The Meterpreter Payload is a specific type of multi-faceted, extensible Payload that uses DLL injection to ensure the connection to the victim host is stable and difficult to detect using simple checks and can be configured to be persistent across reboots or system changes. Furthermore, Meterpreter resides entirely in the memory of the remote host and leaves no traces on the hard drive, making it difficult to detect with conventional forensic techniques.

https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/

https://www.blackhillsinfosec.com/modifying-metasploit-x64-template-for-av-evasion/

Running Meterpreter

When the exploit is completed, the following events occur:

• The target executes the initial stager. This is usually a bind, reverse, findtag, passivex, etc.
• The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
• The Meterpreter core initializes, establishes an AES-encrypted link over the socket, and sends a GET. Metasploit receives this GET and configures the client.
• Lastly, Meterpreter loads extensions. It will always load stdapi and load priv if the module gives administrative rights. All of these extensions are loaded over AES encryption.

MSF -Dumping Hashes

hashdump

lsa_dump_sam

lsa_dump_secrets