Execution Context
Plugin commands can run in different ways, giving you flexibility. In contrast, native commands always run in the agent’s own process. Plugin commands deliver an ExecUnit — executable code that can be native shellcode, a native DLL, a .NET DLL, or a .NET executable — and that ExecUnit is executed in one of these ways:
- In the agent’s own process (Default):
  The ExecUnit runs inside the agent process. This is usually the most stealthy option.
- In a new process:
  A new process is created to host the ExecUnit. You can choose to suspend the process’s main thread or let it run normally. When using this option, you must specify which process to create. Optionally, you can supply a username and password for running under different credentials.
- In an existing process:
  The ExecUnit is injected into a running process. You must provide the target Process ID (PID) and ensure you have sufficient permissions to access that process.
The C2 automatically picks the best ExecUnit format (shellcode, native DLL, .NET DLL, or .NET EXE) based on what the command supports and what the agent reports as capable. Agents advertise separate capability sets for self-process and remote-process execution, so the chosen execution context may influence which format is used. Advanced users can request a specific format with execUnitType/exec_unit_type; the C2 rejects the command if that format is not supported by both the command and the agent.
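The selection rule above can be modelled as a small resolver. This is an added sketch, not the product's code: the function, the format and context identifiers, the preference order, and the mapping of both "new process" and "existing process" to the remote-process capability set are all assumptions.

```python
# Added illustration of the format negotiation described above.
# All names, the preference order and the sample data are assumptions.

# Assumed preference order; the page only says the C2 picks the "best" format.
PREFERENCE = ("shellcode", "native_dll", "dotnet_dll", "dotnet_exe")
CONTEXTS = ("self", "new_process", "existing_process")


class Rejected(Exception):
    """No ExecUnit format is supported by both the command and the agent."""


def resolve_exec_unit(command_formats, agent_caps, context, exec_unit_type=None):
    """Return the ExecUnit format for one command invocation.

    command_formats: formats the plugin command can be delivered as
    agent_caps: {"self": set, "remote": set}, as advertised by the agent
    context: one of CONTEXTS
    exec_unit_type: optional explicit request (exec_unit_type on the page)
    """
    if context not in CONTEXTS:
        raise ValueError(f"unknown execution context: {context}")
    # Assumption: anything outside the agent process uses the remote set.
    cap_key = "self" if context == "self" else "remote"
    usable = set(command_formats) & set(agent_caps.get(cap_key, ()))

    if exec_unit_type is not None:
        # An explicit request is honoured only if both sides support it.
        if exec_unit_type not in usable:
            raise Rejected(f"{exec_unit_type} not usable in context {context}")
        return exec_unit_type

    for fmt in PREFERENCE:
        if fmt in usable:
            return fmt
    raise Rejected(f"no common format for context {context}")


# Constructed sample: one command, one agent with differing capability sets.
SAMPLE_COMMAND = {"shellcode", "dotnet_dll"}
SAMPLE_AGENT = {
    "self": {"native_dll", "dotnet_dll", "dotnet_exe"},
    "remote": {"shellcode"},
}

if __name__ == "__main__":
    for ctx in CONTEXTS:
        print(ctx, "->", resolve_exec_unit(SAMPLE_COMMAND, SAMPLE_AGENT, ctx))
```

With the constructed sample, the same command resolves to a different format depending on the execution context, which is why a request that succeeds in one context can be rejected in another.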