AdaptixC2 GitHubExtension-Kit

AxFunction

Data Model

agents

Get information about all agents calling back to this Adaptix teamserver.

AGENT[id] ax.agents();
// AGENT STRUCT
string agent["id"]
string agent["type"]
string agent["listener"]
string agent["external_ip"]
string agent["internal_ip"]
string agent["domain"]
string agent["computer"]
string agent["username"]
string agent["impersonated"]
string agent["process"]
string agent["arch"]
int    agent["pid"]
int    agent["tid"]
int    agent["gmt"]
bool   agent["elevated"]
string agent["tags"]
bool   agent["async"]
int    agent["sleep"]
string agent["os_full"]
Example
var agents = ax.agents(); 

for (var id in agents) {
    ax.log("Agent ID: " + id);
    var agent = agents[id];
    for (var key in agent) {
        ax.log("  " + key + ": " + agent[key]);
    }
}

credentials

Returns a list of credentials.

CRED[id] ax.credentials()
// CRED STRUCT
cred["id"]
cred["username"]
cred["password"]
cred["realm"]
cred["type"]
cred["tag"]
cred["date"]
cred["storage"]
cred["agent_id"]
cred["host"]
Example
var creds = ax.credentials(); 

for (var id in creds) {
    ax.log("Cred ID: " + id);
    var cred = creds[id];
    for (var key in cred) {
        ax.log("  " + key + ": " + cred[key]);
    }
}

downloads

Returns a list of downloads.

DOWNLOAD[id] ax.downloads()
// DOWNLOAD STRUCT
download["id"]
download["agent_id"]
download["agent_name"]
download["user"]
download["computer"]
download["filename"]
download["recv_size"]
download["total_size"]
download["date"]
download["state"]
Example
var downloads = ax.downloads();

for (var id in downloads) {
    ax.log("Download ID: " + id);
    var dw = downloads[id];
    for (var key in dw) {
        ax.log("  " + key + ": " + dw[key]);
    }
}

screenshots

Returns a list of screenshots.

SCREEN[id] ax.screenshots()
// SCREEN STRUCT
screen["id"]
screen["user"]
screen["computer"]
screen["note"]
screen["date"]
Example
var screenshots = ax.screenshots();

for (var id in screenshots) {
    ax.log("Screen ID: " + id);
    var screen = screenshots[id];
    for (var key in screen) {
        ax.log("  " + key + ": " + screen[key]);
    }
}

targets

Returns a list of targets.

TARGET[id] ax.targets()
// TARGET STRUCT
target["id"]
target["computer"]
target["domain"]
target["address"]
target["tag"]
target["date"]
target["info"]
target["alive"]
target["owned"]
target["os"]
target["os_desc"]
Example
var targets = ax.targets();

for (var id in targets) {
    ax.log("Target ID: " + id);
    var targ = targets[id];
    for (var key in targ) {
        ax.log("  " + key + ": " + targ[key]);
    }
}

tunnels

Returns a list of tunnels.

TUNNEL[id] ax.tunnels()
// TUNNEL STRUCT
tunnel["id"]
tunnel["agent_id"]
tunnel["username"]
tunnel["computer"]
tunnel["process"]
tunnel["type"]
tunnel["info"]
tunnel["interface"]
tunnel["port"]
tunnel["client"]
tunnel["f_port"]
tunnel["f_host"]
Example
var tunnels = ax.tunnels();

for (var id in tunnels) {
    ax.log("Tunn ID: " + id);
    var tun = tunnels[id];
    for (var key in tun) {
        ax.log("  " + key + ": " + tun[key]);
    }
}

Functions

The following is a list of AxScript's functions:

agents

See here

agent_info

Get information from a agent session's metadata.

any ax.agent_info(string id, string property)

  • id - agent ID

  • property - CRED property (see here)

Example
ax.agent_info("47ca27cf", "username");
ax.agent_info("47ca27cf", "pid");

agent_set_color

Set color for agent's item in Session Table

void ax.agent_set_color(string[] ids, string background, string foreground, bool reset);

  • ids - array of agent ids

  • background - item background color in hex RGB

  • foreground - item text color in hex RGB

  • reser - if true, reset the color to default

Example
ax.agent_set_color(["47ca27cf"], "008000", "000000", false);

agent_set_impersonate

Set impersonate for agent's item in Session Table

void ax.agent_set_impersonate(string id, string impersonate, bool elevated);

  • id - agent ID

  • impersonate - impersonated user

  • elevated - is impersonated user elevated

Example
ax.agent_set_impersonate("47ca27cf", "SYSTEM", true);

agent_set_mark

Set mark for agent's item in Session Table

void ax.agent_set_mark(string id, string mark);

  • id - agent ID

  • mark - agent's mark ("Terminated", "Inactive", "Disconnect", empty "" for active).

Example
ax.agent_set_mark("47ca27cf", "Inactive");

agent_set_tag

Set tag for agent's item in Session Table

void ax.agent_set_tag(string id, string tag);

  • id - agent ID

  • tag - agent's tag

Example
ax.agent_set_tag("47ca27cf", "long");

arch

Returns the architecture of agent session (e.g., x86 or x64)

string ax.arch(string id);

  • id - agent ID

Example
ax.arch("47ca27cf");

bof_pack

Pack arguments in a way that's suitable for BOF APIs to unpack. To transmit binary data to the server, the function will encode it in base64.

string ax.bof_pack(string types, any[] args);

  • types - a set of comma separated string types for BOF's arguments

  • args - array of BOF's arguments

Type
Description
Unpack With (C)

bytes

binary data

BeaconDataExtract

int

4-byte integer

BeaconDataInt

short

2-byte short integer

BeaconDataShort

cstr

zero-terminated+encoded string

BeaconDataExtract

wstr

zero-terminated wide-char string

(wchar_t *)BeaconDataExtract

Example
ax.bof_pack("bytes,int,short,cstr,wstr", ["bytes_str", 123, 12, "c_string", "w_string"]);

copy_to_clipboard

Copy text to client's clipboard.

void ax.copy_to_clipboard(string text);
Example
ax.copy_to_clipboard("stored data");

console_message

Print an output message and text to the agent console.

void ax.console_message(string id, string message, string type = "", string text = "");

  • id - agent ID

  • message - brief message

  • type - message type ("info", "success", or "error")

  • text - text output

Example
ax.console_message("47ca27cf", "Info message\n", "info", "This is\nmulti line\ntext");
ax.console_message("47ca27cf", "Error message\n", "error");

credentials

See here

credentials_add

Save the specified credentials in Credentials Manager

void ax.credentials_add(string username, string password, string realm = "", string type = "password", string tag = "", string storage = "manual", string host = "");

  • username - creds username

  • password - creds secret

  • realm - creds domain/realm

  • type - creds type (possible "password", "hash", "rc4", "aes128", "aes256", "token")

  • tag - creds tag

  • storage - creds container (possible "browser", "dpapi", "database", "sam", "lsass", "ntds", "manual")

  • host - the host where the credentials were stored

Example
ax.credentials_add("user", "P@ssw0rd", "dom.local", "password", "", "dpapi", `SERVER12`);

credentials_add_list

Save a list of creds in the Credentials Manager

void ax.credentials_add_list(cred[] array);
// cred STRUCT
string cred.username
string cred.password
string cred.realm
string cred.type
string cred.tag
string cred.storage
string cred.host
Example
var obj = {};
obj.username = "user";
obj.password = "!Q@W3e4r";
obj.realm = "domain";
obj.type = "password";
obj.host = "DB";

var arr = [];
arr.push(obj);

ax.credentials_add_list(arr);

create_command

See here

create_commands_group

See here

execute_alias

See here

execute_browser

See here

execute_command

See here

file_basename

Returns the filename

string ax.file_basename(string path);

  • path - full filename

Example
ax.file_basename("/tmp/test.txt");

file_exists

Checks if a file exists

bool ax.file_exists(string path);

  • path - full filename

Example
ax.file_exists("/tmp/test.txt");

file_read

Reads a file and returns base64 encoded contents

string ax.file_read(string path);

  • path - full filename

Example
ax.file_read("/tmp/test.txt");

file_write_text

Writes text data to a file and returns true if the write is successful.

bool ax.file_write_text(string path, string text);

  • path - full filename

  • text - text data

Example
ax.file_write_text("/tmp/test.txt", "this is text");

format_time

Convert UNIX Epoch Time to date/time string value.

string ax.format_time(string format, int unixtime);

  • format - datetime format (e.g. "dd/MM/yyyy hh:mm:ss")

  • unixtime - UNIX Epoch Time value

Example
ax.format_time("dd/MM hh:mm", ax.ticks());

format_size

Converts bytes into a convenient format

string ax.format_size(int bytes);
Example

get_commands

Returns a list of available commands for the agent.

string[] get_commands(string id);

  • id - agent ID

Example

interfaces

Returns a list of network interfaces of the teamserver

string[] ax.interfaces()
Example
ax.interfaces()

ids

Returns a list of agent ids

string[] ax.ids()
Example

is64

Check if a session is on an x64 system or not

bool ax.is64(string id);

  • id - agent ID

Example
ax.is64("47ca27cf");

isactive

Returns true if the agent is active

bool ax.isactive(string id);

id - agent ID

Example

isadmin

Check if a session has admin rights

bool ax.isadmin(string id);

  • id - agent ID

Example
ax.isadmin("47ca27cf");

log / log_error

Print text to AxScript Console.

void ax.log(string text);
void ax.log_error(string text);
Example
ax.log("log");
ax.log_error("log");

open_agent_console

Open the console to interact with a agent

void ax.open_agent_console(string id);

  • id - agent ID

open_access_tunnel

Open the tunnel creation dialog window

void ax.open_access_tunnel(string id, bool socks4, bool socks5, bool lportfwd, bool rportfwd);

  • id - agent ID

  • socks4 - is agent support socks4

  • socks5 - is agent support socks5

  • lportfwd - is agent support local port forwarding

  • rportfwd - is agent support reverse port forwarding

Example
ax.open_access_tunnel("47ca27cf", true, true, false, false);

open_browser_files

Open the File Browser for a agent

void ax.open_browser_files(string id);

  • id - agent ID

open_browser_process

Open the Process Browser for a agent

void ax.open_browser_process(string id);

  • id - agent ID

open_remote_terminal

Open the Interactive Terminal for a agent

void ax.open_remote_terminal(string id);

  • id - agent ID

prompt_confirm

Show a confirm dialog.

string prompt_confirm(string caption, string text);

  • caption - title of the dialog

  • text - Text question

Example
ax.prompt_confirm(" ", "Exit main windows?");

prompt_open_file

Show a file open dialog.

string prompt_open_file(string caption = "Select file", string filter = "");

  • caption - title of the dialog

  • filter - filter for selecting files

Example
ax.prompt_open_file("Select AxScript", "AxScript Files (*.axs)");

prompt_open_dir

Show a directory open dialog.

string prompt_open_dir(string caption = "Select directory");

  • caption - title of the dialog

Example
ax.prompt_open_dir("Open directory");

prompt_save_file

Show a file save dialog.

string prompt_save_file(string filename, string caption = "Select file", string filter = "");

  • filename - default filename

  • caption - title of the dialog

  • filter - filter for selecting files

Example
ax.prompt_save_file("/tmp/creds.txt", "Save file");

register_commands_group

See here

script_import

Import AxScript script into current script's env.

string script_import(string path);

  • path - path to script file

script_load

Load a new script to AxScript Manager

string script_load(string path);

  • path - path to script file

script_unload

Unload a script from the AxScript Manager

string script_unload(string path);

  • path - path to script file

script_dir

Returns the directory where the script is located.

string script_dir();

show_message

Shows a message to the user in a dialog box. Use this function to relay information.

void show_message(string title, string text);

  • title - title of the dialog

  • text - the message text

Example
ax.show_message("Info", "This is text");

targets_add

Save the specified target in Targets Manager

void ax.targets_add(string computer, string domain, string address, string os = "unknown", string osDesc = "", string tag = "", string info = "", bool alive = true);

  • computer - computer name

  • domain - domain name

  • address - IP address

  • os - OS type (possible "windows", "linux", "macos")

  • osDesc - detailed information about OS

  • tag - tag

  • info - info

  • alive - true if the host is alive

Example
ax.targets_add("DC", "dom.local", "dom.local", "192.168.1.10", "windows");

targets_add_list

Save a list of targets in the Targets Manager

void ax.targets_add_list(target[] array);
// target STRUCT
string target.computer
string target.domain
string target.address
string target.tag
string target.info
string target.os_desc
string target.os            ["windows", "linux", "macos"]
bool   target.alive
Example
var obj = {};
obj.computer = "DC";
obj.domain = "DOM.LOCAL";
obj.os_desc = "Windows Server 2019";
obj.os = "windows";
obj.alive = true;
obj.tag = "";
obj.info = "from axscript";

var arr = [];
arr.push(obj);

ax.targets_add_list(arr);

ticks

UNIX Epoch Time value

int ticks();

validate_command

Checks the validity of the entered command and returns full information

cmd_info ax.validate_command(string id, string command);

  • id - agent ID

  • command - agents command

// cmd_info STRUCT
bool   info["valid"]
string info["message"]
bool   info["is_pre_hook"]
bool   info["has_output"]
bool   info["has_post_hook"]
map{}  info["parsed"]
Example
let cmd = ax.validate_command("551757de", "socks start 1080");
cmd.valid

let cmd = ax.validate_command("551757de", "socks start");
cmd.message

PreviousIntroductionNextAxCommand type

Last updated