
Execution Context aka execConf

As explained here, there are three different execution configurations for plugin commands.

General configuration

When executing plugin commands, the user must supply two key values in JSON format: template and configuration. The template specifies the type of command being executed, while configuration details the command's settings. If the execution context requires configuration, an additional execConf value must be included. This value contains a sub-value, execType, which determines the execution context type. There are three possible values for execType:

  • SELF, indicating the command will execute in the current context;
  • NEW, signifying the creation of a new process for shellcode to be executed;
  • and EXISTING, which executes the command within some existing process.

Same process as agent (Default)

No additional configuration is needed; any extra configuration is discarded.

Parameters:

  • execType: SELF

Example with powershell command

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "SELF"
  }
}

Spawn into a new process

The user has to set the executable that is used. You can also turn off process disabling or add a username and password so that the new process is created as another user.

Parameters:

  • execType: NEW
  • executable: The executable that is used, defaults to svchost.exe
  • suspended: Whether the process's main thread is suspended, defaults to true
  • username: Username that is used for new process creation, defaults to null
  • password: Password that is used for new process creation, defaults to null
  • ppid: Spoofed parent process PID, defaults to 0, which behaves as false

Example with powershell command

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "NEW",
    "executable": "C:\\Windows\\System32\\notepad.exe",
    "suspended": true
  }
}

Example with powershell command (as user bob)

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "NEW",
    "executable": "C:\\Windows\\System32\\notepad.exe",
    "suspended": false,
    "username": "bob",
    "password": "bob123"
  }
}
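
A detection-side view of the NEW defaults above, as an added example that is not part of the original page or the project's code: it checks process-creation events for svchost.exe launches that do not look like real service hosts. The events are constructed, their field names follow Sysmon Event ID 1, the function names are illustrative, and it is an assumption that a process spawned this way carries no -k service-group argument.

```python
import ntpath

# Constructed process-creation events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",        # normal service host
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",        # started by another program
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\agent.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",        # parent looks right (e.g. spoofed ppid)
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # not svchost.exe: out of scope here
     "CommandLine": r"notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def svchost_anomalies(event):
    """Return the reasons a svchost.exe launch does not look like a service host."""
    if _name(event.get("Image")) != "svchost.exe":
        return []
    reasons = []
    # Real service hosts are started by the Service Control Manager.
    if _name(event.get("ParentImage")) != "services.exe":
        reasons.append("parent is not services.exe")
    # Real service hosts are started with a "-k <group>" argument.
    if "-k" not in (event.get("CommandLine") or "").lower().split():
        reasons.append("no -k service group on command line")
    return reasons


def triage(events):
    """Return (index, reasons) for every event with at least one anomaly."""
    return [(i, r) for i, e in enumerate(events) if (r := svchost_anomalies(e))]


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The third event shows why the command-line check matters: a spoofed ppid can make the recorded parent read services.exe, so the parent check alone would pass it.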

Inject into an existing process

The user has to set the process ID (PID) that is used. You can also turn off process disabling or add a username and password so that the new process is created as another user.

Parameters:

  • execType: EXISTING
  • pid: Process ID of the process into which the command shellcode is injected

Example with powershell command

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "EXISTING",
    "pid": 1234
  }
}