Commercial Tier

The commercial tier extends Tuoni with advanced evasion, cross-platform agents, and capabilities built for professional red team engagements. Everything in the open-source release is included - the commercial tier adds on top of it.


Payloads

Three additional agent types beyond the default Windows payload:

Payload | Platform | Details
Commercial payload | Windows | Full-featured Windows agent with all commercial commands enabled
Linux payload | Linux | Native Linux agent with sh, chmod, load-elf, and more
BSD payload | BSD | Native BSD agent with the same Linux feature set

Listeners

Listener | Details
DNS listener | C2 communication tunnelled over DNS - ideal for bypassing egress filtering

Evasion

Capabilities designed to reduce the operational footprint and bypass defensive tooling.

amsi-bypass - Disables AMSI in the current process before running scripts or assemblies.

load-pe - Executes a native Windows EXE entirely in memory, no disk write required. Supports image name spoofing.

load-dll - Loads and calls into a DLL in memory, with full parameter and return type support.

load-elf - Linux equivalent of load-pe - in-memory ELF execution without touching disk.

DLL Override System - Replace core agent functionality (HTTP transport, sleep logic, etc.) at runtime using custom DLLs. Enables per-engagement customisation of agent internals.

override-load → override-set → (operate) → override-unset → override-unload

Privilege Operations

Fine-grained control over the Windows token privilege set.

privilege-list - Inspect all privileges in the current process token.

privilege-enable - Activate a specific privilege (e.g. SeDebugPrivilege, SeImpersonatePrivilege).

privilege-disable - Suppress a privilege to reduce the process's apparent capabilities.


Post-Exploitation

Additional commands for deeper access and data collection.

mimikatz - Execute Mimikatz commands directly from the agent. Supports chaining multiple commands in a single call.

keylogger - Background keylogger with active window tracking. Groups captured keystrokes by the application in focus.

screen-tracker - Continuous screenshot capture that only sends images when the screen content changes by a configured threshold.

webcam - Capture a still image from a connected webcam.

memory-layout - Inspect the full memory map of any process.


Process Control

kill - Terminate a process by PID.

suspend - Freeze all threads in a process.


Linux / BSD

The following commands are available on Linux and BSD commercial agents:

sh - Execute shell commands via sh, with stdin support.

chmod - Change file and directory permissions using symbolic or octal notation.

load-elf - Load and execute ELF binaries in memory.


Command Reference