2.4 KiB
2.4 KiB
"Monarch" Agent commands:
House-keeping
- sleep : Set sleep obfuscation duration to a different value and persist that value in the agent
Basic API-only Commands
-
pwd : Get current working directory
-
cd : Change directory
-
ls/dir : List all files in directory (including hidden ones)
-
rm : Remove a file
-
rmdir : Remove a empty directory
-
mv : Move a file
-
cp : Copy a file
-
cat/type : Display contents of a file
-
env : Display environment variables
-
ps : List processes
-
whoami : Get UID and privileges, etc.
-
token : Token impersonation
- make : Create a token from a user's plaintext password (LogonUserA, ImpersonateLoggedOnUser)
- steal : Steal the access token from a process (OpenProcess, OpenProcessToken, DuplicateToken, ImpersonateLoggedOnUser)
- use : Impersonate a token from the token vault (ImpersonateLoggedOnUser) -> update username like in Cobalt Strike
-
rev2self : Revert to original logon session (RevertToSelf)
Execution Commands
- shell : Execute shell command (to be implemented using Windows APIs instead of execCmdEx)
- bof : Execute Beacon Object File in memory and retrieve output (bof /local/path/file.o) - Read from listener endpoint directly to memory - Base for all kinds of BOFs (Situational Awareness, ...)
- pe : Execute PE file in memory and retrieve output (pe /local/path/mimikatz.exe)
- dotnet : Execute .NET assembly inline in memory and retrieve output (dotnet /local/path/Rubeus.exe )
Post-Exploitation
- upload : Upload file from server to agent (upload /local/path/to/file C:\Windows\Tasks) - File to be downloaded moved to specific endpoint on listener, e.g. GET ////file - Read from webserver and written to disk
- download : Download file from agent to teamserver - Create loot directory for agent to store files in - Read file into memory and send byte stream to specific endpoint, e.g. POST ///-task/file - Encrypt file in-transit!!!
- screenshot : Take a screenshot of the entire desktop and all monitors