Nice post. I'm getting back into C++ myself and appreciate the sample code.

For whatever reason, Symantec only has an attack signature for Meterpreter's reverse_tcp payload: http://www.symantec.com/security_response/attacksignatures/ It's the stupidest thing in the world. Bind_tcp, reverse_https like you used, etc. work just fine.

Depending on the configuration, you are sometimes unable to disable smc in that manner (I believe this is functionality that can be disabled via the management console), so it's good to know about the alternate payloads.

Also, SEP was catching default msfvenom exes, but using the -t option with pslist.exe got around that. Sometimes it's just too easy.

Yeah so....I actually used the reverse_tcp meterpreter payload and not https. Also I didn't stop the Smc.exe process. That is still running.

Stopping the Smc.exe process is <path>\smc -stop

As opposed to a <path>\smc -disable -ntp that targets the ntp. And ntp doesnt stay dead for very long. It comes back online in 5 minutes. I timed it

However even when it does it won't kill your meterpreter session

I tell you though I havn't looked at c++ in a while though......