Revision Historyβ
| Date | Author | Summary |
|---|
| 21-MAR-2026 | CW2 Bernadotte | Initial draft |
Purposeβ
This AID provides a practical command reference for Metasploit Framework usage during Cyber Threat Emulation (CTE) missions. The focus is on setup, workflow, payload generation, post-exploitation fundamentals, pivoting, and evasion - not on specific ATT&CK technique execution.
End-Stateβ
- Operators can initialize, configure, and navigate Metasploit efficiently from a Kali VM.
- Operators can generate and deliver payloads using
msfvenom with appropriate evasion applied.
- Operators can manage sessions, navigate Meterpreter, and set up pivots through compromised hosts.
- Operators understand which MSF settings reduce detection footprint without requiring custom tooling.
Requirementsβ
| Requirement | Notes |
|---|
| Kali Linux VM | Metasploit Framework pre-installed |
| Network access to target(s) | Required for exploitation and handler callbacks |
msfdb initialized | PostgreSQL backend - required for workspace and host tracking |
| Valid credentials or known vulnerability | Exploitation requires a foothold vector |
Considerationsβ
- OPSEC - Port Selection: Default MSF listener ports (
4444, 4445) are well-known and frequently blocked or alerted on. Try to use 443, 80, or 8443 for handlers to try and blend in with common network traffic.
- OPSEC - Protocol: Prefer HTTPS (
reverse_https) over HTTP or raw TCP for callbacks. HTTP and raw TCP payloads transmit stage data and C2 traffic in plaintext, visible to any inline inspection.
- OPSEC - Staged vs Stageless: Staged payloads (
windows/x64/meterpreter/reverse_https) make a second network connection to download the stage - two connections, more detectable over the network. Stageless (windows/x64/meterpreter_reverse_https) embed the full payload in the file - single connection, less network noise, but more likely to be detected by endpoint security.
- Cleanup: Remove uploaded files, close sessions, and drop listeners when finished. MSF does not auto-clean.