Plugin commands
List on default plugin commands, their configuration and examples.
Command names vs ID(GUID) values
Tuoni supports multiple commands sharing the same name. Ideally, this occurs only when these commands pertain to different types of agents, though this is not strictly enforceable. Therefore, all commands provided by plugins are also assigned unique ID values (GUID type).
When querying the API for all available command plugins/templates, a list of plugins and their respective commands is returned. Each command in this list includes both a name and a unique ID. While command names may not be unique, their ID values always are.
To avoid confusion, the list of available commands returned by agent API requests includes command IDs instead of names. This ensures clarity and prevents any potential ambiguity.
Commands templates
For example, in this environment, the command "powershell" has the ID value fc44c562-a9a6-44b6-b9b4-4f91c4fca8af.
List of agents
The command ID value fc44c562-a9a6-44b6-b9b4-4f91c4fca8af is also present in the availableCommandTemplates list, indicating that this command is available for this agent.
Using name/ID
The Tuoni server accepts both the command name and ID in the "template" field when sending a command. If a name is used, the server attempts to determine the correct command. In most cases, there should be no conflict, and names can be used reliably, although this is not guaranteed. In the current examples, we continue to use the name value for the sake of readability.
connect-smb
Used along with "Relay Agent Bind SMB" listener. The agent created using that listener, will expect a connection from parent agent that can be triggered using this command.
Parameters:
- host: IP or domain name to use to connect to the SMB agent
- pipename: SMB pipe name to use to connect to the SMB agent
connect-tcp
Used along with "Relay Agent Bind TCP listener" listener. The agent created using that listener, will expect a connection from parent agent that can be triggered using this command.
Parameters:
- host: IP or domain to connect to TCP-BIND agent
- port: TCP port number to connect to TCP-BIND agent
Example(POST content)
execute-assembly
Executes .NET executable in memory
Parameters:
- executable: .NET executable file content (if provided via API, have to be base64 encoded)
- parameters: Parameters to be provided to .NET as command line arguments
Example(POST content)
fs-delete
This command deletes file in agent filesystem
Parameters:
- filepath: Path of the file to delete (environment variables are supported)
Example(POST content)
fs-read
This command reads and returns file from agent filesystem
Parameters:
- filepath: Path of the file to read (environment variables are supported)
Example(POST content)
fs-write
This command reads and returns file from agent filesystem
Parameters:
- filepath: Path of the file being written (environment variables are supported)
- data: Content of the file (if provided via API, have to be base64 encoded)
Example(POST content)
inject
Injects and executes shellcode
Parameters:
- shellcode: shellcode to execute (if provided via API, have to be base64 encoded)
Example(POST content)
jump-service
Command for latteral movement. You can copy file to target machine over SMB and then create & start service pointing to that or any other executable
Parameters:
- payloadId: Payload used in jump - should be service exe
- copyMethod: What method to use for copying payload (SMB, NONE)
- copyPath: Where to copy file in target machine
- target: Target machine ip/name
- servicePath: Path of the created service
- serviceName: Name of the created service
- serviceDisplayName: Display name of the created service
- username: Username to use for copy and jump (if needed)
- password: Password to use for copy and jump (if needed)
Example(POST content)
jump-ssh
Command for latteral movement. You can copy file to target machine over SMB and then run it or any command over SSH
Parameters:
- payloadId: Payload used in jump - should be executable exe
- copyMethod: What method to use for copying payload (SMB, NONE)
- copyPath: Where to copy file in target machine
- target: Target machine ip/name
- cmdline: Command line to run on target machine
- username: Username to use for copy and jump
- password: Password to use for copy and jump
- privateKeyPassword: Password of the private key file
Example(POST content)
jump-winrm
Command for latteral movement. You can copy file to target machine over SMB and then run it or any powershell command over Windows Remote Management
Parameters:
- payloadId: Payload used in jump - should be executable exe
- copyMethod: What method to use for copying payload (SMB, NONE)
- copyPath: Where to copy file in target machine
- target: Target machine ip/name
- executablePath: Path of the executable to run
- customPowershell: Custom powershell to run
- username: Username to use for copy and jump (if needed)
- password: Password to use for copy and jump (if needed)
Example(POST content)
jump-wmi
Command for latteral movement. You can copy file to target machine over SMB and then run it or any command over Windows Management Instrumentation
Parameters:
- payloadId: Payload used in jump - should be executable exe
- copyMethod: What method to use for copying payload (SMB, NONE)
- copyPath: Where to copy file in target machine
- target: Target machine ip/name
- cmdline: Command line to run on target machine
- username: Username to use for copy and jump (if needed)
- password: Password to use for copy and jump (if needed)
Example(POST content)
procinfo
Returns additional information about agent's process
Parameters: None
Example(POST content)
screenshot
Makes screenshot on target machine and returns the picture
Parameters: None
Example(POST content)
socks5
Creates SOCKS5 proxy into agent network
Parameters:
- port: Port that is opened by C2 for user to use as socks5 proxy
Example(POST content)
spawn
Spawns new agent
Parameters:
- listenerId: What listener the agent will connect
- payloadType: Type of the payload
- encryptedCommunication: Should communication be encrypted