Commercial Plugin Commands
Plugin commands available exclusively in the commercial payload. These add evasion capabilities, in-memory execution, surveillance, and advanced process operations beyond the open-source plugin set.
For execution configuration options (process injection, PPID spoofing, etc.) see Execution Context.
Quick Reference
| Command | OS | Summary |
|---|---|---|
| amsi-bypass | Windows | Disable AMSI in the current process |
| dll-proxy | Windows | Implant a DLL proxy for persistence |
| env-var-set | Win / Linux / BSD | Set an environment variable |
| env-var-unset | Win / Linux / BSD | Delete an environment variable |
| keylogger | Windows | Capture keystrokes with active window tracking |
| kill | Windows | Kill a process by PID |
| load-dll | Windows | Load a DLL into memory and call an exported method |
| load-elf | Linux | Load and execute an ELF binary in memory |
| load-pe | Windows | Load and execute a native EXE in memory |
| memory-layout | Windows | Show the memory layout of a process |
| mimikatz | Windows | Execute Mimikatz commands |
| screen-tracker | Windows | Capture screenshots when the screen changes |
| suspend | Windows | Suspend a process |
| webcam | Windows | Capture an image from a connected webcam |
amsi-bypass
OS Support: Windows (commercial payload only)
Purpose: Disables the Antimalware Scan Interface (AMSI) in the current process, preventing script and assembly content from being scanned by Windows Defender and compatible AV products.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| method | string | No | CLR_PTR_OVERRIDE | Bypass method. Options: CLR_PTR_OVERRIDE (overrides the CLR scanning pointer), AMSI_SCAN_BUFFER_PATCH (patches the AmsiScanBuffer function in memory). |
Example:
Tip
Run amsi-bypass before execute-assembly to prevent content-based detection. The bypass only applies within the current agent process - it does not affect commands like powershell that spawn a new process. If one method is detected by EDR, try the other.
env-var-set
OS Support: Windows, Linux, BSD
Purpose: Sets an environment variable at the process level, or at user/machine level on Windows.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | Name of the environment variable. |
| value | string | Yes | - | Value to set. |
| envVarScope | string | No | PROCESS | Scope of the variable. Windows-only options: PROCESS, USER, MACHINE. Linux/BSD always uses PROCESS. |
Example:
env-var-unset
OS Support: Windows, Linux, BSD
Purpose: Deletes an environment variable at the process level, or at user/machine level on Windows.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | Name of the environment variable to delete. |
| envVarScope | string | No | PROCESS | Scope of the variable. Windows-only options: PROCESS, USER, MACHINE. Linux/BSD always uses PROCESS. |
Example:
keylogger
OS Support: Windows (commercial payload only)
Purpose: Starts a background keylogger that records keystrokes and tracks the active window, sending captured data back to the C2.
Parameters: None (use --execConf to control the host process)
Example:
Info
The keylogger runs as a background job. Use jobs to see its job ID and die to stop it if needed. Active window tracking groups keystrokes by the application in focus at the time they were typed.
kill
OS Support: Windows (commercial payload only)
Purpose: Terminates a process by its PID.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| pid | int | Yes | - | Process ID of the process to terminate. |
Example:
Privileges required
Killing processes owned by other users requires SeDebugPrivilege. Use privilege-enable first if needed.
load-dll
OS Support: Windows (commercial payload only)
Purpose: Loads a DLL into the agent's memory and executes a specified exported method with given parameters - without writing the DLL to disk.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| @files.dll | file | No | - | DLL file to load. Mutually exclusive with localDllPath. |
| localDllPath | string | No | - | Local path to the DLL on the target (if already present on disk). |
| methodName | string | Yes | - | Name of the exported method to call. |
| parameterTypes | string | No | - | Type string where each character describes a parameter: s = string, w = UTF-16LE string, i = integer. |
| parameterValues | string[] | No | - | Parameter values matching the types in parameterTypes. |
| returnType | string | No | - | Return type of the method: s = string, w = UTF-16LE string, i = integer. |
Example:
Load a DLL and call RunPayload(string arg1, int timeout):
Info
parameterTypes is a compact string - one character per parameter in order. For example, "si" means the first parameter is a string and the second is an integer.
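The type-string convention above, worked through as an added example (not the product's own code): `build_call` and `encode_arg` are hypothetical helper names that validate a parameterTypes / parameterValues / returnType triple the way the table describes and decode each value to its declared type.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Type codes exactly as documented for parameterTypes / returnType:
#   s = string, w = UTF-16LE string, i = integer
TYPE_CODES = {"s": "string", "w": "utf16le-string", "i": "int"}


@dataclass
class CallSpec:
    method_name: str
    args: List[Union[str, bytes, int]]   # decoded values, in parameter order
    return_type: str                     # decoded return type, or "void" if none given


def encode_arg(code: str, raw: str) -> Union[str, bytes, int]:
    """Convert one parameterValues entry according to its single-character type code."""
    if code == "s":
        return raw
    if code == "w":
        return raw.encode("utf-16-le")           # wide string, no BOM
    if code == "i":
        try:
            return int(raw, 0)                   # accepts decimal or 0x-prefixed hex
        except ValueError as exc:
            raise ValueError(f"value {raw!r} is not an integer") from exc
    raise ValueError(f"unknown type code {code!r}; expected one of s, w, i")


def build_call(method_name: str, parameter_types: str = "",
               parameter_values: Optional[List[str]] = None,
               return_type: str = "") -> CallSpec:
    """Validate a load-dll style request and decode its arguments (hypothetical helper)."""
    values = parameter_values or []
    if len(parameter_types) != len(values):
        raise ValueError(
            f"parameterTypes has {len(parameter_types)} entries but "
            f"parameterValues has {len(values)}")
    args = [encode_arg(code, value) for code, value in zip(parameter_types, values)]
    if return_type and return_type not in TYPE_CODES:
        raise ValueError(f"unknown returnType {return_type!r}")
    return CallSpec(method_name, args, TYPE_CODES.get(return_type, "void"))
```

For the RunPayload(string arg1, int timeout) signature mentioned above, parameterTypes is "si" and parameterValues carries two entries; a count mismatch or a non-numeric value for an i slot is rejected before anything is called.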
load-elf
OS Support: Linux (commercial payload only)
Purpose: Loads an ELF executable directly into memory and executes it, without writing it to disk.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| @files.executable | file | No | - | ELF binary to load. Mutually exclusive with localExecutable. |
| localExecutable | string | No | - | Local path on the target to an already-present ELF binary. |
| commandline | string | No | - | Command-line arguments for the ELF. The first argument is treated as the file path by the OS. |
| maxWaitTime | int | No | - | Maximum seconds to wait for the process to complete before returning. |
| stdin | string[] | No | - | Lines sent to stdin of the process, simulating Enter presses between each. |
Example:
load-pe
OS Support: Windows (commercial payload only)
Purpose: Loads a native Windows EXE into memory and executes it with specified arguments - no disk write required.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| @files.executable | file | No | - | EXE binary to load. Mutually exclusive with localExecutable. |
| localExecutable | string | No | - | Local path to the EXE on the target. |
| commandline | string | No | - | Command-line arguments for the executable. |
| imageName | string | No | - | Filename to present to the executable if it tries to verify its own path. |
| maxWaitTime | int | No | - | Maximum seconds to wait for the process to complete. |
Example:
Warning
Some executables cause unexpected behaviour when loaded in-process. Test new tools in an isolated lab before running operationally. If the agent becomes unresponsive, restarting it may be necessary.
memory-layout
OS Support: Windows (commercial payload only)
Purpose: Displays the memory layout of a process - regions, permissions, and mapped modules.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| pid | int | No | Agent's own PID | Process ID to inspect. Defaults to the agent's own process. |
Example:
mimikatz
OS Support: Windows (commercial payload only)
Purpose: Executes one or more Mimikatz commands and returns their output.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| command | string | Yes | - | One or more Mimikatz commands, space-delimited. |
Example - dump credentials from LSASS:
Example - run multiple commands in one call:
Privileges required
Most sekurlsa:: and lsadump:: modules require SeDebugPrivilege and a high-integrity context. Use privilege-enable --privilege SeDebugPrivilege beforehand if needed.
Tip
Multiple Mimikatz commands can be chained in a single command string (space-delimited), reducing the number of round-trips to the agent and keeping the operation more compact.
screen-tracker
OS Support: Windows (commercial payload only)
Purpose: Periodically captures screenshots, sending a new image only when a specified percentage of the screen has changed - minimising unnecessary data transfer.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| interval | int | No | 2 | How often to check for screen changes, in seconds. |
| timeout | int | No | 600 | Total tracking duration in seconds before the command stops automatically. |
| difference | float | No | - | Percentage of pixels that must change to trigger a screenshot (e.g. 5 = 5%). |
| difference_pixels | int | No | - | Absolute number of pixels that must change to trigger a screenshot. Use this or difference, not both. |
Example:
Info
The first screenshot is taken immediately upon starting. Subsequent screenshots are only sent when the change threshold is met, making this efficient for long-running surveillance. Use jobs to see its job ID and stop it early if needed.
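The send/skip decision described above, modelled as an added example (not the product's own code): `ScreenTracker` is a hypothetical class that applies interval, timeout and the two mutually exclusive thresholds to a sequence of frames (flat lists of pixel values, constructed inline in the test). Assumptions: frames are compared against the last frame that was actually sent, any change triggers a send when neither threshold is given, and checks run only while elapsed time is below timeout.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ScreenTracker:
    """Models screen-tracker's send/skip decision; frames are flat lists of pixel values."""
    interval: int = 2                        # seconds between checks
    timeout: int = 600                       # total duration before auto-stop
    difference: Optional[float] = None       # percent of pixels, e.g. 5 = 5%
    difference_pixels: Optional[int] = None  # absolute pixel count
    elapsed: int = 0                         # seconds since start
    last_sent: Optional[List[int]] = None    # frame most recently transmitted
    stopped: bool = False

    def __post_init__(self) -> None:
        # Documented constraint: the two threshold parameters are mutually exclusive.
        if self.difference is not None and self.difference_pixels is not None:
            raise ValueError("use difference or difference_pixels, not both")

    def threshold(self, total_pixels: int) -> int:
        """Changed-pixel count needed to trigger a send (assumed: any change if neither is set)."""
        if self.difference_pixels is not None:
            return self.difference_pixels
        if self.difference is not None:
            return math.ceil(total_pixels * self.difference / 100.0)
        return 1

    def tick(self, frame: List[int]) -> bool:
        """Feed the frame captured at the current check; return True if it would be sent."""
        if self.stopped:
            return False
        if self.elapsed >= self.timeout:
            self.stopped = True              # timeout reached: job ends, nothing more is sent
            return False
        self.elapsed += self.interval        # the next check happens one interval later
        if self.last_sent is None:
            self.last_sent = list(frame)     # first screenshot is always sent
            return True
        changed = sum(1 for a, b in zip(frame, self.last_sent) if a != b)
        if changed >= self.threshold(len(frame)):
            self.last_sent = list(frame)     # later frames are compared to what was sent (assumption)
            return True
        return False
```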
suspend
OS Support: Windows (commercial payload only)
Purpose: Suspends all threads in a target process, effectively freezing it.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| pid | int | Yes | - | Process ID of the process to suspend. |
Example:
Warning
Suspending critical system processes may cause system instability. Use with care in production environments.
webcam
OS Support: Windows (commercial payload only)
Purpose: Captures a still image from a connected webcam and returns it to the C2.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| deviceNr | int | No | 0 | Device index to use when multiple webcams are connected. 0 selects the default device. |
Example: