Execution Context aka execConf
As explained here there are three different execution configurations for plugin commands.
General configuration
When executing plugin commands, the user must supply two key values in JSON format: template and configuration. The template specifies the type of command being executed, while configuration details the command's settings. If the execution context requires configuration, an additional execConf value must be included. This value contains a sub-value, execType, which determines the execution context type. There are three possible values for execType:
SELF, indicating the command will execute in the current context;NEW, signifying the creation of a new process for shellcode to be executed;- and
EXISTING, which executes the command within some existing process.
Same process as agent (Default)
No additional configuration needed, extra configuration will just be discarded.
Parameters:
- execType:
SELF
Example with powershell command
Spawn into a new process
User has to set executable that is used. You can also turn of process disabling or add username & password so new process is created as other user
Parameters:
- execType:
NEW - executable: What executable is used, defaults to
svchost.exe - suspended: Is process main thread suspended, defaults to
true - username: Username that is used for new process creation, defaults to
null - password: Password that is used for new process creation, defaults to
null - ppid: Spoofed parent process PID, defaults to
0, behaves asfalse
Example with powershell command
Example with powershell command (as user bob)
Inject into an existing process
User has to set process ID (PID) that is used. You can also turn of process disabling or add username & password so new process is created as other user
Parameters:
- execType:
EXISTING - pid: Process ID of the process that the command shellcode is injected