module
Windows WSL via Registry Persistence
| Disclosed | Created |
|---|---|
| Jan 29, 2022 | Nov 20, 2025 |
Disclosed
Jan 29, 2022
Created
Nov 20, 2025
Description
This module will install a payload in WSL and execute it at user
logon or system startup via the registry value in "CurrentVersion\Run"
or "RunOnce" (depending on privilege and selected method).
The payload will be installed completely in registry.
Staged payloads, like fetch payloads in linux X64 don't tend to work. The payload
will ask for the stage, then submit the HTTP fetch request
and when the payload is sent it doesn't execute.
`cmd/linux/http/x64/meterpreter_reverse_tcp` and unix cmd payloads tend to work.
logon or system startup via the registry value in "CurrentVersion\Run"
or "RunOnce" (depending on privilege and selected method).
The payload will be installed completely in registry.
Staged payloads, like fetch payloads in linux X64 don't tend to work. The payload
will ask for the stage, then submit the HTTP fetch request
and when the payload is sent it doesn't execute.
`cmd/linux/http/x64/meterpreter_reverse_tcp` and unix cmd payloads tend to work.
Authors
Joe Helle
h00die
h00die
Platform
Linux,Unix
Architectures
cmd, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.