Metasploit

Auxiliary Modules

Port Scan

use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.0/24
run

DNS Enumeration

use auxiliary/gather/dns_enum
set DOMAIN target.tgt
run

Host FTP Server

use auxiliary/server/ftp
set FTPROOT /tmp/ftproot
run

Proxy Server

Any proxied traffic matching the subnet of a route will be routed through the specified session. Use proxychains configured for socks4 to route application traffic through a Meterpreter session.


msfvenom

List Payloads

Format Options

Format   Description
exe      Windows executable
elf      Linux executable
aspx     ASP.NET web payload
jsp      Java Server Pages
war      Java web archive
php      PHP script
py       Python script
pl       Perl script
rb       Ruby script
raw      Raw shellcode
c        C code
ps1      PowerShell script
dll      Windows DLL
msi      Windows installer

Common Payload Generation

Encoding Payloads

Backdoored Executables

Inject payload into a legitimate executable template. The -k flag runs the original program in a separate thread so it appears to function normally.

Multi/Handler

Set up a listener to catch reverse connections from msfvenom payloads:

Run as a background job:


Meterpreter

Meterpreter uses DLL injection to reside entirely in memory. It leaves no traces on disk, uses AES-encrypted communication (MSF6+), and can migrate between processes.

How It Works

  1. Target executes the initial stager (bind, reverse, etc.)

  2. Stager loads a Reflective DLL

  3. Meterpreter core initializes, establishes an AES-encrypted link

  4. Extensions stdapi and priv (if admin) are loaded over AES

Core Commands

Command           Description
background / bg   Background the current session
exit / quit       Terminate the Meterpreter session
guid              Get the session GUID
help              Display the help menu
info              Display information about a Post module
irb               Open an interactive Ruby shell on the session
load              Load one or more Meterpreter extensions
migrate           Migrate the server to another process
run               Execute a Meterpreter script or Post module
sessions          Quickly switch to another session
sleep             Force Meterpreter to go quiet, then re-establish
transport         Change the current transport mechanism
uuid              Get the UUID for the current session

File System Commands

Command         Description
cd              Change directory
ls / dir        List files in current directory
pwd / getwd     Print working directory
cat             Read the contents of a file
edit            Edit a file (vim)
rm              Delete the specified file
mv              Move source to destination
cp              Copy source to destination
mkdir           Make directory
rmdir           Remove directory
upload          Upload a file or directory
download        Download a file or directory
search          Search for files
checksum        Retrieve the checksum of a file
show_mount      List all mount points/logical drives
lcd             Change local working directory
lpwd / getlwd   Print local working directory
lls             List local files

Networking Commands

Command               Description
arp                   Display the host ARP cache
ifconfig / ipconfig   Display network interfaces
netstat               Display the network connections
portfwd               Forward a local port to a remote service
route                 View and modify the routing table
resolve               Resolve hostnames on the target
getproxy              Display the current proxy configuration

System Commands

Command       Description
clearev       Clear the event log
execute       Execute a command
getpid        Get the current process identifier
getuid        Get the user the server is running as
getsid        Get the SID of the running user
getprivs      Attempt to enable all privileges for the current process
getenv        Get environment variable values
kill          Terminate a process
pkill         Terminate processes by name
pgrep         Filter processes by name
ps            List running processes
shell         Drop into a system command shell
sysinfo       Get information about the remote system
reboot        Reboot the remote computer
shutdown      Shut down the remote computer
reg           Modify and interact with the remote registry
steal_token   Steal an impersonation token from a process
drop_token    Relinquish any active impersonation token
rev2self      Calls RevertToSelf() on the remote machine
localtime     Display the target system's local date and time
suspend       Suspend or resume a list of processes

User Interface Commands

Command         Description
enumdesktops    List all accessible desktops and window stations
screenshot      Grab a screenshot of the interactive desktop
screenshare     Watch the remote user's desktop in real-time
keyscan_start   Start capturing keystrokes
keyscan_dump    Dump the keystroke buffer
keyscan_stop    Stop capturing keystrokes
keyboard_send   Send keystrokes
idletime        Returns seconds the remote user has been idle
record_mic      Record audio from the default microphone for X seconds
webcam_list     List webcams
webcam_snap     Take a snapshot from the specified webcam
webcam_stream   Play a video stream from the specified webcam

Privilege Commands

Command     Description
getsystem   Attempt to elevate privilege to local system
hashdump    Dump the contents of the SAM database
timestomp   Manipulate file MACE attributes


New Meterpreter Session Steps

After gaining access, insert AV path exception, write implant to disk and execute to catch callback:

Now running as a thread in the address space of the svchost.exe process.


Process Migration and Token Stealing

Use steal_token when you need to impersonate another user's security context without fully migrating into their process.


Credential Harvesting

Hashdump

Output format: Username:SID:LM hash:NTLM hash:::

LM hash aad3b435b51404eeaad3b435b51404ee = empty password. NTLM hash 31d6cfe0d16ae931b73c59d7e0c089c0 = empty password.
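A small parser for the hashdump output format described above, useful when auditing your own SAM extracts for blank passwords or accounts that still have an LM hash stored. This is an added example, not code from the page or from Metasploit; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Well-known hash values for an empty password (quoted in the text above).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One hashdump line: Username:RID:LM hash:NTLM hash:::
# (the page labels the second field SID; hashdump prints the numeric RID there)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def empty_password(self) -> bool:
        """NTLM hash of the empty string: the account has a blank password."""
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        """A real LM hash is present (weak; LM storage should be disabled)."""
        return self.lm != EMPTY_LM


def parse_hashdump(text: str) -> list[HashEntry]:
    """Parse hashdump output; raise ValueError on a line that does not fit the format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not a hashdump line: {line!r}")
        entries.append(HashEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries: list[HashEntry]) -> tuple[list[str], list[str]]:
    """Return (users with a blank password, users with an LM hash stored)."""
    blank = [e.user for e in entries if e.empty_password]
    lm = [e.user for e in entries if e.lm_stored]
    return blank, lm


# Constructed sample output (not from a real system).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    blank, lm = audit(parse_hashdump(SAMPLE))
    print("blank password:", blank)
    print("LM hash stored:", lm)
```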

Credential Collector

Kiwi (Mimikatz)

Command                 Description
creds_all               Retrieve all credentials (parsed)
creds_kerberos          Retrieve Kerberos creds (parsed)
creds_msv               Retrieve LM/NTLM creds (parsed)
creds_ssp               Retrieve SSP creds
creds_tspkg             Retrieve TsPkg creds (parsed)
creds_wdigest           Retrieve WDigest creds (parsed)
dcsync                  Retrieve user account information via DCSync
dcsync_ntlm             Retrieve user NTLM hash, SID and RID via DCSync
golden_ticket_create    Create a golden kerberos ticket
kerberos_ticket_list    List all kerberos tickets
kerberos_ticket_purge   Purge any in-use kerberos tickets
kerberos_ticket_use     Use a kerberos ticket
kiwi_cmd                Execute an arbitrary mimikatz command
lsa_dump_sam            Dump LSA SAM
lsa_dump_secrets        Dump LSA secrets
password_change         Change the password/hash of a user
wifi_list               List wifi profiles/creds for the current user
wifi_list_shared        List shared wifi profiles/creds (requires SYSTEM)


Local Exploit Suggester

Background your current session, then:

Use the suggested exploit:


Execute a Program

Flag   Description
-H     Create the process hidden from view
-a     Arguments to pass to the command
-i     Interact with the process after creating it
-m     Execute from memory
-t     Execute with currently impersonated thread token
-s     Execute process in a given session as the session user


Powershell from Meterpreter

Powershell Extension

One-shot Commands


Incognito (Token Impersonation)


Upgrade Shell to Meterpreter


Post-Exploitation Modules

Windows Survey Modules

Winenum

Built-in enumeration using net, netsh, and wmic commands:

Output stored per-command in the path shown in the output.


Routing and Pivoting

Set Route

Autoroute Module

Port Forwarding


UAC Escalation

Change UAC to Not Notify

Requires admin:

Disable LUA (UAC)


Persistence Modules

Registry Run Key

Set RUN_NAME at minimum.

WMI Event Subscription

Requires failed login auditing enabled:

Event ID for failed logon: 4625. Set USERNAME_TRIGGER and SESSION at minimum. Cannot be run as SYSTEM or USER — needs ADMINISTRATOR.


Clearing the Event Log


Firewall and IDS/IPS Evasion

Endpoint vs Perimeter Protection

Type        Description
Endpoint    Software on the host (AV, anti-malware, host firewall, anti-DDoS)
Perimeter   Physical/virtual devices at the network edge (IDS/IPS, network firewalls, WAF)

Detection Methods

Method                            Description
Signature-based                   Compares packets/files against known attack pattern signatures
Heuristic / Statistical Anomaly   Behavioral comparison against established baselines
Stateful Protocol Analysis        Recognizes divergence from accepted protocol definitions
Live SOC Monitoring               Analysts using live-feed software to monitor and alert

Evasion Techniques

MSF6 AES Encryption: All Meterpreter communications are AES-encrypted, so network-based IDS/IPS cannot inspect the traffic content.

Backdoored Executables: Inject payload into legitimate executables using the -x template flag and -k to keep original execution:

Password-Protected Archives: Archive the payload with a password and strip the file extension. This bypasses many signature-based AV scans (flagged as unable to scan, not as malicious).

Packers: Executable compression that packs payload + decompression code into one file. The payload decompresses transparently at runtime.

Packer                 Notes
UPX                    Open source, widely used
The Enigma Protector   Commercial
MPRESS                 Lightweight
Themida                Advanced anti-debugging
MEW                    Minimal
ExeStealth             Stealth-oriented

MSF6 Changes (Evasion Improvements)

  • End-to-end AES encryption for all five Meterpreter implementations (Windows, Python, Java, Mettle, PHP)

  • SMBv3 client support with encryption

  • Polymorphic payload generation for Windows shellcode (instructions shuffled each generation)

  • DLLs resolve functions by ordinal instead of name

  • ReflectiveLoader export no longer present as text data in payload binaries

  • Meterpreter commands encoded as integers instead of strings

  • Kiwi replaced old Mimikatz extension