Execution Context (execConf)

This document explains the execution context for plugin commands. Every command requires a JSON object with at least a template and a configuration. Some commands also need an extra execConf object to specify how they are executed. There are three execution modes:

1. Same Process (Default)

Commands run in the agent's current process. Extra execution settings are ignored.

Parameter:

execType: "SELF"

Example:

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "SELF"
  }
}

2. Spawn a New Process

Execute the command in a new process. You must specify the executable; additional options let you control process suspension or run as a different user.

Parameters:

execType: "NEW"
executable: Executable to run (default: "svchost.exe")
suspended: Whether the new process starts with its main thread suspended (default: true)
username: (Optional) Username for the new process
password: (Optional) Password for the new process
ppid: (Optional) Spoofed parent process ID (default: 0)

Example (default spawn):

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "NEW",
    "executable": "C:\\Windows\\System32\\notepad.exe",
    "suspended": true
  }
}

Example (spawn as a different user):

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "NEW",
    "executable": "C:\\Windows\\System32\\notepad.exe",
    "suspended": false,
    "username": "bob",
    "password": "bob123"
  }
}

3. Inject into an Existing Process

Run the command by injecting shellcode into an already running process. You only need to provide the process ID.

Parameters:

execType: "EXISTING"
pid: Process ID where the command will run

Example:

{
  "template": "powershell",
  "configuration": {
    "command": "whoami"
  },
  "execConf": {
    "execType": "EXISTING",
    "pid": 1234
  }
}