Default Payloads
The default payload plugin provides core payload generation for Windows agents, supporting both x64 and x86 architectures. All common payload types are available - executable, DLL, service, shellcode, and debug executable.
Plugin ID: shelldot.payload.default
Template ID (x64): shelldot.payload.windows-x64
Template ID (x86): shelldot.payload.windows-x86
Supported types: DEBUG_EXECUTABLE, EXECUTABLE, SERVICE, DLL, SHELLCODE
Configuration
Use the table below to customize how the Default Payload behaves.
| Attribute | Explanation |
|---|---|
| type | The payload type. Options: DEBUG_EXECUTABLE, EXECUTABLE, SERVICE, DLL, SHELLCODE. |
| paddingSize | Number of bytes of NULL-padding appended to the payload. Useful for inflating file size to bypass size-based heuristics. |
| initialWait | Seconds to wait after startup before launching the main payload code. |
| dllMethodName | The exported method name used by DLL-type payloads. |
| mutex | A string-based mutex that prevents the payload from launching multiple concurrent instances with the same mutex value on the same machine. |
| guardrails[ ] | Conditions that must be met before the payload starts execution. |
| ↳ type | Guardrail type. Options: DomainExists, DomainNotExists, TimeBefore, TimeAfter. |
| ↳ value | Value for the guardrail. For DomainExists/DomainNotExists: a hostname. For TimeBefore/TimeAfter: an ISO-8601 timestamp. |
Example Configurations
Scenario 1: Basic executable with delayed start
Generates a padded x64 executable that waits 60 seconds before starting. The 1 MB padding can help bypass size-based heuristics.
Scenario 2: DLL payload
Generates an x86 DLL payload that activates when start_func is called.
Scenario 3: Domain-locked payload with guardrails
Generates x64 shellcode that only executes if internal.corp.local resolves and the current time is before the specified deadline.