Linux payload
Native Linux agent for the commercial tier. Supports core agent commands plus Linux-specific operations like sh, chmod, and in-memory ELF execution via load-elf.
Plugin ID: shelldot.payload.linux
Template ID (x64): shelldot.payload.linux-x64
Supported types: DEBUG_EXECUTABLE, EXECUTABLE, LIBRARY
Info
Currently limited to x64 systems. Does not include advanced shellcode features. Compatibility issues may occur on significantly older systems or distributions not based on Debian.
Configuration
| Attribute | Explanation |
|---|---|
| type | The payload type. Options: DEBUG_EXECUTABLE, EXECUTABLE, LIBRARY. |
| initialWait | Seconds to wait after startup before launching the main payload code. |
| paddingSize | Number of bytes of NULL-padding appended to the payload. Useful for inflating file size to bypass size-based heuristics. |
| disableMemFd | When true, the agent executes plugin code using temporary files instead of memfd_create. This can help evade detection by certain EDR solutions that monitor memfd usage. |
| pluginLoadingDirectory | Directory used for temporary files when disableMemFd is enabled. Falls back to /tmp, then to the directory containing the agent executable if the specified path is unavailable. |
| mutex | A string-based mutex that prevents the payload from launching multiple concurrent instances with the same mutex value on the same machine. |
| autoDestructDate | ISO-8601 timestamp after which the agent will terminate itself automatically. |
Tip
If operating on a system where /tmp is mounted with noexec, set pluginLoadingDirectory to a writable, executable path (e.g. the agent's own directory) and enable disableMemFd to ensure plugins can still be loaded.