Transclude of NightHawk-Help-Text.txt
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| sleep | Parameters: <time> - Sleep time in seconds. |
| | [<jitter>] - Jitter as a percentage of the sleep time. |
| | |
| | Changes the check-in time for the associated agent to the specified number of seconds. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
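The sleep value and jitter percentage above define the check-in cadence that a network sensor sees, which is exactly what beaconing detection keys on. The following is an added example, not part of the Nighthawk help text or the product, that models check-ins under a sleep/jitter setting and computes the interval statistics a defender would derive from per-host connection timestamps. It assumes jitter is applied symmetrically as a uniform offset of up to the given percentage of the sleep time; the function names and the constructed timestamp lists are assumptions of this example.

```python
import random
import statistics
from typing import List, Tuple


def simulate_checkins(sleep_s: float, jitter_pct: float, count: int, seed: int = 1) -> List[float]:
    """Return `count` check-in timestamps (seconds from t=0) for an agent
    configured with `sleep_s` seconds of sleep and `jitter_pct` percent jitter.

    Assumption (not stated in the help text): jitter is a uniform offset in
    [-jitter_pct%, +jitter_pct%] of the sleep time, applied to every interval.
    """
    rng = random.Random(seed)
    spread = sleep_s * jitter_pct / 100.0
    t = 0.0
    timestamps = []
    for _ in range(count):
        t += sleep_s + rng.uniform(-spread, spread)
        timestamps.append(t)
    return timestamps


def gaps_between(timestamps: List[float]) -> List[float]:
    """Intervals between consecutive connections from one source to one destination."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def interval_stats(timestamps: List[float]) -> Tuple[float, float]:
    """Median interval and coefficient of variation (stdev / mean) of the gaps.

    A low CV over many connections means a near-constant period, which is the
    signature of a sleeping agent rather than of human-driven traffic.
    """
    gaps = gaps_between(timestamps)
    if len(gaps) < 2:
        raise ValueError("need at least three connections to compute statistics")
    median = statistics.median(gaps)
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    return median, cv


def looks_like_beacon(timestamps: List[float], max_cv: float = 0.35, min_connections: int = 8) -> bool:
    """Flag a connection series whose period varies little (CV at or below `max_cv`).

    The thresholds are assumptions for this example; in practice they are tuned
    per environment against known-benign periodic traffic (updaters, NTP, etc.).
    """
    if len(timestamps) < min_connections:
        return False
    _, cv = interval_stats(timestamps)
    return cv <= max_cv


def fits_sleep_setting(timestamps: List[float], sleep_s: float, jitter_pct: float) -> bool:
    """True when every observed gap lies inside the window a given sleep/jitter pair
    would permit, i.e. [sleep * (1 - j), sleep * (1 + j)] under the symmetric model."""
    low = sleep_s * (1.0 - jitter_pct / 100.0)
    high = sleep_s * (1.0 + jitter_pct / 100.0)
    return all(low - 1e-9 <= g <= high + 1e-9 for g in gaps_between(timestamps))


if __name__ == "__main__":
    # Constructed data: a 60-second sleep with 20% jitter, and an irregular
    # series standing in for interactive browsing.
    beacon = simulate_checkins(60, 20, 30)
    browsing = [0, 3, 4, 40, 41, 42, 300, 301, 900, 905]
    for name, series in (("agent", beacon), ("browsing", browsing)):
        median, cv = interval_stats(series)
        print(f"{name:9s} median={median:7.2f}s cv={cv:.3f} beacon={looks_like_beacon(series)}")
```

The two checks answer different questions: `looks_like_beacon` is the generic periodicity test a sensor runs without knowing the agent's configuration, while `fits_sleep_setting` checks a candidate sleep/jitter pair against observed gaps once one is suspected, and both break down as jitter approaches 100% of the sleep time.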
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| get-drives | |
| | Displays a summary of the drives configured on the remote machine. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| exec | Parameters: [--token=<handle>] - Optional token handle value to use. |
| | [--visible] - Displays the application on the associated user desktop. |
| | [--capture-output] - Waits for and captures process console output. |
| | [--expand-vars] - Expands environment variables. |
| | <executable path> - Path to executable to run. |
| | [<arg 1> <arg 2> ... <arg n>] - Optional list of command line arguments to pass to created process. |
| | |
| | Performs execution of the specified executable, passing the associated command line arguments. The process will be executed using the identity of |
| | the agent. Console output is captured and displayed. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| shell | Parameters: [--token=<handle>] - Optional token handle value to use. |
| | [--visible] - Displays the application on the associated user desktop. |
| | [--capture-output] - Waits for and captures process console output. |
| | <command> - Command to be executed. |
| | |
| | Performs shell command execution using the command interpreter %comspec% (usually cmd.exe) as configured on the remote machine. The command will |
| | be executed using the identity of the agent. Console output is captured and displayed. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| ls | Parameters: [<path>] - Remote path for directory listing. |
| | |
| | Displays a directory listing of either the current directory or of the path if specified. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| link | Parameters: <uri> - URI of agent to link. |
| | |
| | The link command establishes a P2P connection to a listening agent using the URI provided. The URI can either take the form 'tcp://<host>/<port>' |
| | or 'smb://<host>/<pipe name>', or a custom URI format if custom P2P strategies have been provisioned. |
| | Multiple agents can listen in P2P mode on the same port and same pipe name. In this situation, to link each of the listening agents sharing a P2P |
| | endpoint it is necessary to execute the link command multiple times to connect to each agent one at a time until all are connected. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| file-info | Parameters: <file> - Remote file path. |
| | |
| | Displays basic file information pertaining to the specified file, including size, creation time, last access time, and last write time. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| upload | Parameters: <local path> - Local file path. |
| | [<remote path>] - Remote file path. |
| | |
| | Uploads a local file to the specified location on the remote host. The entire file is uploaded in one request so this command is not ideal for |
| | very large files. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| inproc-execute-assembly | Parameters: [--default-appdomain] - Use the default appdomain. |
| | [--appdomain=<name>] - Use specified appdomain. |
| | [--no-amsi-patch] - Do not patch AMSI. |
| | [--no-etw-patch] - Do not patch ETW. |
| | [--no-restore-control] - Do not restore the NtTraceControl() patch. |
| | [--no-prevent-exit] - Do not prevent Environment.Exit. |
| | [--realtime-output] - Send console output in real-time (rather than on exit). |
| | [--pid=<process ID>] - The process ID to inject the assembly into. |
| | [--credentials=<[domain\]username:password>] - The user identity to execute the assembly under if injected. |
| | <path to assembly> - Local path to .NET assembly to execute. |
| | [<arg 1> <arg 2> ... <arg n>] - Optional list of arguments to pass to the entrypoint of the assembly as a CLR string[] array. |
| | |
| | |
| | This command executes a .NET assembly with optional arguments. The assembly is executed within the agent process by default. If the optional --pid |
| | argument is supplied then, instead of executing the .NET assembly directly within the agent, a reflective DLL is constructed and sent to the agent |
| | for injection into the specified process. The reflective DLL embeds the .NET assembly and optional arguments. |
| | |
| | If the injection approach is used then the --credentials parameter may be used to specify impersonation prior to execution. If --pid is not |
| | supplied then the assembly is executed in the context of the agent using the credentials currently being impersonated, so the --credentials |
| | parameter is not required. |
| | The output from assembly execution is captured either directly within the agent process or, under the injection approach, via a named pipe with |
| | a random name. |
| | The --realtime-output option does not work with injected assemblies. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| cd | Parameters: <new path> - New relative or absolute path on remote filesystem. |
| | |
| | Changes the working directory to the specified path. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| pwd | |
| | Prints current working directory on remote host. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| whoami | |
| | Displays the currently logged on user identity. If the agent is actively impersonating this will display the impersonated user identity. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| revert | |
| | Restores original agent process user identity after impersonation. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| impersonate | Parameters: [--network] - Network logon rather than interactive logon. |
| | <[domain\]username> - Username with optional domain prefix to impersonate. |
| | <password> - Corresponding password for username. |
| | |
| | Impersonates the specified user by calling LogonUser(). If the --network flag is passed as the first argument then the logon type is |
| | LOGON32_LOGON_NEW_CREDENTIALS instead of LOGON32_LOGON_INTERACTIVE. Passing --network will result in the impersonated user token being used for |
| | network operations such as interacting with network shares; however, the agent user identity will remain unchanged. If --network is omitted then |
| | the impersonated user identity will be logged on interactively and agent commands will execute as that user until reverted. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| runas | Parameters: [--visible] - Displays the application on the associated user desktop. |
| | [--capture-output] - Waits for and captures process console output. |
| | [--expand-vars] - Expands environment variables. |
| | <[domain\]username> - Username with optional domain prefix to execute command as. |
| | <password> - Corresponding password for username. |
| | <executable path> - Path to executable to run. |
| | [<arg 1> <arg 2> ... <arg n>] - Optional list of command line arguments to pass to created process. |
| | |
| | Performs execution of the specified executable, passing the associated command line arguments. The process will be executed using the identity |
| | provided. If a domain prefix is provided with the username, the process executes under the agent's process identity; however, network operations |
| | are performed under the identity of the specified user. Console output is captured and displayed. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| shellas | Parameters: [--visible] - Displays the application on the associated user desktop. |
| | [--capture-output] - Waits for and captures process console output. |
| | <[domain\]username> - Username with optional domain prefix to execute command as. |
| | <password> - Corresponding password for username. |
| | <command> - Command to be executed. |
| | |
| | Performs shell command execution using the command interpreter %comspec% (usually cmd.exe) as configured on the remote machine. The command will |
| | be executed using the identity provided. If a domain prefix is provided with the username, the command executes under the agent's process |
| | identity; however, network operations are performed under the identity of the specified user. Console output is captured and displayed. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| inject-rdll | Parameters: <path> - Local path to reflective DLL to inject. |
| | <process ID> - Remote target process ID for injection. |
| | <export> - Name of the reflective loader DLL export. |
| | |
| | Injects a reflective DLL into the remote process. The <export> parameter specifies the name (or partial name) of the export which performs the |
| | reflective loading. In a typical reflective DLL this is 'ReflectiveLoader'. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| spawn-rdll | Parameters: <path> - Local path to reflective DLL to inject. |
| | <export> - Name of the reflective loader DLL export. |
| | [--process-path=<path>] - Path to remote process to spawn. |
| | [--parent=<ppid|process name>] - Parent process name or ID. |
| | [--cmdline=<cmd line>] - Command line for remote process. |
| | |
| | Spawns a new process with optional parent process configured and injects a reflective DLL. If no process path is specified the default 'spawn-to' |
| | path is used. If no parent process is specified the default 'parent-process' name is used. The <export> parameter specifies the name (or partial |
| | name) of the export which performs the reflective loading. In a typical reflective DLL this is 'ReflectiveLoader'. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| socks-list | |
| | Shows active SOCKS listeners and associated thread/connection details. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| socks-create | Parameters: <port> - Local port to create proxy on. |
| | Creates a SOCKS 4a proxy on specified port. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| socks-stop | |
| | Shuts down all listening SOCKS proxies for this specific client. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| get-download-dir | |
| | Displays the current downloads folder. By default this is the user 'Downloads' folder on Windows or '/tmp' on Linux. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| set-download-chunksize | Parameters: <chunk-size> - Download chunk size in bytes. |
| | |
| | Sets the chunk size to use when downloading files from remote host. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| download | Parameters: <remote path> - Remote file path. |
| | [<local path>] - Local file path. |
| | |
| | Downloads a remote file to the specified location on the local host. The download is performed in chunks of the size configured by |
| | 'set-download-chunksize' (default 1MB). The agent sends a new file chunk once per check-in. As a result, the download will be slow if the sleep |
| | value is high and faster if the sleep value is low. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| cancel-download | Parameters: <file-transfer-id> - ID of file transfer to cancel. |
| | Cancels an in-progress download. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| list-downloads | |
| | Lists downloads and their statuses. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| preview | Parameters: <file> - Path of file to preview. |
| | [<size>] - Size of data to print in bytes. |
| | |
| | Prints the first 8KB (or specified amount) of a file. If the data contains printable ASCII characters then the preview is printed in plain text, |
| | otherwise a hex dump is displayed. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| rm | Parameters: <file> - Remote filename. |
| | |
| | Deletes a file from the remote filesystem. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| cp | Parameters: <existing file> - Name of remote file to copy. |
| | <target file> - Target path. |
| | |
| | Copies a file on the remote filesystem. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| rn | Parameters: <original file> - Name of remote file to rename. |
| | <new name> - New filename. |
| | |
| | Renames a file on the remote filesystem. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| ps | Parameters: [--injectable] - Display only injectable processes (opens a handle with PROCESS_ALL_ACCESS rights) |
| | [--detailed-info] - Displays detailed information (opens a handle with PROCESS_QUERY_LIMITED_INFORMATION rights) |
| | [--skip-processes=<process1.exe,process2.exe,...>] - Named processes for which no handle is opened. |
| | |
| | Displays a process listing. By default handles to each process are not opened so returned information is limited. To get further information |
| | provide --detailed-info. To enumerate injectable processes provide --injectable. Both options can be combined with --skip-processes to avoid |
| | opening certain named processes (e.g. lsass.exe, winlogon.exe etc.). |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| clear | |
| | Clears the console. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| steal-token | Parameters: <process ID> - Target process ID from which to steal token. |
| | |
| | Attempts to impersonate using the process token of a running process. SecurityDelegation is first attempted; if this fails, SecurityImpersonation |
| | is attempted. The stolen token is then impersonated, meaning that further operations should be performed within the context of the impersonated |
| | user. Operations performed asynchronously, such as execution of .NET assemblies, will continue to use the original agent process token, so these |
| | must impersonate explicitly. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| switch-token | Parameters: <token handle> - Handle value of the token to switch to. |
| | |
| | Switches to a stored token; the rights associated with the token depend on the rights obtained when the token was initially opened. Tokens can be |
| | listed via the list-tokens command. Tokens should be referenced by numerical hex value and begin with 0x. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| list-tokens | |
| | Lists stored tokens accessible to the agent; these tokens were previously created via the 'impersonate' or 'steal-token' commands. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| delete-token | Parameters: <token handle> - Handle value of the token to delete. |
| | |
| | Deletes a stored token and closes the associated handle. Tokens can be listed via the list-tokens command. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| clear-tokens | |
| | Deletes all stored tokens and closes the associated handles. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| inject-shellcode | Parameters: <path> - Local path to binary shellcode file for injection. |
| | <process ID> - Remote target process ID for injection. |
| | |
| | Injects a shellcode into the remote process. Uses the process injection chain specified within the agent configuration. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| spawn-shellcode | Parameters: <path> - Local path to binary shellcode file for injection. |
| | [--process-path=<path>] - Path to remote process to spawn. |
| | [--parent=<ppid|process name>] - Parent process name or ID. |
| | [--cmdline=<cmd line>] - Command line for remote process. |
| | |
| | Spawns a new process with optional parent process configured and injects shellcode. If no process path is specified the default 'spawn-to' path is |
| | used. If no parent process is specified the default 'parent-process' name is used. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| enum-privs | |
| | Lists names of privileges held by the implant agent process. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| enable-privs | Parameters: <priv-1>[,<priv-2>...] | all - Privilege names to enable, or all privileges |
| | Enables privileges on the process token for the implant agent process. |
| | Can be one or more of: |
| | |
| | SeCreateTokenPrivilege |
| | SeAssignPrimaryTokenPrivilege |
| | SeLockMemoryPrivilege |
| | SeIncreaseQuotaPrivilege |
| | SeUnsolicitedInputPrivilege |
| | SeMachineAccountPrivilege |
| | SeTcbPrivilege |
| | SeSecurityPrivilege |
| | SeTakeOwnershipPrivilege |
| | SeLoadDriverPrivilege |
| | SeSystemProfilePrivilege |
| | SeSystemtimePrivilege |
| | SeProfileSingleProcessPrivilege |
| | SeIncreaseBasePriorityPrivilege |
| | SeCreatePagefilePrivilege |
| | SeCreatePermanentPrivilege |
| | SeBackupPrivilege |
| | SeRestorePrivilege |
| | SeShutdownPrivilege |
| | SeDebugPrivilege |
| | SeAuditPrivilege |
| | SeSystemEnvironmentPrivilege |
| | SeChangeNotifyPrivilege |
| | SeRemoteShutdownPrivilege |
| | SeUndockPrivilege |
| | SeSyncAgentPrivilege |
| | SeEnableDelegationPrivilege |
| | SeManageVolumePrivilege |
| | SeImpersonatePrivilege |
| | SeCreateGlobalPrivilege |
| | SeTrustedCredManAccessPrivilege |
| | SeRelabelPrivilege |
| | SeIncreaseWorkingSetPrivilege |
| | SeTimeZonePrivilege |
| | SeCreateSymbolicLinkPrivilege |
| | SeDelegateSessionUserImpersonatePrivilege |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| disable-privs | Parameters: <priv-1>[,<priv-2>...] | all - Privilege names to disable, or all privileges |
| | Disables privileges on the process token for the implant agent process. |
| | Can be one or more of: |
| | |
| | SeCreateTokenPrivilege |
| | SeAssignPrimaryTokenPrivilege |
| | SeLockMemoryPrivilege |
| | SeIncreaseQuotaPrivilege |
| | SeUnsolicitedInputPrivilege |
| | SeMachineAccountPrivilege |
| | SeTcbPrivilege |
| | SeSecurityPrivilege |
| | SeTakeOwnershipPrivilege |
| | SeLoadDriverPrivilege |
| | SeSystemProfilePrivilege |
| | SeSystemtimePrivilege |
| | SeProfileSingleProcessPrivilege |
| | SeIncreaseBasePriorityPrivilege |
| | SeCreatePagefilePrivilege |
| | SeCreatePermanentPrivilege |
| | SeBackupPrivilege |
| | SeRestorePrivilege |
| | SeShutdownPrivilege |
| | SeDebugPrivilege |
| | SeAuditPrivilege |
| | SeSystemEnvironmentPrivilege |
| | SeChangeNotifyPrivilege |
| | SeRemoteShutdownPrivilege |
| | SeUndockPrivilege |
| | SeSyncAgentPrivilege |
| | SeEnableDelegationPrivilege |
| | SeManageVolumePrivilege |
| | SeImpersonatePrivilege |
| | SeCreateGlobalPrivilege |
| | SeTrustedCredManAccessPrivilege |
| | SeRelabelPrivilege |
| | SeIncreaseWorkingSetPrivilege |
| | SeTimeZonePrivilege |
| | SeCreateSymbolicLinkPrivilege |
| | SeDelegateSessionUserImpersonatePrivilege |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| spri | Parameters: <priority> - h[igh], m[edium], l[ow] |
| | [index] - applies the priority to the command at index |
| | |
| | Sets a priority on an executed command. This is used to tag commands with a rating in the operations server for reporting purposes. The default |
| | priority is LOW. The index parameter is optional and represents the index of the command to apply to; if not supplied then the last command is |
| | used. |
| | Invoking with no parameter lists the past twenty historic commands. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| stag | Parameters: <tag> - optionally quoted tag value |
| | [index] - applies the tag to the command at index |
| | Sets a tag on an executed command. This is used to tag commands with a value in the operations server for reporting purposes. The index parameter |
| | is optional and represents the index of the command to apply to; if not supplied then the last command is used. |
| | Invoking with no parameter lists the past twenty historic commands. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| clear-command | Parameters: <message-id|all> - The message ID of a pending command to clear, or 'all' to clear all. |
| | Removes a command queued for execution. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| list-commands | |
| | Lists all historic commands executed against an agent in the current UI session. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| execute-bof | Parameters: <path to bof file> - Local path to bof file to execute. |
| | <entrypoint> - Name of entrypoint to execute. |
| | [<arg 1> <arg 2> ... <arg n>] - Optional list of arguments to pass to entrypoint. |
| | |
| | This command executes a Cobalt Strike BOF. All parameters expected by the BOF must be specified whether they are optional or not. To specify |
| | optional parameters simply provide 0 for integer parameters and "" for string parameters. |
| | |
| | Parameters must be prefixed with the expected type; these are: |
| | z - ASCII string (e.g. z"foobar") |
| | Z - Wide char string (e.g. Z"foobar") |
| | s - Short (2 byte) integer (e.g. s123) |
| | i - Integer (4 bytes) (e.g. i123456789) |
| | b - Binary as hex (e.g. b414243444546) |
| | |
| | If a type is prefixed with 'f' (e.g. fb:foo.bin, fz:bar.txt) then the relevant data is read from file rather than the command line. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| logons | |
| | Display a list of logon sessions. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| lua | |
| | Display settings for Limited User Account (LUA). |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| pipelist | |
| | Display list of pipes on local system. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| proflist | |
| | Display list of user profiles on remote system. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| windows | Parameters: <pid> - Process ID. |
| | Display information about registered windows for a given process. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| applist | |
| | Display list of applications installed on remote system. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| portlist | |
| | Display list of network connections on remote system. This will attempt to resolve remote IPs to hostnames so will generate DNS traffic and may |
| | delay hibernation for several minutes (if enabled). |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| services | |
| | Display information about services on a remote system. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| threads | Parameters: <pid> - Process ID. |
| | Display information about threads in a process. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| modules | Parameters: <pid> - Process ID. |
| | Display information about modules/DLLs in a process. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| handles | Parameters: <pid> - Process ID to enumerate handles for. |
| | [--type=<name>] - Filter by type. |
| | |
| | Display information about handles for a process. Parameter --type can be: ... |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| objects | Parameters: [--path=<path>] - Directory to start enumerating objects. e.g. "\" |
| | [--type=<type>] - Filter by object Type. e.g. Driver |
| | [--name=<name>] - Filter by object Name. |
| | |
| | This command lists objects in the NT directory manager. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| credman | Parameters: <pid> - Process to dump credentials from. |
| | Enumerate logged on user credentials from specified process. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| getsystem | |
| | Impersonate the local SYSTEM account. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| screenshot | |
| | Take a screenshot of the desktop. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| keylog | |
| | Parameters: start, stop, status, getkeys, clear. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| procdump | Parameters: <pid> - Process ID to dump. |
| | Dump memory of process. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| unlink | |
| | This command is executed on an agent (P2P or egress) and forces that agent to reset its connection state. If executed on an egress agent this |
| | will put the agent into the state of attempting an initial connection to the C2, breaking the poll/execute/result worker loop and starting a new |
| | worker. If executed on a P2P agent this will disconnect the P2P agent and it will begin listening again. |
| | Connected agents downstream of the agent on which this command is executed also unlink. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| rmdir | Parameters: <path> - Directory path. |
| | |
| | Deletes a directory from the remote filesystem. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| mkdir | Parameters: <path> - Directory path. |
| | |
| | Creates a directory on the remote filesystem. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| set-injector-step | Parameters: <step name> - Name of the injection chain step to reconfigure. |
| | <new value> - New step value. |
| | |
| | Reconfigures a step in the injection chain used. Valid step names are: |
| | ProcessCreate |
| | ProcessOpen |
| | AllocMemory |
| | WriteMemory |
| | ProtectMemory |
| | ThreadOpen |
| | ExecuteMemory |
| | For further information and valid step values please check the documentation. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| get-config | Parameters: <config path> - JSON path of the config section to retrieve. |
| | |
| | Obtains JSON configuration section of the agent at the path specified. An empty path retrieves the entire configuration. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| update-config | Parameters: <config path> - JSON path of the config section to update. |
| | <json> - JSON data to replace configuration section. |
| | Update JSON configuration of the agent at the path specified. Be careful with this command as breaking the agent config may prevent it from being |
| | able to communicate outbound. To change an agent profile the agent context menu Change Profile option is safer. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| alias | Parameters: <name> - Name to assign to the newly created alias. |
| | <value> - Alias value with substitution placeholders as needed. |
| | |
| | Creates a command alias with positional placeholders for arguments. Positional arguments are specified using $1, $2, etc. for individual |
| | arguments, $1-3 for ranges (e.g. 1 to 3 inclusive), or $1-... for all arguments after a specified position. |
| | Example: |
| | alias "netuser-x64" "execute-bof \"C:\\\\tools\\\\BOFs\\\\SA\\\\netuser\\\\netuser.x64.o\" go Z\"$1\" Z\"$2\"" |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
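The placeholder rules for alias ($1, $2, $1-3, $1-...) interact with the shell-style quoting shown in the alias example, where escaped quotes inside the alias value have to survive into the expanded command. The Python below is an added example written for this page, not Nighthawk's own alias implementation: it parses an alias definition line with shell quoting rules and then expands the placeholders against the arguments of a later command line. The alias name "report" and the command it expands to are constructed for the example, and treating a missing single positional argument as an error is an assumption the help text does not settle.

```python
from __future__ import annotations

import re
import shlex

# Matches $N, $N-M and $N-... ; positional placeholders are 1-based.
_PLACEHOLDER = re.compile(r"\$(\d+)(?:-(\d+|\.\.\.))?")


def expand_alias(value: str, args: list[str]) -> str:
    """Substitute positional placeholders in an alias value.

    $N      -> the N-th argument (a missing argument raises; this is an
               assumption, the help text does not say what happens)
    $N-M    -> arguments N..M inclusive, space separated
    $N-...  -> every argument from N onwards
    """
    def repl(match: re.Match) -> str:
        start = int(match.group(1))
        end = match.group(2)
        if start < 1:
            raise ValueError("placeholders are 1-based: %s" % match.group(0))
        if end is None:
            if start > len(args):
                raise ValueError("no argument for %s" % match.group(0))
            return args[start - 1]
        if end == "...":
            return " ".join(args[start - 1:])
        stop = int(end)
        if stop < start:
            raise ValueError("empty range %s" % match.group(0))
        return " ".join(args[start - 1:stop])

    return _PLACEHOLDER.sub(repl, value)


def define_alias(line: str) -> tuple[str, str]:
    """Parse an 'alias "<name>" "<value>"' line using shell-style quoting,
    so backslash-escaped quotes inside the value become literal quotes."""
    parts = shlex.split(line)
    if len(parts) != 3 or parts[0] != "alias":
        raise ValueError("expected: alias <name> <value>")
    return parts[1], parts[2]


def resolve_line(aliases: dict[str, str], line: str) -> str:
    """Return the command line with its leading alias (if any) expanded."""
    parts = shlex.split(line)
    if not parts or parts[0] not in aliases:
        return line
    return expand_alias(aliases[parts[0]], parts[1:])


if __name__ == "__main__":
    # Constructed alias; "report" and "say" are hypothetical names, not commands from the help text.
    name, value = define_alias('alias "report" "say \\"$1\\" $2-3 $4-..."')
    table = {name: value}
    print(resolve_line(table, "report hello a b c d"))
    # -> say "hello" a b c d
```

Running the module prints the expansion of the constructed alias; note that the quotes escaped in the definition line come back as literal quotes around the first argument, while the range and open-ended placeholders are joined with single spaces.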
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| detailed-info | |
| | Shows detailed machine information if already known. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| list-tasks | |
| | Lists currently executing asynchronous tasks in the agent. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| cancel-task | Parameters: <task-id> - GUID identifier for a running task. |
| | Attempts to cancel a running task within the agent. |
| | |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------