
       Name: HTTP Fetch, Windows x64 Bind Named Pipe Stager
     Module: payload/cmd/windows/http/x64/meterpreter/bind_named_pipe
   Platform: Windows
       Arch: cmd
Needs Admin: No
 Total size: 123
       Rank: Normal

Provided by:
    Brendan Watters
    skape <mmiller@hick.org>
    sf <stephen_fewer@harmonysecurity.com>
    OJ Reeves
    UserExistsError

Basic options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE        false            yes       Attempt to delete the binary after execution
FETCH_FILENAME      muMiieiQ         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST                        yes       Local IP to use for serving payload
FETCH_SRVPORT       8080             yes       Local port to use for serving payload
FETCH_URIPATH                        no        Local URI to use for serving payload
FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
LPORT               445              yes       SMB port
PIPENAME            msf-pipe         yes       Name of the pipe to connect to
RHOST                                no        Host of the pipe to connect to
SMBDomain           .                no        The Windows domain to use for authentication
SMBPass                              no        The password for the specified username
SMBUser                              no        The username to authenticate as


When FETCH_COMMAND is one of CURL:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

Description:
    Fetch and execute an x64 payload from an HTTP server.
    Listen for a pipe connection (Windows x64)


    Name                         Current Setting  Required  Description
    ----                         ---------------  --------  -----------
    AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
    AutoRunScript                                 no        A script to run automatically on session creation.
    AutoSystemInfo               true             yes       Automatically capture system information on initialization.
    AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
    AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
    EXE::Custom                                   no        Use custom exe instead of automatically generating a payload exe
    EXE::EICAR                   false            no        Generate an EICAR file instead of regular payload exe
    EXE::FallBack                false            no        Use the default template in case the specified one is missing
    EXE::Inject                  false            no        Set to preserve the original EXE function
    EXE::OldMethod               false            no        Set to use the substitution EXE generation method.
    EXE::Path                                     no        The directory in which to look for the executable template
    EXE::Template                                 no        The executable template file name.
    EnableStageEncoding          false            no        Encode the second stage payload
    EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
    FetchHandlerDisable          false            yes       Disable fetch handler
    FetchHttpServerName          Apache           yes       Fetch HTTP server name
    FetchListenerBindAddress                      no        The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
    FetchListenerBindPort                         no        The port to bind to if different from FETCH_SRVPORT
    HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
    InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
    MSI::Custom                                   no        Use custom msi instead of automatically generating a payload msi
    MSI::EICAR                   false            no        Generate an EICAR file instead of regular payload msi
    MSI::Path                                     no        The directory in which to look for the msi template
    MSI::Template                                 no        The msi template file name
    MSI::UAC                     false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
    MeterpreterDebugBuild        false            no        Use a debug version of Meterpreter
    MeterpreterDebugLogging                       no        The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
    PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
    PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
    PingbackRetries              0                yes       How many additional successful pingbacks
    PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
    PrependMigrate               false            yes       Spawns and runs shellcode in new process
    PrependMigrateProc                            no        Process to spawn and run shellcode in
    SMBDirect                    true             yes       The target port is a raw SMB service (not NetBIOS)
    SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
    SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
    SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
    SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
    StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
    VERBOSE                      false            no        Enable detailed status messages
    WAIT_TIMEOUT                 10               no        Seconds pipe will wait for a connection
    WORKSPACE                                     no        Specify the workspace for this module

