
Native commands

List of native commands (implemented in the core part of the agent).

bof

This command executes a BOF (Beacon Object File) and returns its output.

Parameters:

  • bofFile: BOF file to execute
  • method: Which method to execute (usually "go")
  • inputArgs: Command line arguments for the BOF
  • inputArgsEncoding: Encoding in which the command line arguments are provided to the BOF (UTF8 or UTF16LE)
  • inputAsBytes: If the input for the BOF is binary, it has to be provided through this parameter (if provided, the inputArgs and inputArgsEncoding parameters are ignored)
  • pack_format: Argument packing format(s) for the BOF
  • pack_args: Array of arguments to pack for the BOF

cd

This command changes the agent's working directory.

Parameters:

  • dir: Directory to change to, either relative (to the agent's current directory) or absolute

cmd

Executes the given command with cmd.exe.

Parameters:

  • command: Command that is executed by cmd.exe
  • stdin: Array of strings written to the stdin of the process, separated by "enter"s
  • outputEncoding: Encoding used to decode the output

connection-conf

This command changes the configuration of the listener shellcode running in the agent.

Currently not usable directly.

Parameters:

  • listenerPluginId: ID of the listener whose shellcode in the agent is being changed
  • listenerId: ID of the listener shellcode INSIDE the agent (for now it's always 1)
  • listenerConfiguration: Configuration of the changes to be made

Parameters: None

die

This command kills the agent that this command is sent to.

Parameters: None

jobs

Lists the commands running in the agent.

ls

This command returns directory content information down to the given recursion depth.

Parameters:

  • dir: Directory to list
  • depth: How deep the directory listing should go

ps

Lists the processes on the agent machine.

Parameters: None

powershell

Executes the given command with PowerShell.

Parameters:

  • command: Command that is executed by PowerShell
  • stdin: Array of strings written to the stdin of the process, separated by "enter"s
  • outputEncoding: Encoding used to decode the output

run

Executes the given program with the given command line arguments. If so configured, also returns the stdout and stderr streams of the process.

Parameters:

  • cmdline: Program to run and the command line arguments provided to it
  • output: Whether the stdout and stderr streams are returned
  • stdin: Array of strings written to the stdin of the process, separated by "enter"s
  • unicode: Whether stdin is written in UTF-16 encoding (default is false)
  • outputEncoding: Encoding used to decode the output

sleep

Changes the sleep time and its random variation for the agent's connection to an HTTP/HTTPS listener. This command is available only to agents that communicate over an HTTP/HTTPS listener.

Parameters:

  • sleep: Sleep time in seconds
  • sleepRandom: How many seconds the sleep time can vary, plus or minus

sleep-until

Specifies the time until which the agent should sleep.

Parameters:

  • sleepEnds: Time until which the agent should sleep, given as an ISO-formatted date string in Zulu time or as a UNIX timestamp, e.g. 2022-12-15T21:07:49.883Z or 1725494134

token-add

This command tries to steal a token from an existing process and store it.

Parameters:

  • pid: Process from which to take the token

token-del

This command deletes a single token.

Parameters:

  • nr: Number of the token to delete

token-del-all

This command deletes all the tokens.

Parameters: None

token-list

This command returns the list of tokens (each token's number and the username associated with it).

Parameters: None

token-make

This command tries to create a token using a username and password.

Parameters:

  • username: Username to use
  • password: Password to use

token-use

This command makes the agent use the selected token for all commands where possible.

Parameters:

  • nr: Number of the token to use (0 to reset back to the agent's original token)