Execution Context (execConf)
This document explains the execution context for plugin commands. Every command requires a JSON object with at least a template and a configuration. Some commands also need an extra execConf object to specify how they are executed. The same object can optionally request a specific ExecUnit format with execUnitType. There are three execution modes:
1. Same Process (Default)
Commands run in the agent's current process. Extra execution settings are ignored.
Parameter:
- execType: "SELF"
- execUnitType: (Optional) Requested ExecUnit format
Example:
2. Spawn a New Process
Execute the command in a new process. You must specify the executable; additional options let you control process suspension or run as a different user.
Parameters:
- execType: "NEW"
- executable: Executable to run (default: "svchost.exe")
- suspended: Whether the new process starts with its main thread suspended (default: true)
- username: (Optional) Username for the new process
- password: (Optional) Password for the new process
- ppid: (Optional) Spoofed parent process ID (default: 0)
- execUnitType: (Optional) Requested ExecUnit format
Example (default spawn):
Example (spawn as a different user):
3. Inject into an Existing Process
Run the command by injecting the ExecUnit into an already running process. You only need to provide the process ID.
Parameters:
- execType: "EXISTING"
- pid: Process ID where the command will run
- execUnitType: (Optional) Requested ExecUnit format
Example:
ExecUnit Format Selection
Accepted execUnitType values are SHELLCODE_NATIVE, DOTNET_EXE, DOTNET_DLL, and NATIVE_LIB. If omitted, the C2 selects the first compatible format from the command's supported formats and the agent's advertised preferences.