AxCommand type

Command

The ax.create_command function creates an AxCommand object that will be converted into a command for AdaptixC2 agents.

AxCommand ax.create_command(string name, string description, string example = "", string message = "");
  • name - console command name.

  • description - description of the command.

  • example - example of command input.

  • message - the message that will be displayed in the agent console when the command is sent.

Example

This code creates the pwd command.

ax.create_command("pwd", "Print current working directory", "pwd", "Task: print working directory");

Arguments

The AxCommand object has methods for adding arguments to a command.

bool

The addArgBool method adds a flag argument to the command, which can have two values: true (if the flag is specified) and false (if the flag is not specified).

addArgBool(string flag, string description = "");
// or
addArgBool(string flag, string description, bool value);
  • flag - command's flag name

  • description - description of the argument.

  • value - default value.

Example

This code creates the potato-dcom command with the bool --token argument.

var cmd_dcom_potato = ax.create_command("potato-dcom", "DCOMPotato - get SYSTEM via SeImpersonate privileges.", "potato-dcom --run C:\\Windows\\System32\\cmd.exe /c whoami /all");
cmd_dcom_potato.addArgBool( "--token", "Elevate the current agent to SYSTEM context");
...

int

The addArgInt method adds a numeric argument to the command. The addArgFlagInt method adds a numeric argument to the command, which must be specified after the flag.

addArgInt(string name, bool required, string description = "");
// or
addArgInt(string name, string description, int value);

addArgFlagInt(string flag, string name, bool required, string description = "");
// or
addArgFlagInt(string flag, string name, string description, int value);
  • flag - command's flag name

  • name - command argument's name.

  • required - if true, then the argument must be specified in the command

  • description - description of the argument.

  • value - default value.

Example

This code creates the kill command with the int pid argument.

let cmd_kill = ax.create_command("kill", "Kill a process with a given PID", "kill 7865", "Task: kill process");
cmd_kill.addArgInt("pid", true);

string

The addArgString method adds a string argument to the command. The addArgFlagString method adds a string argument to the command, which must be specified after the flag.

addArgString(string name, bool required, string description = "");
// or
addArgString(string name, string description, string value);

addArgFlagString(string flag, string name, bool required, string description = "");
// or
addArgFlagString(string flag, string name, string description, string value);
  • flag - command's flag name

  • name - command argument's name.

  • required - if true, then the argument must be specified in the command

  • description - description of the argument.

  • value - default value.

Example

This code creates the cp command with two string arguments, src and dst.

let cmd_cp = ax.create_command("cp", "Copy file", "cp src.txt dst.txt", "Task: copy file");
cmd_cp.addArgString("src", true);
cmd_cp.addArgString("dst", true);

file

The addArgFile method adds a file-type argument to the command. The addArgFlagFile method adds a file-type argument to the command, which must be specified after the flag.

The file-type argument is the path to the file that will be read and sent to the server in base64.

addArgFile(string name, bool required, string description = "");
// or
addArgFlagFile(string flag, string name, bool required, string description = "");
  • flag - command's flag name

  • name - command argument's name.

  • required - if true, then the argument must be specified in the command

  • description - description of the argument.

Example

This code creates the upload command with the file-type local_file argument and the string remote_path argument.

let cmd_upload = ax.create_command("upload", "Upload a file", "upload /tmp/file.txt C:\\Temp\\file.txt", "Task: upload file");
cmd_upload.addArgFile("local_file", true);
cmd_upload.addArgString("remote_path", false);
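
The argument rules described in this section (a bool flag is true only when specified, a flag argument takes the value that follows its flag, required arguments must be supplied, default values fill in the rest) can be modelled in a few lines. This is an added illustration, not AdaptixC2 code: parseCommandLine, the spec object layout, whitespace tokenization, keying bool results by flag and the ls-style sample are all assumptions, and file-type arguments are left out.

```javascript
// Illustrative model, not AdaptixC2 code. Each spec mirrors the addArg* parameters
// (kind, flag, name, required, value). Whitespace tokenization is an assumption.
function parseCommandLine(specs, line) {
  const tokens = line.trim().split(/\s+/).filter(Boolean);
  const flagged = new Map(specs.filter(s => s.flag).map(s => [s.flag, s]));
  const positional = specs.filter(s => !s.flag);
  const out = {};
  let pos = 0;

  const convert = (spec, raw) => {
    if (spec.kind !== "int") return raw;
    if (!/^-?\d+$/.test(raw)) throw new Error(`${spec.name}: "${raw}" is not an integer`);
    return Number(raw);
  };

  for (let i = 0; i < tokens.length; i++) {
    const spec = flagged.get(tokens[i]);
    if (spec && spec.kind === "bool") {
      out[spec.flag] = true;                        // flag specified -> true
    } else if (spec) {
      if (i + 1 >= tokens.length) throw new Error(`${spec.flag}: missing value`);
      out[spec.name] = convert(spec, tokens[++i]);  // value must follow its flag
    } else if (pos < positional.length) {
      const p = positional[pos++];
      out[p.name] = convert(p, tokens[i]);          // positional, in declared order
    } else {
      throw new Error(`unexpected argument "${tokens[i]}"`);
    }
  }

  for (const s of specs) {
    const key = s.kind === "bool" ? s.flag : s.name; // bool keyed by flag (assumption)
    if (out[key] !== undefined) continue;
    if (s.kind === "bool") out[key] = s.value ?? false;  // flag not specified -> false
    else if (s.value !== undefined) out[key] = s.value;  // default value
    else if (s.required) throw new Error(`missing required argument "${s.name}"`);
  }
  return out;
}

// Constructed sample, analogous to addArgString("path", "Directory", "."),
// addArgFlagInt("-d", "depth", "Recursion depth", 1) and addArgBool("-a", "Show hidden").
const lsSpecs = [
  { kind: "string", name: "path", value: "." },
  { kind: "int", flag: "-d", name: "depth", value: 1 },
  { kind: "bool", flag: "-a" },
];
console.log(parseCommandLine(lsSpecs, "/tmp -d 3 -a")); // { path: '/tmp', depth: 3, '-a': true }
```
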

SubCommand

The AxCommand object has an addSubCommands method for adding subcommands to a command.

addSubCommands(AxCommand[] subcommands)
  • subcommands - array of AxCommand objects

Example

This code creates the smb and tcp commands, then creates the link command and adds smb and tcp as subcommands.

let _cmd_link_smb = ax.create_command("smb", "Connect to an SMB agent and re-establish control of it", "link smb 192.168.1.2 pipe_a1b2", "Task: Connect to an SMB agent");
_cmd_link_smb.addArgString("target", true);
_cmd_link_smb.addArgString("pipename", true);

let _cmd_link_tcp = ax.create_command("tcp", "Connect to an TCP agent and re-establish control of it", "link tcp 192.168.1.2 8888", "Task: Connect to an TCP agent");
_cmd_link_tcp.addArgString("target", true);
_cmd_link_tcp.addArgInt("port", true);

let cmd_link = ax.create_command("link", "Connect to an pivot agents");
cmd_link.addSubCommands([_cmd_link_smb, _cmd_link_tcp]);

PreHook

See here.


Registering commands

In order for the created commands to be used in the agent console, they must be combined into command groups using the create_commands_group function, and then the group must be registered using the register_commands_group function.

AxCommandsGroup ax.create_commands_group(string name, AxCommand[] commands);
  • name - command group name

  • commands - array of AxCommand objects

ax.register_commands_group(AxCommandsGroup group, string[] agents, string[] os, string[] listeners);
  • group - AxCommandsGroup object

  • agents - an array of strings of agent names for which the command group will be available. The following options are available: "beacon", "gopher", etc.

  • os - an array of strings with the names of the operating systems for which the command group will be available. The following options are available: "windows", "linux", "macos". If an empty array [] is specified, the command group will be registered for all operating systems.

  • listeners - an array of strings with the names of registered listeners for which the command group will be available. The following options are available: "BeaconHTTP", "BeaconSMB", etc. If an empty array [] is specified, the command group will be registered for all listeners.

Example

The following code creates three commands: uptime, useridletime and whoami. It then combines them into the group Test-Register-Group and registers it for the beacon and gopher agents, but only for agents running on Windows.

var cmd_uptime = ax.create_command("uptime", "List system boot time and how long it has been running", "uptime");
cmd_uptime.setPreHook(function (id, cmdline, parsed_json, ...parsed_lines) {
    let bof_path = ax.script_dir() + "_bin/uptime." + ax.arch(id) + ".o";
    ax.execute_alias(id, cmdline, `execute bof ${bof_path}`, "BOF implementation: uptime");
});

var cmd_useridletime = ax.create_command("useridletime", "Shows how long the user as been idle, displayed in seconds, minutes, hours and days", "useridletime");
cmd_useridletime.setPreHook(function (id, cmdline, parsed_json, ...parsed_lines) {
    let bof_path = ax.script_dir() + "_bin/useridletime." + ax.arch(id) + ".o";
    ax.execute_alias(id, cmdline, `execute bof ${bof_path}`, "BOF implementation: useridletime");
});

var cmd_whoami = ax.create_command("whoami", "List whoami /all, hours and days", "whoami");
cmd_whoami.setPreHook(function (id, cmdline, parsed_json, ...parsed_lines) {
    let bof_path = ax.script_dir() + "_bin/whoami." + ax.arch(id) + ".o";
    ax.execute_alias(id, cmdline, `execute bof ${bof_path}`, "BOF implementation: whoami /all");
});

var group_test = ax.create_commands_group("Test-Register-Group", [cmd_uptime, cmd_useridletime, cmd_whoami]);
ax.register_commands_group(group_test, ["beacon", "gopher"], ["windows"], []);
