Meterpreter: Attach to Orphaned Session

G5 Cyber Security

1 week ago

TL;DR

This guide shows you how to attach a Meterpreter session to a process that didn’t start through a typical exploit (an orphaned or stageless session). This is useful when a payload lands in memory directly, bypassing standard exploitation stages.

Steps

Identify the Process ID (PID)

First, you need to find the PID of the process your Meterpreter payload has landed in. You can do this using several methods:

Process Explorer: Download and run Process Explorer from Microsoft (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer). Look for the process name or any other identifying information that matches your payload’s behaviour.
Tasklist: Open a command prompt and use tasklist to list running processes. You can filter by image name using tasklist /FI "IMAGENAME eq ". Replace <process_name> with the expected process name.
PsGetSid: If you have access, use a PowerShell command like this to find processes by user:
```
powershell Get-Process | Where-Object {$_.UserName -eq "NT AUTHORITYSYSTEM"}
```

Use the psinject Command

The psinject command is used to inject Meterpreter into an existing process. It’s part of Metasploit.

Open a Metasploit console (msfconsole).

msf6 > use post/multi/manage

msf6 post/multi/manage > set SESSION

msf6 post/multi/manage > psinject PID=

Replace <your_meterpreter_session_number> with the number of your existing Meterpreter session.
Replace <target_PID> with the process ID you identified in Step 1.

Verify Attachment

After running psinject, Metasploit will attempt to attach Meterpreter to the specified process.

Check your existing session in msfconsole. You should see a new Meterpreter shell associated with the PID you injected into.
Use commands like getuid or ps -x within the newly attached session to confirm that it’s running under the correct context (the process you targeted).

Troubleshooting

Permissions: Ensure your Meterpreter session has sufficient permissions to inject into the target process. Administrator or SYSTEM privileges are often required.
Anti-Virus/EDR: Anti-virus software or Endpoint Detection and Response (EDR) solutions may block the injection attempt. Try bypassing techniques if necessary.
Process Integrity: Some processes have integrity checks that prevent code injection. You might need to find a different process to attach to.