module
WMI Event Subscription Process Persistence
| Disclosed | Created |
|---|---|
| Jun 6, 2017 | Jan 14, 2026 |
Disclosed
Jun 6, 2017
Created
Jan 14, 2026
Description
This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
that triggers the payload when the specified process is started.
Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
Many built-in apps on Windows 10/11 launch via a modern UWP app (Win32Bridge.Server.exe or ApplicationFrameHost.exe),
not the legacy binary (like calc.exe). If you pick one of these apps, like calc.exe, it can still be triggered
from command line, however GUI execution will not work.
Duplicate CLASSNAMEs will not overwrite, so if the env isn't cleaned up before
re-exploitation, the exploitation will fail.
Tested and works being launched from GUI (windows 10):
chrome.exe (several shells at once)
calc.exe (only from command line calc.exe or calc)
msedge.exe (several shells at once)
cmd.exe
that triggers the payload when the specified process is started.
Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
Many built-in apps on Windows 10/11 launch via a modern UWP app (Win32Bridge.Server.exe or ApplicationFrameHost.exe),
not the legacy binary (like calc.exe). If you pick one of these apps, like calc.exe, it can still be triggered
from command line, however GUI execution will not work.
Duplicate CLASSNAMEs will not overwrite, so if the env isn't cleaned up before
re-exploitation, the exploitation will fail.
Tested and works being launched from GUI (windows 10):
chrome.exe (several shells at once)
calc.exe (only from command line calc.exe or calc)
msedge.exe (several shells at once)
cmd.exe
Authors
Nick Tyrer @NickTyrer
h00die
h00die
Platform
Windows
Architectures
x64, x86, aarch64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.