
       Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
     Module: payload/cmd/windows/http/x64/custom/reverse_https
   Platform: Windows
       Arch: 
Evasion options for payload/cmd/windows/http/x64/custom/reverse_https:
=========================

ters-r7
    hdm <x@hdm.io>
    agix
    rwincey

Basic options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE        false            yes       Attempt to delete the binary after execution
FETCH_FILENAME      JwRhtGwNOK       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST                        no        Local IP to use for serving payload
FETCH_SRVPORT       8080             yes       Local port to use for serving payload
FETCH_URIPATH                        no        Local URI to use for serving payload
FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
LHOST                                yes       The local listener hostname
LPORT               8443             yes       The local listener port
LURI                                 no        The HTTP Path
SHELLCODE_FILE                       no        Shellcode bin to launch


When FETCH_COMMAND is one of CURL:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

Description:
    Fetch and execute an x64 payload from an HTTP server.
    Custom shellcode stage.

    Tunnel communication over HTTP (Windows x64 wininet)


    Name                        Current Setting                                                                                                         Required  Description
    ----                        ---------------                                                                                                         --------  -----------
    EXE::Custom                                                                                                                                         no        Use custom exe instead of automatically generating a payload exe
    EXE::EICAR                  false                                                                                                                   no        Generate an EICAR file instead of regular payload exe
    EXE::FallBack               false                                                                                                                   no        Use the default template in case the specified one is missing
    EXE::Inject                 false                                                                                                                   no        Set to preserve the original EXE function
    EXE::OldMethod              false                                                                                                                   no        Set to use the substitution EXE generation method.
    EXE::Path                                                                                                                                           no        The directory in which to look for the executable template
    EXE::Template                                                                                                                                       no        The executable template file name.
    EnableStageEncoding         false                                                                                                                   no        Encode the second stage payload
    FetchHandlerDisable         false                                                                                                                   yes       Disable fetch handler
    FetchHttpServerName         Apache                                                                                                                  yes       Fetch HTTP server name
    FetchListenerBindAddress                                                                                                                            no        The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
    FetchListenerBindPort                                                                                                                               no        The port to bind to if different from FETCH_SRVPORT
    HandlerSSLCert                                                                                                                                      no        Path to a SSL certificate in unified PEM format
    HttpCookie                                                                                                                                          no        An optional value to use for the Cookie HTTP header
    HttpHostHeader                                                                                                                                      no        An optional value to use for the Host HTTP header
    HttpProxyHost                                                                                                                                       no        An optional proxy server IP address or hostname
    HttpProxyPass                                                                                                                                       no        An optional proxy server password Max parameter length: 63 characters
    HttpProxyPort                                                                                                                                       no        An optional proxy server port
    HttpProxyType               HTTP                                                                                                                    yes       The type of HTTP proxy (Accepted: HTTP, SOCKS)
    HttpProxyUser                                                                                                                                       no        An optional proxy server username Max parameter length: 63 characters
    HttpReferer                                                                                                                                         no        An optional value to use for the Referer HTTP header
    HttpServerName              Apache                                                                                                                  no        The server header that the handler will send in response to requests
    HttpUnknownRequestResponse  <html><body><h1>It works!</h1></body></html>                                                                            no        The returned HTML response body when the handler receives a request that is not from a payload
    HttpUserAgent               Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15  no        The user-agent that the payload should use for communication Max parameter length: 255 characters
    IgnoreUnknownPayloads       false                                                                                                                   no        Whether to drop connections from payloads using unknown UUIDs
    MSI::Custom                                                                                                                                         no        Use custom msi instead of automatically generating a payload msi
    MSI::EICAR                  false                                                                                                                   no        Generate an EICAR file instead of regular payload msi
    MSI::Path                                                                                                                                           no        The directory in which to look for the msi template
    MSI::Template                                                                                                                                       no        The msi template file name
    MSI::UAC                    false                                                                                                                   no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
    OverrideLHOST                                                                                                                                       no        When OverrideRequestHost is set, use this value as the host name for secondary requests
    OverrideLPORT                                                                                                                                       no        When OverrideRequestHost is set, use this value as the port number for secondary requests
    OverrideRequestHost         false                                                                                                                   no        Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
    OverrideScheme                                                                                                                                      no        When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
    PayloadUUIDName                                                                                                                                     no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                                                                                                                                      no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                                                                                                                                     no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking         false                                                                                                                   yes       Whether or not to automatically register generated UUIDs
    PingbackRetries             0                                                                                                                       yes       How many additional successful pingbacks
    PingbackSleep               30                                                                                                                      yes       Time (in seconds) to sleep between pingbacks
    PrependMigrate              false                                                                                                                   yes       Spawns and runs shellcode in new process
    PrependMigrateProc                                                                                                                                  no        Process to spawn and run shellcode in
    ReverseAllowProxy           false                                                                                                                   yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                                                                                                                          no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                                                                                                                             no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                                                                                                                                 no        The specific communication channel to use for this listener
    SSLVersion                  Auto                                                                                                                    yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
    StageEncoder                                                                                                                                        no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                                                                                                                           no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback       true                                                                                                                    no        Fallback to no encoding if the selected StageEncoder is not compatible
    StagerRetryCount            10                                                                                                                      no        The number of times the stager should retry if the first connect fails
    StagerRetryWait             5                                                                                                                       no        Number of seconds to wait for the stager between reconnect attempts
    StagerURILength                                                                                                                                     no        The URI length for the stager (at least 5 bytes)
    StagerVerifySSLCert         false                                                                                                                   no        Whether to verify the SSL certificate in Meterpreter
    VERBOSE                     false                                                                                                                   no        Enable detailed status messages
    WORKSPACE                                                                                                                                           no        Specify the workspace for this module

