do it. I have sent many emails and Discord messages and they ignore all of

them, but maybe this will work. So, uh, yeah, Emacs, um, it finds where your plug-in folder is or it adds a new one and then it, uh, puts our payload in that list plugin and woohoo. Um, I wrote one for Vim because Kurt, what's the best text editor? [ __ ] nano. Hell yeah it is. um because sometimes you need to do something like I don't know close your document and I don't have 18 fingers to press on the keyboard to use uh vi. So, uh, Vim, um, again, I should mention these are all Linux, obviously. Um, but I wrote a, uh, a plugin for Vim that just executes payload because I don't think Nano has plugin. So,

again, it is the best one. You are right. Uh, work in progress. I started these like god a year ago now. I just haven't gotten back around to it. Um, but uh Kate and Joplain. Does anyone use Joplain? I don't Oh, I guess there's two in every room. Um, that is like something gross. Like the plugins are in Typescript and you have to compile them and it was like but AI has come along come around in a year. So now I'm just going to have that do it for me. Um, but yeah. So, uh, Kate and Joplin are multiOS. So, Windows people, it's, you know, when I get time, it's coming. Protect yourself. Um, this again is a Linux one, but I'm

mentioning it here because, uh, it should be painfully obvious how long it would take to port this to Windows. Probably three hours. But, uh, I check if Docker is there. If it is, I tell Docker to download it Alpine. I say, "Hey, when you build that image, uh, here's a file, my payload, my payload that you should also put into there." And then here's a quick little bash script to run my payload. And then if it, you know, crashes for whatever reason, uh, like chill out for 5 seconds, then try it again. And then do that forever. And then, uh, set that image to start every time your OS restarts. And, uh, boom. Uh so watch

your uh Docker images that are there and running all the time because if it looks like Alpine and you don't know what it is, it's probably not totally not me. That would be illegal. It's Joel. Um as we talked about before, oh time guy, where we at? When I did this at home, it was 36 minutes total. So slaying right now. Uh so if you guys have used it in metas-ploit there's a local persistence suggesture which means you got onto a box. Congratulations. Now you want to figure out how to prevestque and so it will load every single local module run the check method to see if it thinks it could work on there. Um that sounds real

smart and I like that. I like not doing work like loading dozens of modules and running the check command and then trying to interpret the output. So, uh, I wrote persistence suggest where it's the same damn thing. Uh, it loads up every persistence that there is. It looks at what OS your shell is on and it says, "Okay, well, you're on Windows, so we can throw away all the Linux ones." Uh, this screenshot is the opposite. I did it in Linux. Um, and then just runs check and then it tells you, "Is it vulnerable? Can this run?" Yes or no. Simplicity. Oh, you said 36 minutes, which means we have 15 minutes for demos, don't we? All

right Bill. I mean Joel. So, yeah. Uh, we're not going to trust Joel on the keyboard today. Um, but, uh, which one's this? What we got? >> Obsidian. >> God, five. I'm so proud of myself. Oh, I can't wait to show this video to your daughter. She's going to be proud of you, too. So, um, Obsidian. You guys use Obsidian? I I don't, but, um, we're going to start up Metas-ploit in the bottom. This doesn't look half bad up here. I did 800 by 600. It [snorts] scared to go smaller. Um, first thing we're going to do is just execute a payload on there. Easy peasy. We just need our initial access. So, nothing special, nothing to see

here. Uh you'll see at the bottom sending payload. We are there. Awesome. Then like all good demos, we are going to show who we are and the CIS info. And while that box clearly says Windows 11 on it, it is Windows 10 because I could not get Windows 11 to install on ESXi. We go ahead and copy all of our commands because we can't trust ourselves to type. We say use exploit multi-persistence obsidian plugin because uh it's in multi instead of just Windows because it works on Linux too. It goes ahead and finds your config file. From there it identifies all of your vaults. Then it uploads our plugin to your vault. It will also check to see

if you have other plugins and what they are and if they're enabled. And then it will enable itself. It'll also give you a warning if dangerous mode is uh turned on off. That was like a double negative there. Hey, you open it and guess what? At the bottom, we got our shell to open. Woo! Woo! And you saw all the popups that said like, "Warning, warning, warning, you just got a shell." I said, "No, you didn't." Oh, damn. Um, in this case, it just had a stupid name. Enjoy configurable. You can give it a description. So you could call it like super awesome table creator made by awesome guy and it would put that there

instead. But you know I went the lazy route. Uh so there's Obsidian. Let's do Burp. I love Burp. Burp's one of my favorite tools because I'm a web hack guy. Um I hate Windows to be honest. This is all very painful for me to write this stuff. Look, I got a presentation to work in Cali. I mean, that's a feat in itself. Uh, so yeah, we're going to burp. So, the beginning, same boring thing again. We're going to just get our original shell in there. User land is fine. We don't That is a very hard sign to see when you're getting blinded by one thing. And the your font is like 10 minutes. These videos are like two

minutes each. We can roll through all of them. Um, so, uh, yeah, as I was saying before, time guy gave me my warning. Original shell userland is fine because we're exploiting a user application. Interpreter there again. Let's make sure we are who we are. And then it's Windows 10 still. Um, because magic presentation gods, uh, Defender's not running. Okay, got that out of the way. So, uh, we need a writable directory for where we're actually going to put that plugin. You could be all crafty and put it in somewhere that like no one's going to find. Uh, you could put it like in the Burp folder if you had permissions or app roaming, whatever. But we go

ahead, we load up the uh, burp config file to make sure that you've run it before. Um, there's our payload. I just wrote it to the desktop just for shits and giggles. Good. Everyone's an adult. Uh, we load up Burp. And again, you're getting all those warnings that malicious plugins running in the background, right? Right. No. Come on, think about it. You got this. Oh, no. Look at that material shell number two open. So, uh, if you go to the extensions tab, Bill, good job. Good click there. And then, uh, you can see it's a Java type payload. Again, you can give it whatever name you want. Um, that's all built into the module. I just, you know, it's

presentation. You guys don't need to see me type super secret awesome uh, burp plugin. Let's do some more. We got time. Homie in the back said like 10 minutes. Oh, I don't have that one recorded. This is supposed to be a Windows presentation. >> Oh, so we can do bits, but we're going to save bits for last because bits is like a I think it's like a three minute video. Let's do uh PS profiles because it's more exciting than uh telemetry, but God love telemetry. Oh man. So, you know, the boring first minute. Yeah, Bits is fun because I think I set it to three minutes, but you also can't control bits. So, I tell Bits to retry

every minute to get the file, but then after that minute, it's not like a hard minute. It's like, hey, Bits, why don't you go do a thing? And it's like, I'll get around to doing that whenever I feel like it. But PowerShell, so this one is great because you can use it in user land like we're going to do here. You can also use it in admin land. And in fact, literally everyone's PowerShell on the entire box. Don't do that on a box that has a lot of users. You will be swimming in shells. There are worse problems in life though. Um we one of the settings that is in there is um should we bypass execution policy?

Say it with me of [ __ ] course. Um we should also create any of those files that don't exist. Um so first two errors you see there it failed to find uh the certain ones that are for the system level. Um but it did found the find the user one and see users hoodie documents Windows PowerShellprofile.ps1. We start PowerShell. Then we question why we haven't gotten our shell back. And there it is. Yay. Again, you see all those popups. And no. So, uh, that was written by um, what's her face? Um, Wizinski Lindsay. Okay. What do we got? We got time for telemetry. Let's do Oh, so telemetry and assist of technology are more or less

the same. Uh, but let's pick one. Dealer's choice. Nailed it. Joel, I had to clean it out. Um, one of the things that I am kind of glossing over is towards the bottom, uh, when we do execute. You know what? Sorry camera guy. I'm going to walk over there and make your life miserable. But you're almost done for the day. So that was that was the sound of an old man who just grunt anytime we do anything. Uh this time we are going to an admin shell um for telemetry. Fives. Got it. We're going to be solid. I feel you. Um, so we're going to run as an admin prompt because that's what you need for telemetry or assist of

technologies since we're writing into the registry. Again, Windows 10. Uh, defender, actually, I should say defender is running. It just doesn't have any definitions to use. We are going to head and really there's not really many options for this. You could give it a name. Um, I don't bother, but here we go. right here interpreter compatible cleanup RC. So as soon as you get a interpreter session, you can say run that path name and then it will automatically execute all the registry deletes, file deletes, anything that's needed to get you off the box. Uh so uh telemetry runs whenever the hell it feels like it or we can tell the schedule task that we want you to run

right now. So, I go ahead into my own shell and trigger it myself and then again start sitting here wondering why the hell I don't have a shell back yet. Questioning if I did something wrong. Should I stop the video and reshoot it for the fifth time? Probably not. Bill, how long is this? I mean, Joel, how long is this video, man? Oh, few more seconds. I guess I was busy reporting to Microsoft everything I've ever done in my entire life.

>> Here's where I start questioning my life choices. [gasps] I hope this was the good version. [laughter] But ah there we go. Oh, thank God. Um, I mean really, you know, for presentations, like you wanted to execute back immediately, but like if I'm on a gig, I want this to happen like way further in the timeline. So, uh, go ahead and hit bits because that fickle beast is going to take a minute. And that will be right on. You don't even have to hold the sign because when bits is done,

boring, boring, boring. I didn't know what order we might do this in. Um, I didn't plan on doing the videos, but you know Joel [laughter] you didn't either. I agree, man. Which is also fun when you record all these videos and you have these sweet notepads with all your commands and then you forget to copy all those commands and shut down for the day. Uh, AI is great at looking at your videos and OCRing that text. since everything is AI these days. So we got our original um interpreter uh and we are in admin land. Um so this command is again um it's got defaults and stuff but for presentation wise we set a delay of two and a half

minutes 200 seconds. Uh, we tell it to retry every 60 seconds and go and then it immediately Sorry, camera guy. So, it tells you all the commands. It runs. H me. I'm too short there. Thank you, me. Um, it immediately sends these head requests. We respond. It immediately sends the get request and we're like, bro, chill out. Send an empty body back. And uh we keep an internal time to say we will keep responding back with empty bodies until we've hit our own internal timer. Then we're going to do it. Um now, yeah, good job me highlighting that exact thing. So now is a good time for questions while we wait the next uh two minutes.

Any questions? Yeah, I got I know. I told you we're perfect on time. Question.

>> Did you just ask if I write good code? Yes. Uh, no. Um,

>> shots fired. So, uh, I brought up the clock because I got frustrated. Um, yeah. No, uh, that's part of the check method. It checks, uh, sometimes for like registry, I'll actually write in just a stupid key to make to double check that we have it instead of assuming that everyone can write or that just admins can write. Um, anytime there is a file reader, write, we're going to check that we have permission to do that first. So if it's if you get a success back on check, it should godamn work. No kids still. Okay. Uh do you know what was the same?

I don't use I'm not on this is gonna sound weird because it's open source and everybody does everything, but I'm not on the payload team. So I don't that it's going to hit on the payload XES and DLS and stuff like that. But um you know that's a cat and mouse game all the time. And I know there's a bunch of new encoders that are coming out that should do some stuff. Um there's also a malleable transport that is about halfway done by OJ out in Australia and um that's going to have more C2 flavors to it. So um the only one that is the hotness is the registry one where it writes the payload in as a registry key.

I don't know what devil's magic it uses to trigger that and I keep forgetting to look. We had a unbearded question with zero minutes left. It's going to happen. When it happens, we're done.

>> Modules are stove pipe. So, it's going to run the same. It's going to run the check on everyone. Um that being said the you know everything is looking for different stuff. So you know writing to the startup folder it's checking for right access there registry one's checking for registry stuff there. So there is probably some overlap but it's probably less than you think but AVwise um you know how someone's uh actually using a box probably a giveaway. I can admit my flaws and Nano is not one of them. Bill, what's the time? I mean, Joel, what's the time on here? How much time left is that? Because he said zero seconds. Oh, [sighs] can we speed it up a bit? I

don't. He's going to get mad at me. And he looks nice. Don't be mad at me. Time guy. That and all the smart people who like understand math just came in from next door. Come on, Joel. Oh, there we go. So, finally it uh sent the request. It wants bytes because god forbid. Uh we send it back, it executes it. Yay, we all win. That's all for questions. And uh I'm going to go on a date with my wife now. So, hell yeah. [applause]

[ feedback ]