
Native Command TLV Structures

Command Index

Code   Name                 Platform
0x01   DIE                  All
0x02   SET_LISTENER_CONF    All
0x03   CD                   All
0x04   LS                   All
0x05   PROCLIST             All
0x06   COMMAND_LIST         All
0x07   RUN                  All
0x08   CHMOD                Linux / BSD
0x09   SHUTDOWN             All
0x41   BOF                  Windows
0x42   TOKEN_STEAL          Windows
0x43   TOKEN_USE            Windows
0x44   TOKEN_DELETE         Windows
0x45   TOKEN_DELETE_ALL     Windows
0x46   TOKEN_LIST           Windows
0x47   TOKEN_MAKE           Windows
0x48   TOKEN_FROM_HANDLE    Windows
0x49   PRIVILEGE_LIST       Windows-commercial
0x4A   PRIVILEGE_ENABLE     Windows-commercial
0x4B   PRIVILEGE_DISABLE    Windows-commercial
0x51   OVERRIDE_ADD         Windows-commercial
0x52   OVERRIDE_LIST        Windows-commercial
0x53   OVERRIDE_REMOVE      Windows-commercial
0x54   OVERRIDE_SET         Windows-commercial
0x55   OVERRIDE_UNSET       Windows-commercial

0x01 — DIE

Terminates the agent process, optionally erasing the agent binary from the filesystem.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: no VALUE: If non-zero, erase agent binary from filesystem before dying

Output

None (process exits).


0x02 — SET_LISTENER_CONF

Reconfigures the agent's listener (C2 communication settings) at runtime.

Input (CONF)

  • ID: 0x2 TYPE: BLOB required: YES VALUE: Raw listener configuration blob

Output

Success or error only (no result data).


0x03 — CD

Changes the agent's current working directory.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Target directory path (Unicode on Windows, ASCII on Linux/BSD)

Output

Success or error only (no result data).


0x04 — LS

Lists files and directories. Supports wildcards and recursive depth.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Directory path or glob pattern (Unicode on Windows, ASCII on Linux/BSD)
  • ID: 0x2 TYPE: INT32 required: no VALUE: Recursion depth (default: 1)

Output (result data bytes)

  • ID: 0x83 TYPE: PARENT VALUE: result root
    • ID: 0x81 TYPE: PARENT VALUE: directory entry (one per directory found)
      • ID: 0x1 TYPE: STR_UTF8 VALUE: directory name
      • ID: 0x83 TYPE: PARENT VALUE: nested directory/file entries (same structure, populated when DEPTH > 1)
      • ID: 0x4 TYPE: INT64 VALUE: creation time (Unix timestamp)
      • ID: 0x5 TYPE: INT64 VALUE: last access time (Unix timestamp)
      • ID: 0x6 TYPE: INT64 VALUE: last write/modify time (Unix timestamp)
      • ID: 0x7 TYPE: INT32 VALUE: Unix mode bits [Linux/BSD only]
      • ID: 0x8 TYPE: STR_UTF8 VALUE: owner username [Linux/BSD only]
      • ID: 0x9 TYPE: STR_UTF8 VALUE: group name [Linux/BSD only]
    • ID: 0x82 TYPE: PARENT VALUE: file entry (one per file found)
      • ID: 0x1 TYPE: STR_UTF8 VALUE: filename
      • ID: 0x2 TYPE: INT64 VALUE: file size in bytes
      • ID: 0x4 TYPE: INT64 VALUE: creation time (Unix timestamp)
      • ID: 0x5 TYPE: INT64 VALUE: last access time (Unix timestamp)
      • ID: 0x6 TYPE: INT64 VALUE: last write/modify time (Unix timestamp)
      • ID: 0x7 TYPE: INT32 VALUE: Unix mode bits [Linux/BSD only]
      • ID: 0x8 TYPE: STR_UTF8 VALUE: owner username [Linux/BSD only]
      • ID: 0x9 TYPE: STR_UTF8 VALUE: group name [Linux/BSD only]
    • ID: 0x10 TYPE: STR_UTF8 VALUE: resolved absolute base directory path
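The following decoder is an added example for analysts reconstructing an LS result tree from captured result data; it is not the agent's or the framework's own code. The page names the element types (INT32, INT64, STR_UTF8, BLOB, BYTE, PARENT) and the element IDs, but not the on-wire framing, so the framing used here (1-byte ID, 1-byte TYPE, 4-byte big-endian length, then the payload) and the numeric type codes are assumptions; the generic decode() applies to any of the PARENT-structured results on this page once the real framing is substituted. The sample buffer is constructed in the block and exercises the nested 0x83 sub-listing that appears when DEPTH > 1.

```python
import struct

# ASSUMED for this example: type codes and element framing (ID, TYPE, 4-byte
# big-endian length, payload). The element IDs are the ones documented for LS.
T_INT32, T_INT64, T_STR_UTF8, T_BLOB, T_BYTE, T_PARENT = 1, 2, 3, 4, 5, 6
LS_ROOT, LS_DIR, LS_FILE, LS_BASE = 0x83, 0x81, 0x82, 0x10
F_NAME, F_SIZE = 0x1, 0x2
F_CTIME, F_ATIME, F_MTIME, F_MODE, F_OWNER, F_GROUP = 0x4, 0x5, 0x6, 0x7, 0x8, 0x9
ATTR_NAMES = {F_CTIME: "ctime", F_ATIME: "atime", F_MTIME: "mtime",
              F_MODE: "mode", F_OWNER: "owner", F_GROUP: "group"}


def tlv(elem_id, elem_type, payload):
    """Frame one element using the assumed layout described above."""
    return struct.pack(">BBI", elem_id, elem_type, len(payload)) + payload


def t_int32(i, v): return tlv(i, T_INT32, struct.pack(">i", v))
def t_int64(i, v): return tlv(i, T_INT64, struct.pack(">q", v))
def t_str(i, s): return tlv(i, T_STR_UTF8, s.encode("utf-8"))
def t_parent(i, *children): return tlv(i, T_PARENT, b"".join(children))


def decode(buf):
    """Decode a buffer into (id, type, value) triples; PARENT payloads are
    decoded recursively. Truncated or oversized elements raise ValueError
    instead of being silently skipped."""
    out, off = [], 0
    while off < len(buf):
        if off + 6 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % off)
        elem_id, elem_type, length = struct.unpack_from(">BBI", buf, off)
        off += 6
        if off + length > len(buf):
            raise ValueError("element length %d overruns buffer at offset %d" % (length, off))
        raw = buf[off:off + length]
        off += length
        if elem_type == T_INT32:
            value = struct.unpack(">i", raw)[0]
        elif elem_type == T_INT64:
            value = struct.unpack(">q", raw)[0]
        elif elem_type == T_STR_UTF8:
            value = raw.decode("utf-8")
        elif elem_type == T_PARENT:
            value = decode(raw)
        else:                       # BLOB / BYTE: keep the raw bytes
            value = raw
        out.append((elem_id, elem_type, value))
    return out


def parse_entry(children, kind):
    """Turn a 0x81 (dir) or 0x82 (file) PARENT into a dict. A nested 0x83
    inside a directory entry is the sub-listing emitted when DEPTH > 1."""
    entry = {"kind": kind}
    for elem_id, _, value in children:
        if elem_id == F_NAME:
            entry["name"] = value
        elif elem_id == F_SIZE and kind == "file":
            entry["size"] = value
        elif elem_id == LS_ROOT and kind == "dir":
            entry["children"] = parse_listing(value)
        elif elem_id in ATTR_NAMES:
            entry[ATTR_NAMES[elem_id]] = value
    return entry


def parse_listing(children):
    entries = []
    for elem_id, _, value in children:
        if elem_id == LS_DIR:
            entries.append(parse_entry(value, "dir"))
        elif elem_id == LS_FILE:
            entries.append(parse_entry(value, "file"))
    return entries


def parse_ls_result(buf):
    """Decode an LS result blob: one 0x83 root holding the entries and the
    0x10 resolved base path."""
    top = decode(buf)
    if len(top) != 1 or top[0][0] != LS_ROOT or top[0][1] != T_PARENT:
        raise ValueError("expected exactly one 0x83 PARENT result root")
    root = top[0][2]
    base = next((v for i, _, v in root if i == LS_BASE), None)
    return {"base": base, "entries": parse_listing(root)}


# Constructed sample: a depth-2 listing with one directory (holding one
# nested file) and one top-level file.
SAMPLE = t_parent(
    LS_ROOT,
    t_parent(LS_DIR, t_str(F_NAME, "logs"), t_int64(F_MTIME, 1700000000),
             t_int32(F_MODE, 0o755),
             t_parent(LS_ROOT, t_parent(LS_FILE, t_str(F_NAME, "agent.log"),
                                        t_int64(F_SIZE, 4096)))),
    t_parent(LS_FILE, t_str(F_NAME, "notes.txt"), t_int64(F_SIZE, 120),
             t_str(F_OWNER, "alice")),
    t_str(LS_BASE, "/tmp/demo"),
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_ls_result(SAMPLE), indent=2))
```

Because the same ID (0x83) means "result root" at the top level and "sub-listing" inside a directory entry, the parser keys on context (which parent it sits in) rather than on the ID alone; the length checks in decode() matter because a bad length in a captured blob would otherwise be read as part of the next element.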

0x05 — PROCLIST

Returns a snapshot of all running processes.

Input (CONF)

None.

Output (result data bytes)

  • ID: 0x81 TYPE: PARENT VALUE: result root
    • ID: 0x81 TYPE: PARENT VALUE: process entry (one per process)
      • ID: 0x1 TYPE: INT32 VALUE: process ID
      • ID: 0x2 TYPE: STR_UTF8 VALUE: process image name
      • ID: 0x3 TYPE: STR_UTF8 VALUE: owning user (empty if unavailable)
      • ID: 0x4 TYPE: STR_UTF8 VALUE: architecture: "64bit" | "32bit" | "???"
      • ID: 0x5 TYPE: STR_UTF8 VALUE: integrity level: "Low" | "Medium" | "High" | "System" | "" [Windows only]
      • ID: 0x6 TYPE: INT32 VALUE: parent process ID
      • ID: 0x7 TYPE: INT32 VALUE: process creation time
      • ID: 0x8 TYPE: INT32 VALUE: session ID [Windows only]

0x06 — COMMAND_LIST

Lists all command instances currently running in the agent.

Input (CONF)

None.

Output (result data bytes)

  • ID: 0x81 TYPE: PARENT VALUE: result root
    • ID: 0x81 TYPE: PARENT VALUE: job entry (one per running command)
      • ID: 0x1 TYPE: INT32 VALUE: command instance ID
      • ID: 0x2 TYPE: INT32 VALUE: ID of the process in which the command instance is executing

0x07 — RUN

Spawns a process and optionally captures its output.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Command line to execute (Unicode on Windows, ASCII on Linux/BSD)
  • ID: 0x2 TYPE: BYTE required: no VALUE: Capture stdout/stderr (default: 1 = yes)
  • ID: 0x3 TYPE: BLOB required: no VALUE: Data to write to the process's stdin
  • ID: 0x4 TYPE: STR_UTF8 required: no VALUE: Run as this user (Unicode) [Windows only]
  • ID: 0x5 TYPE: STR_UTF8 required: no VALUE: Password for the specified user (Unicode) [Windows only]

Output (result data chunks)

Raw stdout/stderr bytes.


0x08 — CHMOD

Changes file/directory permissions. Supports glob patterns.

Platform: Linux / BSD only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: File/directory path or glob pattern (ASCII)
  • ID: 0x2 TYPE: INT32 required: no VALUE: Set permissions to this exact octal value (e.g., 0755)
  • ID: 0x3 TYPE: INT32 required: no VALUE: OR-add these permission bits
  • ID: 0x4 TYPE: INT32 required: no VALUE: AND-NOT-remove these permission bits

At least one of ACCESS_FULL (0x2), ACCESS_ADD (0x3), or ACCESS_REMOVE (0x4) should be provided.

Output (result data bytes)

  • ID: 0x81 TYPE: PARENT VALUE: result root
    • ID: 0x1 TYPE: STR_UTF8 VALUE: path that was changed successfully (0..n entries)
    • ID: 0x2 TYPE: STR_UTF8 VALUE: path that could not be changed (0..n entries)

0x09 — SHUTDOWN

Initiates a system shutdown or reboot.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: no VALUE: 0 = power off (default), 1 = reboot

Output

Success or error only (no result data).


0x41 — BOF

Loads and executes a Beacon Object File (BOF) in-process.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: BLOB required: YES VALUE: Raw COFF/BOF binary
  • ID: 0x2 TYPE: BLOB required: no VALUE: Packed argument buffer passed to the BOF entry point
  • ID: 0x3 TYPE: STR_UTF8 required: no VALUE: Export name to call (ASCII, default: "go")
  • ID: 0x4 TYPE: BYTE required: no VALUE: Run on a designated thread (1) rather than a new thread (0)
  • ID: 0x5 TYPE: BYTE required: no VALUE: Free BOF memory after execution (1 = yes, default: 0)

Output (result data chunks)

Raw BeaconPrintf/BeaconOutput callback data, streamed as TLV__COMMAND__NEW_RESULT_DATA (0x30) messages.

Special in-band markers for file operations emitted by BOF callbacks:

  • "<!<!<FILE-FOR-BOF>!>!>S" — file read start
  • "<!<!<FILE-FOR-BOF>!>!>W" — file write
  • "<!<!<FILE-FOR-BOF>!>!>C" — file close

BOF error callbacks use callback type 0x0D.
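The following demultiplexer is an added example, not code from the agent or the framework: it splits a BOF result stream into console output and the in-band file-operation markers listed above, which is what an analyst replaying captured NEW_RESULT_DATA chunks needs before the output can be read. The page does not document what follows a marker, so the only interpretation applied here is an assumption: bytes after an S or W marker are tagged with that operation until a C marker is seen, after which bytes are tagged as plain output again. Because a marker can straddle two chunks, the class buffers any trailing bytes that could be the start of a marker until the next chunk or flush().

```python
MARKER = b"<!<!<FILE-FOR-BOF>!>!>"          # prefix shared by all three markers
OPS = {b"S": "file_read_start", b"W": "file_write", b"C": "file_close"}


class BofOutputDemux:
    """Split a BOF (0x41) result stream into events:
       ("marker", <name>, <op byte>) for each in-band marker, and
       ("output", <mode>, <bytes>) for data, where <mode> is None for
       plain console output or the op byte ("S"/"W") in effect (ASSUMED
       interpretation: C resets the mode to None)."""

    def __init__(self):
        self._buf = b""
        self._mode = None

    def feed(self, chunk):
        """Consume one NEW_RESULT_DATA chunk and return the events it completes."""
        self._buf += chunk
        events = []
        while True:
            idx = self._buf.find(MARKER)
            if idx == -1:
                # No full marker: emit everything except a tail that could be
                # the beginning of one (it may be completed by the next chunk).
                keep = self._partial_marker_len()
                cut = len(self._buf) - keep
                if cut > 0:
                    events.append(("output", self._mode, self._buf[:cut]))
                self._buf = self._buf[cut:]
                return events
            if idx > 0:
                events.append(("output", self._mode, self._buf[:idx]))
            end = idx + len(MARKER)
            if end >= len(self._buf):            # op byte not received yet
                self._buf = self._buf[idx:]
                return events
            op = self._buf[end:end + 1]
            self._buf = self._buf[end + 1:]
            events.append(("marker", OPS.get(op, "unknown"), op))
            if op == b"C":
                self._mode = None
            elif op in OPS:
                self._mode = op.decode()

    def _partial_marker_len(self):
        """Length of the longest buffer suffix that is a proper prefix of MARKER."""
        for n in range(min(len(self._buf), len(MARKER) - 1), 0, -1):
            if self._buf.endswith(MARKER[:n]):
                return n
        return 0

    def flush(self):
        """Release any held-back bytes at end of stream."""
        rest, self._buf = self._buf, b""
        return [("output", self._mode, rest)] if rest else []


if __name__ == "__main__":
    # Constructed chunks: the first marker is split across two chunks.
    d = BofOutputDemux()
    for c in (b"hello <!<!<FILE-FOR", b"-BOF>!>!>Wpayload", b"<!<!<FILE-FOR-BOF>!>!>Cdone"):
        for ev in d.feed(c):
            print(ev)
    print(d.flush())
```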


0x42 — TOKEN_STEAL

Duplicates an impersonation token from a target process.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: YES VALUE: Process ID to steal the token from

Output (result data bytes)

Raw UTF-8 string: "<token_nr>: DOMAIN\username\n"


0x43 — TOKEN_USE

Activates a previously stolen or created token for subsequent operations.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: YES VALUE: Token number (from TOKEN_STEAL / TOKEN_MAKE / TOKEN_FROM_HANDLE)

Output

Success or error only (no result data).


0x44 — TOKEN_DELETE

Removes a specific token from the token store.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: YES VALUE: Token number to delete

Output

Success or error only (no result data).


0x45 — TOKEN_DELETE_ALL

Removes all stored tokens.

Platform: Windows only.

Input (CONF)

None.

Output

Success or error only (no result data).


0x46 — TOKEN_LIST

Lists all stored tokens with their associated usernames.

Platform: Windows only.

Input (CONF)

None.

Output (result data bytes)

Raw UTF-8 string, one token per line: "<nr>: DOMAIN\username\n"


0x47 — TOKEN_MAKE

Creates a new logon token from credentials (calls LogonUserW).

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Username (Unicode)
  • ID: 0x2 TYPE: STR_UTF8 required: YES VALUE: Password (Unicode)
  • ID: 0x3 TYPE: BYTE required: no VALUE: 0 = interactive logon (default), 1 = network-only logon (LOGON32_LOGON_NETWORK)

Output (result data bytes)

Raw UTF-8 string: "<token_nr>: DOMAIN\username\n"


0x48 — TOKEN_FROM_HANDLE

Stores an existing token handle (e.g., delivered via TLV__COMMAND__NEW_TOKEN_HANDLE) into the token store.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: YES VALUE: Token handle value (cast to HANDLE / void*)

Output (result data bytes)

Raw UTF-8 string: "<token_nr>: DOMAIN\username\n" or error string.


0x49 — PRIVILEGE_LIST

Returns the set of available and currently-enabled privileges for the agent process.

Platform: Windows only.

Input (CONF)

None.

Output (result data bytes)

  • ID: 0x81 TYPE: PARENT VALUE: result root
    • ID: 0x1 TYPE: STR_UTF8 VALUE: privilege name (0..n, one per available privilege)
    • ID: 0x2 TYPE: STR_UTF8 VALUE: privilege name (0..n, one per currently enabled privilege)

0x4A — PRIVILEGE_ENABLE

Enables one or all privileges on the agent process token.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Privilege name (Unicode), e.g., "SeDebugPrivilege". Use "*" to enable all available privileges.

Output (result data bytes)

Same structure as PRIVILEGE_LIST — reflects the updated privilege state.


0x4B — PRIVILEGE_DISABLE

Disables one or all privileges on the agent process token.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Privilege name (Unicode). Use "*" to disable all privileges.

Output (result data bytes)

Same structure as PRIVILEGE_LIST — reflects the updated privilege state.


0x51 — OVERRIDE_ADD

Loads a DLL into the agent process for use as a function override.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Logical name/identifier for the DLL (ASCII)
  • ID: 0x2 TYPE: BLOB required: YES VALUE: Raw DLL binary

Output (result data bytes)

Raw UTF-8 text: DLL load confirmation with assigned ID and exported function list.


0x52 — OVERRIDE_LIST

Lists all currently loaded override DLLs and their exported functions with addresses.

Platform: Windows only.

Input (CONF)

None.

Output (result data bytes)

Raw UTF-8 text:

  • #<id> <name> 0x<base_address>
    • <export_name> 0x<export_address>
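The parser below is an added example (not the framework's own code) that turns the OVERRIDE_LIST text into structured records so that successive listings can be compared, e.g. to spot a newly loaded override DLL between two snapshots. The line layout follows the format shown above; the assumption that export lines are simply the non-"#" lines following their DLL header, and the sample text itself, are constructed for this example.

```python
import re

# "#<id> <name> 0x<base_address>" followed by "<export_name> 0x<export_address>" lines.
HEADER_RE = re.compile(r"^#(\d+)\s+(\S+)\s+0x([0-9A-Fa-f]+)\s*$")
EXPORT_RE = re.compile(r"^(\S+)\s+0x([0-9A-Fa-f]+)\s*$")


def parse_override_list(text):
    """Return a list of {"id", "name", "base", "exports": {name: address}} dicts.
    Any line that is neither a DLL header nor an export line is an error, so a
    corrupted capture fails loudly rather than producing a partial listing."""
    dlls = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            dlls.append({"id": int(m.group(1)), "name": m.group(2),
                         "base": int(m.group(3), 16), "exports": {}})
            continue
        m = EXPORT_RE.match(line)
        if m and dlls:                       # export lines belong to the last header seen
            dlls[-1]["exports"][m.group(1)] = int(m.group(2), 16)
            continue
        raise ValueError("line %d: unrecognised OVERRIDE_LIST line: %r" % (lineno, raw))
    return dlls


def check_exports(dlls):
    """Plausibility check: an export address should not lie below its DLL's
    base address. Returns (dll_id, export_name, address) for any that do."""
    return [(d["id"], name, addr) for d in dlls
            for name, addr in d["exports"].items() if addr < d["base"]]


def diff_listings(before, after):
    """Compare two parsed listings by DLL ID; returns the IDs added and removed."""
    b, a = {d["id"] for d in before}, {d["id"] for d in after}
    return {"added": sorted(a - b), "removed": sorted(b - a)}


# Constructed sample output.
SAMPLE = """\
#1 hooks 0x7ffb12340000
  MyOverride 0x7ffb12341230
  Another 0x7ffb12341300
#2 other 0x7ffb00010000
  Fn 0x7ffb00011000
"""

if __name__ == "__main__":
    for d in parse_override_list(SAMPLE):
        print("#%d %s base=0x%x exports=%d" % (d["id"], d["name"], d["base"], len(d["exports"])))
    print(diff_listings(parse_override_list(SAMPLE)[:1], parse_override_list(SAMPLE)))
```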

0x53 — OVERRIDE_REMOVE

Unloads and removes one or all override DLLs.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: INT32 required: YES VALUE: DLL ID to remove. Use 0xFFFFFF to remove all.

Output

Success or error only (no result data).


0x54 — OVERRIDE_SET

Binds a loaded override DLL export to a specific override hook point.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Override hook point name (ASCII)
  • ID: 0x2 TYPE: INT32 required: YES VALUE: ID of the loaded override DLL
  • ID: 0x3 TYPE: STR_UTF8 required: YES VALUE: Exported function name to bind (ASCII)

Output

Success or error only (no result data).


0x55 — OVERRIDE_UNSET

Removes a binding from an override hook point, restoring default behavior.

Platform: Windows only.

Input (CONF)

  • ID: 0x1 TYPE: STR_UTF8 required: YES VALUE: Override hook point name to unbind (ASCII)

Output

Success or error only (no result data).