PrependMigrate with Veil

We want to start this tutorial off by stating that ScriptJunkie wrote a great article on PrependMigrate and how it works.  In a nutshell, PrependMigrate allows you to “start the shellcode in a new process”.  This great feature works very well in instances where you receive your callback and it dies nearly immediately.  There could be multiple reasons for this happening, and Metasploit’s PrependMigrate will help “save your shell”.

Now, by default, Veil payloads do not have this enabled.  In order to utilize this feature, we will need to set it when we are creating our payload within Veil.  To begin, go ahead and start Veil, select your payload, and provide your LHOST and LPORT values.  In this instance, we’re using python/FlatInjection; however, this should work for all payload options.  When Veil asks if you have any additional msfvenom options, be sure to enter:

PrependMigrate=true

Once this has been entered, allow Veil to generate your shellcode, and then wrap it into a Windows executable.

Now, simply set up your handler, drop your payload on your target machine, and execute it.  If you’re viewing the running processes on the target machine, you will see your original payload running, but also rundll32.exe.  Your Meterpreter session (assuming that is your payload of choice) is now running within the rundll32.exe process and hopefully you have kept your session!
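The extra rundll32.exe process described above is also what a defender can look for. The following is an added example, not code from Veil or Metasploit: it scans process-creation events for rundll32.exe started with no DLL argument, since normal use of rundll32.exe names a DLL and an entry point. The event fields are modelled on Sysmon Event ID 1, the sample events are constructed, and the assumption that the spawned rundll32.exe carries no arguments is ours, not something the article states.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 3004,
     "Image": r"C:\Users\alice\Downloads\tool.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\tool.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4388, "ParentProcessId": 4120,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe"},
    {"ProcessId": 5012, "ParentProcessId": 3004,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def split_args(command_line):
    """Return whatever follows the executable name on a Windows command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return "" if end == -1 else cl[end + 1:].strip()
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def find_bare_rundll32(events):
    """Flag rundll32.exe launches that name no DLL or entry point."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
            continue
        if split_args(ev["CommandLine"]):
            continue  # normal use: rundll32.exe <dll>,<entry point> ...
        parent = ev["ParentImage"]
        hits.append({
            "pid": ev["ProcessId"],
            "parent_pid": ev["ParentProcessId"],
            "parent_image": parent,
            # Assumption: a parent outside C:\Windows raises the priority of the alert.
            "parent_outside_windir": not parent.lower().startswith("c:\\windows\\"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_bare_rundll32(SAMPLE_EVENTS):
        print(hit)
```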

Hope this helps, feel free to ask any questions, and don’t get caught!