TL;DR
This guide shows you how to attach a Meterpreter session to a process that didn’t start through a typical exploit (an orphaned or stageless session). This is useful when a payload lands in memory directly, bypassing standard exploitation stages.
Steps
- Identify the Process ID (PID)
  First, you need to find the PID of the process your Meterpreter payload has landed in. You can do this using several methods:
  - Process Explorer: Download and run Process Explorer from Microsoft (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer). Look for the process name or any other identifying information that matches your payload’s behaviour.
  - Tasklist: Open a command prompt and use tasklist to list running processes. You can filter by image name using:
    tasklist /FI "IMAGENAME eq <process_name>"
    Replace <process_name> with the expected process name.
  - PsGetSid: If you have access, use a PowerShell command like this to find processes by user (the UserName property is only populated with -IncludeUserName, which needs an elevated prompt):
    Get-Process -IncludeUserName | Where-Object {$_.UserName -eq "NT AUTHORITY\SYSTEM"}
- Use the psinject Command
  The psinject command is used to inject Meterpreter into an existing process. It’s part of Metasploit.
  Open a Metasploit console (msfconsole).
    msf6 > use post/multi/manage
    msf6 post/multi/manage > set SESSION <your_meterpreter_session_number>
    msf6 post/multi/manage > psinject PID=<target_PID>
  - Replace <your_meterpreter_session_number> with the number of your existing Meterpreter session.
  - Replace <target_PID> with the process ID you identified in Step 1.
- Verify Attachment
  After running psinject, Metasploit will attempt to attach Meterpreter to the specified process.
  - Check your existing session in msfconsole. You should see a new Meterpreter shell associated with the PID you injected into.
  - Use commands like getuid or ps -x within the newly attached session to confirm that it’s running under the correct context (the process you targeted).
- Troubleshooting
  - Permissions: Ensure your Meterpreter session has sufficient permissions to inject into the target process. Administrator or SYSTEM privileges are often required.
  - Anti-Virus/EDR: Anti-virus software or Endpoint Detection and Response (EDR) solutions may block the injection attempt. Try bypassing techniques if necessary.
  - Process Integrity: Some processes have integrity checks that prevent code injection. You might need to find a different process to attach to.
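
For the Anti-Virus/EDR item under Troubleshooting, this added example (not part of the original guide) shows the kind of telemetry check that catches injection into an existing process: it scans Sysmon Event ID 8 (CreateRemoteThread) records for threads whose start address is not backed by a loaded module. The sample events, the allowlist and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: images this environment expects to create remote threads.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def suspicious_remote_threads(events):
    """Flag CreateRemoteThread (ID 8) events whose start address has no module."""
    hits = []
    for xml_text in events:
        event_id, d = parse_event(xml_text)
        if event_id != 8:
            continue  # only cross-process thread creation is of interest here
        if d["SourceImage"].lower() in ALLOWED_SOURCES:
            continue  # expected system behaviour, per the allowlist assumption
        # Sysmon writes "-" when the start address maps to no loaded module.
        if d.get("StartModule", "-").strip() in ("", "-"):
            hits.append((d["SourceImage"], int(d["TargetProcessId"]), d["TargetImage"]))
    return hits

def _sample(event_id, **fields):
    """Build a constructed event in Sysmon's XML layout (not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [  # constructed sample data
    _sample(8, SourceImage=r"C:\Users\Public\updater.exe", TargetProcessId="868",
            TargetImage=SVCHOST, StartAddress="0x000001F2A4B30000", StartModule="-"),
    _sample(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetProcessId="868",
            TargetImage=SVCHOST, StartAddress="0x00007FFB1C2E0000", StartModule="-"),
    _sample(8, SourceImage=r"C:\Tools\debugger.exe", TargetProcessId="5012",
            TargetImage=r"C:\Windows\notepad.exe",
            StartModule=r"C:\Windows\System32\ntdll.dll"),
    _sample(1, Image=SVCHOST, ProcessId="868"),
]

if __name__ == "__main__":
    for source, pid, target in suspicious_remote_threads(SAMPLE_EVENTS):
        print(f"remote thread without module: {source} -> {target} (PID {pid})")
```

Tune the allowlist against your own baseline before alerting on this check.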

