Native Commands
Built-in commands that ship with every agent. These are simple, direct tools for common tasks with no external plugin dependencies.
Commercial additions
The commercial payload adds native commands for privilege management (privilege-enable, privilege-disable, privilege-list), a runtime DLL override system (override-*), and Linux/BSD shell access (sh, chmod). See commercial native commands →
Quick Reference
| Command | OS | Summary |
|---|---|---|
| bof | Windows | Execute a Beacon Object File |
| cd | Win / Linux / BSD | Change working directory |
| cmd | Windows | Execute a command via cmd.exe |
| die | Win / Linux / BSD | Stop the agent |
| jobs | Win / Linux / BSD | List running background tasks |
| ls | Win / Linux / BSD | List directory contents |
| powershell | Windows | Execute via PowerShell |
| ps | Win / Linux / BSD | List running processes |
| run | Win / Linux / BSD | Execute a program |
| run-as | Windows | Execute as a different user |
| shutdown | Win / Linux / BSD | Shutdown or reboot the target machine |
| sleep | Win / Linux / BSD | Adjust beacon sleep interval |
| sleep-until | Win / Linux / BSD | Pause callbacks until a specific time |
| token-del | Windows | Delete a stored token |
| token-del-all | Windows | Delete all stored tokens |
| token-from-handle | Windows | Import a token from an existing handle |
| token-list | Windows | List all stored tokens |
| token-make | Windows | Create a token from credentials |
| token-steal | Windows | Steal a token from a running process |
| token-use | Windows | Apply a stored token |
bof
Purpose: Executes a Beacon Object File (BOF) in the agent process and returns its output.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| @files.bofFile | file | Yes | - | The BOF .o file to execute. |
| method | string | No | go | Entry-point method name. |
| inputArgs | string | No | - | Simple string arguments passed to the BOF. |
| inputArgsEncoding | string | No | UTF8 | Encoding for inputArgs. Options: UTF8, UTF16LE. |
| inputAsBytes | bytes | No | - | Binary input - overrides inputArgs when provided. |
| pack_format | string | No | - | Format string for packing structured arguments (e.g. bsZi). |
| pack_args | string[] | No | - | Argument values matching each character in pack_format. |
| designated_thread | bool | No | false | Run on a shared persistent BOF thread instead of spawning a new one per execution. |
| keep_in_memory | bool | No | false | Keep the BOF loaded after execution so it is reused on subsequent calls without re-uploading. |
Example:
Tip
Set keep_in_memory: true when running the same BOF repeatedly to avoid re-uploading on each execution.
Additional notes about the designated_thread and keep_in_memory parameters:
* Why designated_thread exists: It's meant for cases where a BOF needs to be re-run on the same OS thread because certain OS features are thread-bound. A common example is Win32 window/message handling, where doing follow-up work on a different thread can break things.
* What happens if two BOFs both use designated_thread = true at the same time: They won't actually run concurrently. One BOF runs first, and the other starts only after the first one finishes and returns a result. The execution order is usually based on command ID (lower ID first), but it's not strictly guaranteed.
* What keep_in_memory = true changes: When a BOF is kept in memory and then re-run, its read/write data sections are not reset to their initial state. In other words, it retains state between runs. Whether a BOF is considered "the same one" for reuse is determined by its hash.
* Relationship between designated_thread and keep_in_memory: There isn't one. You can set them independently in any combination or order. They don't imply or control each other.
cd
Purpose: Changes the agent's current working directory.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| dir | string | Yes | - | Target directory. Supports absolute and relative paths. |
Example:
cmd
Purpose: Executes a command string using cmd.exe.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| command | string | Yes | - | The command to execute. |
| stdin | string[] | No | - | Lines sent to stdin, simulating Enter presses between each. |
| outputEncoding | string | No | Windows-1252 | Encoding used to decode the output. |
Example:
Tip
Prefer run over cmd for programs that do not require a shell interpreter - it avoids spawning an extra cmd.exe process.
die
Purpose: Terminates the agent process immediately.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| erase | bool | No | false | When true, the agent attempts to delete itself from the filesystem before exiting (if there is a file to delete). |
Example:
Warning
This command stops the agent immediately with no confirmation prompt. The connection will drop as soon as the command is received and the agent will not reconnect.
jobs
Purpose: Lists all currently running background tasks (commands executing asynchronously).
OS Support: Windows, Linux, BSD
Parameters: None
Example:
ls
Purpose: Lists the contents of a directory, optionally recursing into subdirectories.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| dir | string | No | Current directory | Directory to list. |
| depth | int | No | 1 | Number of subdirectory levels to recurse into. |
Example:
powershell
Purpose: Executes a command or script block using PowerShell.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| command | string | Yes | - | PowerShell command or script block to execute. |
| stdin | string[] | No | - | Lines sent to stdin, simulating Enter presses between each. |
| outputEncoding | string | No | Windows-1252 | Encoding used to decode the output. |
Example:
OPSEC
PowerShell execution is highly visible to EDR solutions and Windows event logging (Event ID 4103/4104). For more evasive execution, consider using run with a compiled binary, bof for inline execution, or the commercial load-pe command.
ps
Purpose: Returns a snapshot of all running processes on the target machine.
OS Support: Windows, Linux, BSD
Parameters: None
Example:
Tip
Run ps before token-steal or inject to identify target process IDs and the user context they run under.
run
Purpose: Executes a program directly (without a shell) and optionally returns its output.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| cmdline | string | Yes | - | Full command line including the program path and arguments. |
| output | bool | No | true | Whether to capture and return stdout and stderr. |
| stdin | string[] | No | - | Lines sent to stdin, simulating Enter presses between each. |
| unicode | bool | No | false | Treat stdin as UTF-16LE. Windows only. |
| outputEncoding | string | No | Windows-1252 | Encoding used to decode the output. Windows only. |
Example:
run-as
Purpose: Executes a program as a different user, supplying credentials directly.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| cmdline | string | Yes | - | Full command line to execute. |
| username | string | Yes | - | Username to impersonate (e.g. CORP\svc_backup). |
| password | string | Yes | - | Password for the specified user. |
| output | bool | No | true | Whether to capture and return output. |
| stdin | string[] | No | - | Lines sent to stdin. |
| unicode | bool | No | false | Treat stdin as UTF-16LE. |
| outputEncoding | string | No | Windows-1252 | Encoding used to decode the output. |
Example:
Credentials in command history
Credentials passed via run-as appear in the command history. For a credential-free approach, use token-steal to capture an existing process token or token-make to create one - then apply it with token-use before running commands.
shutdown
Purpose: Shuts down or reboots the target machine.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| reboot | bool | Yes | false | When false, the machine shuts down. When true, the machine reboots instead. |
Example:
Warning
This command will immediately shut down or reboot the target machine, which will terminate the agent along with all other running processes. The agent will only reconnect after reboot if persistence has been set up.
sleep
Purpose: Adjusts the agent's callback interval for HTTP/TCP listener-based communication.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| sleep | int | Yes | - | Base sleep duration in seconds. |
| sleepRandom | int | No | 0 | Random jitter added to the base sleep (seconds). Actual interval = sleep ± sleepRandom. |
Example:
Tip
Adding jitter with sleepRandom makes beacon intervals less regular and harder to fingerprint via network-based anomaly detection.
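The interval model above (actual interval = sleep ± sleepRandom) can be inverted by a defender: from observed callback times, the spread of inter-arrival deltas recovers the base sleep and jitter, and a small spread relative to the base is the beacon-like signature the tip refers to. This is an added detection-side example, not part of the original documentation; the uniform jitter distribution and the sample timestamps are constructed assumptions, and the page does not define behaviour when sleepRandom exceeds sleep (the lower bound is clamped to 0 here).

```python
import random


def expected_interval_bounds(sleep: int, sleep_random: int = 0) -> tuple[int, int]:
    """Return the (min, max) callback interval implied by sleep +/- sleepRandom (seconds).
    A negative lower bound is clamped to 0 (assumption; the page does not define that case)."""
    if sleep < 0 or sleep_random < 0:
        raise ValueError("sleep and sleepRandom must be non-negative")
    return max(sleep - sleep_random, 0), sleep + sleep_random


def simulate_callbacks(sleep: int, sleep_random: int, count: int, seed: int = 1) -> list[float]:
    """Constructed callback times (seconds) with intervals drawn uniformly from the bounds.
    Uniform jitter is an assumption for the sample data, not a statement about the agent."""
    rng = random.Random(seed)
    lo, hi = expected_interval_bounds(sleep, sleep_random)
    times, t = [], 0.0
    for _ in range(count):
        t += rng.uniform(lo, hi)
        times.append(t)
    return times


def estimate_sleep_profile(timestamps: list[float]) -> tuple[float, float]:
    """Invert the formula: from inter-arrival deltas, estimate the base sleep
    (midpoint of the spread) and the jitter (half the spread)."""
    deltas = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if not deltas:
        raise ValueError("need at least two callbacks")
    lo, hi = min(deltas), max(deltas)
    return (lo + hi) / 2, (hi - lo) / 2


def looks_like_beacon(timestamps: list[float], max_relative_jitter: float = 0.5,
                      min_callbacks: int = 10) -> bool:
    """Flag a series as beacon-like: enough callbacks whose interval spread is small
    relative to the base sleep. Bursty interactive traffic (clusters then long gaps)
    has a spread comparable to its midpoint and is not flagged."""
    if len(timestamps) < min_callbacks:
        return False
    est_sleep, est_jitter = estimate_sleep_profile(timestamps)
    return est_sleep > 0 and est_jitter / est_sleep <= max_relative_jitter


# Constructed samples: sleep 60 with sleepRandom 15, and a bursty interactive session.
SAMPLE_BEACON = simulate_callbacks(sleep=60, sleep_random=15, count=40)
SAMPLE_INTERACTIVE = [0, 1, 3, 4, 120, 121, 900, 901, 902, 3600, 3601]

if __name__ == "__main__":
    print(expected_interval_bounds(60, 15), estimate_sleep_profile(SAMPLE_BEACON))
    print(looks_like_beacon(SAMPLE_BEACON), looks_like_beacon(SAMPLE_INTERACTIVE))
```

As sleepRandom approaches sleep the relative spread approaches 1 and this simple threshold test stops firing, which quantifies the trade-off the tip describes; production detections combine this with volume and destination features rather than timing alone.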
sleep-until
Purpose: Suspends agent callbacks until a specific date and time.
OS Support: Windows, Linux, BSD
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| sleepEnds | string | Yes | - | ISO 8601 UTC timestamp (e.g. 2025-06-01T08:00:00Z) or a Unix timestamp in seconds. |
Example:
Tip
Use sleep-until to park an agent silently overnight or across a weekend without generating any callback traffic during off-hours.
token-del
Purpose: Removes a specific token from the agent's token store by its number.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| nr | int | Yes | - | Token number to delete, as shown by token-list. |
Example:
token-del-all
Purpose: Clears all tokens from the agent's token store.
OS Support: Windows
Parameters: None
Example:
token-from-handle
Purpose: Imports a token into the store from an existing Windows token handle, obtained externally (e.g. from a BOF).
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| handle | int | Yes | - | Numeric handle value of the token to import. Accepts decimal or hex (e.g. 0x1A4). |
Example:
Info
Handles are typically obtained from custom BOFs or external tooling that opens a token handle and returns its value. Use token-list after import to confirm the token was captured.
token-list
Purpose: Lists all tokens currently held in the agent's token store, showing their number, user, and type.
OS Support: Windows
Parameters: None
Example:
token-make
Purpose: Creates a new Windows token using a username and password and stores it for later use.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| username | string | Yes | - | Username for the new token (e.g. CORP\jsmith). |
| password | string | Yes | - | Password for the user. |
| netonly | bool | No | false | Create a network-only token - credentials are used for network auth only; local identity remains unchanged. Equivalent to runas /netonly. |
Example:
Tip
Use netonly: true when you only need the token for network access (SMB, LDAP, WMI) while keeping the current local process identity intact.
token-steal
Purpose: Duplicates a token from an existing process and stores it in the token store.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| pid | int | Yes | - | Process ID to steal the token from. |
Example:
Privileges required
Stealing tokens from processes owned by other users typically requires SeDebugPrivilege or an equivalent high-integrity context. Run ps first to identify a process running under the target identity.
Tip
Full impersonation workflow: ps → token-steal → token-list → token-use → run commands → token-use --nr 0 to revert.
token-use
Purpose: Applies a stored token to all subsequent commands, or resets to the agent's default token.
OS Support: Windows
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| nr | int | Yes | - | Token number to apply. Pass 0 to reset to the agent's original token. |
Example: