Native commands

List of native commands, their configuration and examples.

bof

This command executes a BOF (Beacon Object File) and returns its output.

Internal type: 0x41

Parameters:

  • bofFile: BOF file to execute, base64 encoded
  • method: Entry point to call (usually "go")
  • inputArgs: Command line arguments for the BOF
  • inputArgsEncoding: Encoding in which the command line arguments are handed to the BOF (UTF8 or UTF16LE)
  • inputAsBytes: If the BOF input is binary, it has to be provided through this parameter (when present, inputArgs and inputArgsEncoding are ignored)
  • pack_format: Argument packing format(s) for the BOF
  • pack_args: Array of arguments to pack for the BOF

Example (POST content)

This example carries a BOF that runs 'whoami'. It only works inside an x64 process because, well, it is an x64 BOF.

{
  "template": "bof",
  "configuration": {
    "bofFile": "__BOF_FILE_IN_BASE64__",
    "method": "go"
  }
}

cd

This command changes the agent's working directory.

Internal type: 0x3

Parameters:

  • dir: Directory to change to, either relative (to the agent's current directory) or absolute

Example (POST content)

{
  "template": "cd",
  "configuration": {
    "dir": "..\\"
  }
}

connection-conf

This command changes the configuration of the listener shellcode running in the agent, for example to change the sleep time.

Internal type: 0x2

Parameters:

  • listenerPluginId: ID of the listener plugin whose shellcode in the agent is being reconfigured
  • listenerId: ID of the listener shellcode inside the agent (for now it is always 1)
  • listenerConfiguration: The configuration changes to apply

Example (POST content)

{
  "template": "connection-conf",
  "configuration": {
    "listenerPluginId": "shelldot.listener.agent-reverse-http",
    "listenerId": 1,
    "listenerConfiguration": {
      "sleep": 60000,
      "sleepRandom": 15000
    }
  }
}

cmd

Executes the given command with cmd.exe.

Parameters:

  • command: Command to execute with cmd.exe
  • stdin: Array of strings written to the process's stdin, each followed by a newline (Enter)
  • outputEncoding: Encoding used to decode the output

Example (POST content)

{
  "template": "cmd",
  "configuration": {
    "command": "dir"
  }
}

run

Runs an executable on the agent system, optionally passing it arguments and/or stdin input, and reads its output.

Parameters:

  • cmdline: Program name followed by its command line arguments
  • output: Whether output (stdout and stderr) is sent back to the C2
  • stdin: Array of strings written to the process's stdin, each followed by a newline (Enter)
  • unicode: Whether stdin is written in UTF-16 encoding (default: false)
  • outputEncoding: Encoding used to decode the output

Example (POST content)

{
  "template": "run",
  "configuration": {
    "cmdline": "rundll32 payload.dll,bob"
  }
}

jobs

Lists the commands currently running in the agent.

Internal type: 0x2

Parameters: None

Example (POST content)

{
  "template": "jobs",
  "configuration": {}
}

powershell

Executes the given command with powershell.

Parameters:

  • command: Command to execute with powershell
  • stdin: Array of strings written to the process's stdin, each followed by a newline (Enter)
  • outputEncoding: Encoding used to decode the output

Example (POST content)

{
  "template": "powershell",
  "configuration": {
    "command": "ls"
  }
}

ps

Lists the processes running on the system.

Internal type: 0x5

Parameters: None

Example (POST content)

{
  "template": "ps",
  "configuration": {}
}

die

This command kills the agent it is sent to.

Internal type: 0x1

Parameters: None

Example (POST content)

{
  "template": "die",
  "configuration": {}
}

ls

This command returns information about a directory's contents, recursing to the given depth.

Internal type: 0x4

Parameters:

  • dir: Directory to list
  • depth: Recursion depth of the listing

Example (POST content)

{
  "template": "ls",
  "configuration": {
    "dir": "c:\\",
    "depth": 2
  }
}

token-add

This command tries to steal the token of an existing process and store it.

Internal type: 0x42

Parameters:

  • pid: Process to take the token from

Example (POST content)

{
  "template": "token-add",
  "configuration": {
    "pid": 1234
  }
}

token-make

This command tries to create a token from a username and password.

Internal type: 0x47

Parameters:

  • username: Username to use
  • password: Password to use

Example (POST content)

{
  "template": "token-make",
  "configuration": {
    "username": "bob",
    "password": "bob123"
  }
}

token-list

This command returns the list of stored tokens (each token's number and the username it belongs to).

Internal type: 0x46

Parameters: None

Example (POST content)

{
  "template": "token-list",
  "configuration": {}
}

token-use

This command makes the agent use the selected token for all commands that support it.

Internal type: 0x43

Parameters:

  • nr: Number of the token to use

Example (POST content)

{
  "template": "token-use",
  "configuration": {
    "nr": 1
  }
}

token-del

This command deletes a single token.

Internal type: 0x44

Parameters:

  • nr: Number of the token to delete

Example (POST content)

{
  "template": "token-del",
  "configuration": {
    "nr": 1
  }
}

token-del-all

This command deletes all stored tokens.

Internal type: 0x45

Parameters: None

Example (POST content)

{
  "template": "token-del-all",
  "configuration": {}
}
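All commands on this page share one JSON envelope ({"template": ..., "configuration": {...}}), and the bof section notes that a BOF only runs inside a process of its own architecture. The following Python is an added example, not part of the framework or its documentation: it parses a task document (for instance one recovered from a traffic capture or a sandbox run), checks its parameter names against the ones listed on this page, maps the template to the internal type code the page gives, and, for bof tasks, reads the COFF Machine field of the decoded BOF to report whether it is x64 or x86. The triage categories, the handling of unknown templates and the sample tasks are assumptions constructed here; the stub "BOF" is a bare 20-byte COFF header, not a real object file.

```python
"""Added example: decoder and triage helper for captured agent task documents
in the JSON envelope used by every command on this page:
    {"template": "<name>", "configuration": {...}}
Parameter names and internal type codes are copied from the page; the triage
categories and sample tasks are assumptions made for this example."""
import base64
import binascii
import json
import struct

# template -> (internal type stated on the page, or None where the page gives none;
#              parameter names listed on the page for that template)
TEMPLATES = {
    "bof": (0x41, {"bofFile", "method", "inputArgs", "inputArgsEncoding",
                   "inputAsBytes", "pack_format", "pack_args"}),
    "cd": (0x3, {"dir"}),
    "connection-conf": (0x2, {"listenerPluginId", "listenerId", "listenerConfiguration"}),
    "cmd": (None, {"command", "stdin", "outputEncoding"}),
    "run": (None, {"cmdline", "output", "stdin", "unicode", "outputEncoding"}),
    "jobs": (0x2, set()),
    "powershell": (None, {"command", "stdin", "outputEncoding"}),
    "ps": (0x5, set()),
    "die": (0x1, set()),
    "ls": (0x4, {"dir", "depth"}),
    "token-add": (0x42, {"pid"}),
    "token-make": (0x47, {"username", "password"}),
    "token-list": (0x46, set()),
    "token-use": (0x43, {"nr"}),
    "token-del": (0x44, {"nr"}),
    "token-del-all": (0x45, set()),
}

# Triage buckets for an analyst reading recovered tasking (assumption, not from the page).
CATEGORY = {
    "bof": "code-execution", "cmd": "code-execution", "run": "code-execution",
    "powershell": "code-execution",
    "token-add": "credential/token", "token-make": "credential/token",
    "token-use": "credential/token", "token-list": "credential/token",
    "token-del": "credential/token", "token-del-all": "credential/token",
    "connection-conf": "c2-tasking", "die": "c2-tasking", "jobs": "c2-tasking",
    "cd": "recon", "ls": "recon", "ps": "recon",
}

# COFF file header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
# PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
COFF_HEADER_LEN = 20
COFF_MACHINES = {0x8664: "x64", 0x14C: "x86"}


def bof_machine(bof_b64):
    """Report which architecture a base64-encoded BOF targets. A BOF is a COFF
    object, so its first two bytes are the COFF Machine field. The page's
    __BOF_FILE_IN_BASE64__ placeholder is not valid base64 and is reported as such."""
    try:
        data = base64.b64decode(bof_b64, validate=True)
    except (binascii.Error, ValueError):
        return "invalid base64"
    if len(data) < COFF_HEADER_LEN:
        return "too short for a COFF header"
    machine = struct.unpack_from("<H", data, 0)[0]
    return COFF_MACHINES.get(machine, "unknown machine 0x%04x" % machine)


def describe_task(raw):
    """Parse one task document and return a triage summary dict."""
    doc = json.loads(raw)
    template = doc.get("template")
    conf = doc.get("configuration")
    if not isinstance(conf, dict):
        conf = {}
    summary = {
        "template": template,
        "known": template in TEMPLATES,
        "internal_type": None,
        "category": CATEGORY.get(template, "unknown"),
        "params": sorted(conf),
        "unknown_params": [],  # names the page does not list: variant or parse error
    }
    if template in TEMPLATES:
        itype, known_params = TEMPLATES[template]
        summary["internal_type"] = itype
        summary["unknown_params"] = sorted(set(conf) - known_params)
    if template == "bof" and "bofFile" in conf:
        summary["bof_machine"] = bof_machine(conf["bofFile"])
    return summary


# Constructed sample tasking (not captured from any real system). The "BOF" is a bare
# 20-byte x64 COFF header with zero sections, enough for the machine check only.
STUB_X64_COFF_B64 = base64.b64encode(
    struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0)).decode()
SAMPLE_TASKS = [
    json.dumps({"template": "bof", "configuration": {"bofFile": STUB_X64_COFF_B64, "method": "go"}}),
    json.dumps({"template": "bof", "configuration": {"bofFile": "__BOF_FILE_IN_BASE64__", "method": "go"}}),
    json.dumps({"template": "token-make", "configuration": {"username": "bob", "password": "bob123"}}),
    # "timeout" is a constructed parameter the page does not list, to exercise the unknown-params path
    json.dumps({"template": "run", "configuration": {"cmdline": "rundll32 payload.dll,bob", "timeout": 5}}),
    # constructed unknown template name, to exercise the unknown-template path
    json.dumps({"template": "selfupdate", "configuration": {}}),
]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(describe_task(task))
```

Run stand-alone it prints one summary per sample task. The page's placeholder __BOF_FILE_IN_BASE64__ is reported as invalid base64 rather than aborting the decoder, and a template or parameter name not on this page is surfaced as unknown so the analyst knows the documentation no longer covers what was captured.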