Execution context
Native commands are executed within the agent's own process, while plugin commands offer flexibility in execution context and can run in different processes if configured accordingly. Plugin commands are implemented as shellcode and can be executed in one of three ways:

- Within the agent's own process (default): The command shellcode executes within the agent's own process. This method is typically the least detectable by antivirus (AV) tools.
- In a new process: The command shellcode executes within a newly created process. Users can opt to either suspend the main thread of this process upon creation or allow it to run uninterrupted. When selecting this execution context, users must specify the process to be created. Additionally, users have the option to provide a username and password, in which case the new process executes under those credentials.
- In an existing process: The command shellcode executes within an already existing process. Users selecting this execution context must specify the Process ID (PID) into which the shellcode will be injected. The agent process must, of course, have sufficient access rights to open that target process.
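From the defender's side, the three execution contexts above differ in what telemetry they leave. The following Python example is added here and is not part of the original documentation or the agent's code: it correlates constructed, Sysmon-style events (Event ID 1 ProcessCreate, 8 CreateRemoteThread and 10 ProcessAccess are real Sysmon event IDs; the field names, the agent PID, the account name and every event are assumptions) to attribute activity to the second and third contexts. The first context, in-process execution, crosses no process boundary and therefore produces none of these events, which is exactly why the text calls it the least detectable.

```python
# Added example (not from the original documentation): correlating constructed,
# Sysmon-style events to attribute the agent's activity to the documented
# execution contexts. Event IDs 1, 8 and 10 are real Sysmon IDs; field names,
# PIDs, images and the account name below are constructed for the example.

# Process access rights (Win32 constants) that together allow code injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

AGENT_PID = 4242            # constructed: PID of the process running the agent
AGENT_USER = "CORP\\alice"  # constructed: account the agent runs under

EVENTS = [  # constructed sample events, in the order they were logged
    # context 2: new process, same account, parent is the agent
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 4242,
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "CORP\\alice"},
    # context 2 with supplied credentials: child runs as a different account
    {"EventID": 1, "ProcessId": 5101, "ParentProcessId": 4242,
     "Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\svc-backup"},
    # context 3: handle with inject-capable rights, then a remote thread
    {"EventID": 10, "SourceProcessId": 4242, "TargetProcessId": 880,
     "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 4242, "TargetProcessId": 880,
     "TargetImage": "C:\\Windows\\explorer.exe"},
    # unrelated activity that must not be flagged
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 1234,
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"},
    # query-only handle (PROCESS_QUERY_LIMITED_INFORMATION): not injection-capable
    {"EventID": 10, "SourceProcessId": 4242, "TargetProcessId": 900,
     "TargetImage": "C:\\Windows\\System32\\conhost.exe", "GrantedAccess": "0x1000"},
]


def classify_contexts(events, agent_pid, agent_user):
    """Map the agent's cross-process activity onto the documented execution contexts.

    Returns a list of (context, target_pid, target_image) tuples. In-process
    execution (the default context) never appears here because it generates no
    cross-process event; it has to be caught by in-memory scanning instead.
    """
    findings = []
    opened = set()  # PIDs the agent opened with rights sufficient for injection
    for e in events:
        eid = e["EventID"]
        if eid == 1 and e.get("ParentProcessId") == agent_pid:
            # Child of the agent: "new process" context; a different account
            # means the optional username/password was supplied.
            ctx = "new-process" if e.get("User") == agent_user else "new-process-alt-creds"
            findings.append((ctx, e["ProcessId"], e["Image"]))
        elif eid == 10 and e.get("SourceProcessId") == agent_pid:
            # Remember handles that carry every right needed to write and start code.
            granted = int(e["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:
                opened.add(e["TargetProcessId"])
        elif eid == 8 and e.get("SourceProcessId") == agent_pid:
            # Remote thread from the agent: "existing process" context; note
            # whether a matching inject-capable handle was seen beforehand.
            pid = e["TargetProcessId"]
            ctx = "existing-process" if pid in opened else "existing-process-no-handle-seen"
            findings.append((ctx, pid, e["TargetImage"]))
    return findings


if __name__ == "__main__":
    for ctx, pid, image in classify_contexts(EVENTS, AGENT_PID, AGENT_USER):
        print(f"{ctx:<32} pid={pid:<6} {image}")
```

The access-mask check matters: a remote thread preceded by a handle opened with only query rights would be an unusual log sequence worth a second look, whereas the full PROCESS_ALL_ACCESS handle followed by a CreateRemoteThread event is the pattern a detection rule for the third context should key on.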