Skip to content

Native Commands

This section lists the native commands available, their parameters, and usage examples.

bof

Execute a BOF (Beacon Object File) and return its output.

Parameters:

  • bofFile: The BOF file to run.
  • method: Execution method (usually "go").
  • inputArgs: Command-line arguments for the BOF in case on simple string input only.
  • inputArgsEncoding: Encoding for the arguments (UTF8 or UTF16LE).
  • inputAsBytes: Use binary input (overrides inputArgs if provided).
  • pack_format: Format to pack the arguments.
  • pack_args: List of arguments to be packed.
  • designated_thread: By default, each BOF runs in its own thread. If this option is set to true, the BOF will instead run on a shared thread with all other BOFs that also have this option set to true.
  • keep_in_memory: By default, a loaded BOF is removed from memory once execution finishes. If this option is set to true, the BOF stays in memory and will be reused on subsequent executions instead of being reloaded.

Additional notes about about designated_thread & keep_in_memory parameters: * Why designated_thread exists: It’s meant for cases where a BOF needs to be re-run on the same OS thread because certain OS features are thread-bound. A common example is Win32 window/message handling, where doing follow-up work on a different thread can break things.
What happens if two BOFs both use designated_thread = true at the same time: They won’t actually run concurrently. One BOF runs first, and the other starts only after the first one finishes and returns a result. The execution order is usually based on command ID (lower ID first), but it’s not strictly guaranteed.
 What keep_in_memory = true changes: When a BOF is kept in memory and then re-run, its read/write data sections are not reset to their initial state. In other words, it retains state between runs. Whether a BOF is considered “the same one” for reuse is determined by its hash.
Relationship between designated_thread and keep_in_memory:* There isn’t one. You can set them independently in any combination or order. They don’t imply or control each other.

Example: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
--boundary
Content-Disposition: form-data; name="requestBody"
Content-Type: application/json; charset=UTF-8
{
  "template": "bof",
  "configuration": {
    "method": "go"
  }
}

--boundary
Content-Disposition: form-data; name="bofFile"; filename="bof.o"

__BOF_FILE__

cd

Change the agent's working directory.

Parameter:

  • dir: Directory to change to (relative or absolute).

Example: 

1
2
3
4
5
6
{
  "template": "cd",
  "configuration": {
    "dir": "..\\"
  }
}

cmd

Run a command using cmd.exe.

Parameters:

  • command: Command text to execute.
  • stdin: List of input strings (simulate pressing Enter between commands).
  • outputEncoding: Encoding used for reading output.

Example: 

1
2
3
4
5
6
{
  "template": "cmd",
  "configuration": {
    "command": "dir"
  }
}

die

Terminate the agent.

Example: 

1
2
3
4
{
  "template": "die",
  "configuration": {}
}

jobs

List currently running commands on the agent.

Example: 

1
2
3
4
{
  "template": "jobs",
  "configuration": {}
}

ls

List directory contents with a specified recursion depth.

Parameters:

  • dir: Directory to list.
  • depth: Number of subdirectory levels to include.

Example: 

1
2
3
4
5
6
7
{
  "template": "ls",
  "configuration": {
    "dir": "c:\\",
    "depth": 2
  }
}

ps

List processes running on the system.

Example: 

1
2
3
4
{
  "template": "ps",
  "configuration": {}
}

powershell

Execute a command using PowerShell.

Parameters:

  • command: PowerShell command to execute.
  • stdin: List of input lines for the command(simulated enter presses between).
  • outputEncoding: Encoding for the output.

Example: 

1
2
3
4
5
6
{
  "template": "powershell",
  "configuration": {
    "command": "ls"
  }
}

run

Execute an external program on the agent with optional arguments or input.

Parameters:

  • cmdline: The program and its command-line arguments.
  • output: Indicates whether stdout and stderr should be returned.
  • stdin: List of input lines (simulated enter presses between).
  • unicode: True if the input should be UTF-16 (default is false)[only Windows].
  • outputEncoding: Encoding used for the program's output[only Windows].

Example: 

1
2
3
4
5
6
{
  "template": "run",
  "configuration": {
    "cmdline": "rundll32 payload.dll,bob"
  }
}

run-as

Run executable in the target system as some other user (username & password needed).

Parameters:

  • cmdline: The program and its command-line arguments.
  • username: Username that is used to execute executable.
  • password: Password that is used to execute executable.
  • output: Indicates whether stdout and stderr should be returned.
  • stdin: List of input lines (simulated enter presses between).
  • unicode: True if the input should be UTF-16 (default is false)[only Windows].
  • outputEncoding: Encoding used for the program's output[only Windows].

Example: 

1
2
3
4
5
6
7
8
{
  "template": "run-as",
  "configuration": {
    "cmdline": "rundll32 payload.dll,bob",
    "username": "myuser",
    "password": "mypassword"
  }
}

shutdown

Shutdown or reboot the machine.

Parameters:

  • reboot: Reboot instead of shutdown.

Example: 

1
2
3
4
5
6
{
  "template": "shutdown",
  "configuration": {
    "reboot": true
  }
}

sleep

Adjust the agent’s sleep duration for HTTP/HTTPS communication.

Parameters:

  • sleep: Base sleep time in seconds.
  • sleepRandom: Amount of random variation in sleep time.

Example: 

1
2
3
4
5
6
7
{
  "template": "sleep",
  "configuration": {
    "sleep": 60,
    "sleepRandom": 15
  }
}

sleep-until

Set a specific wake-up time for the agent.

Parameter:

  • sleepEnds: ISO-formatted date (Zulu time) or a UNIX timestamp in seconds.

Example: 

1
2
3
4
5
6
{
  "template": "sleep-until",
  "configuration": {
    "sleepEnds": "2025-12-31T23:59:59Z"
  }
}

token-del

Delete a specific token.

Parameter:

  • nr: The token number to delete.

Example: 

1
2
3
4
5
6
{
  "template": "token-del",
  "configuration": {
    "nr": 1
  }
}

token-del-all

Delete all tokens.

Example: 

1
2
3
4
{
  "template": "token-del-all",
  "configuration": {}
}

token-list

List all available tokens along with related details.

Example: 

1
2
3
4
{
  "template": "token-list",
  "configuration": {}
}

token-make

Create a token using provided credentials.

Parameters:

  • username: Username for token creation.
  • password: Password for token creation.
  • netonly: Whether the token is created as a netonly type

Example: 

1
2
3
4
5
6
7
8
{
  "template": "token-make",
  "configuration": {
    "username": "bob",
    "password": "bob123",
    "netonly": false
  }
}

token-from-handle

Purpose: Add new token from existing token handle, created via BOF or something similar.
OS Support: Windows
Parameters:

  • handle: Number of the handle to use as token.

Example: 

1
2
3
4
5
6
{
  "template": "token-from-handle",
  "configuration": {
    "handle": 7
  }
}

token-use

Select a token for use with subsequent commands.

Parameter:

  • nr: Token number to use (0 resets to the default).

Example: 

1
2
3
4
5
6
{
  "template": "token-use",
  "configuration": {
    "nr": 1
  }
}

token-steal

Extract a token from a running process.

Parameter:

  • pid: Process ID from which to steal the token.

Example: 

1
2
3
4
5
6
{
  "template": "token-add",
  "configuration": {
    "pid": 1234
  }
}