Windows Executable

Attacks -> Packages -> Windows Executable generates a Windows executable artifact that delivers a Win32 Listener. This package gives you several output options:

Windows EXE is a Windows executable.

Windows Service EXE is a Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit® Framework's PsExec modules.

Windows DLL (32-bit) is an x86 Windows DLL.

Windows DLL (64-bit) is an x64 Windows DLL. If Use x64 payload is not checked, the x64 DLL will spawn a 32-bit process and migrate your listener to it.

The x86 and x64 DLL options export a StartW function that is compatible with rundll32.exe. Use the architecture-appropriate rundll32.exe to load your DLL from the command line.

rundll32 foo.dll,StartW

This feature generates x86 artifacts that deliver x86 stages by default (unless otherwise noted). Check the Use x64 payload box to generate an x64 artifact that contains an x64 payload stage.

Check the Sign executable file box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

Cobalt Strike uses its Artifact Kit to generate this output.