AxFunction

Data Model

agents

Get information about all agents calling back to this Adaptix teamserver.

AGENT[id] ax.agents();

// AGENT STRUCT
string agent["id"]
string agent["type"]
string agent["listener"]
string agent["external_ip"]
string agent["internal_ip"]
string agent["domain"]
string agent["computer"]
string agent["username"]
string agent["impersonated"]
string agent["process"]
string agent["arch"]
int    agent["pid"]
int    agent["tid"]
int    agent["gmt"]
int    agent["acp"]
int    agent["oemcp"]
bool   agent["elevated"]
string agent["tags"]
bool   agent["async"]
int    agent["sleep"]
string agent["os_full"]

Example

var agents = ax.agents(); 

for (var id in agents) {
    ax.log("Agent ID: " + id);
    var agent = agents[id];
    for (var key in agent) {
        ax.log("  " + key + ": " + agent[key]);
    }
}

---

credentials

Returns a list of credentials.

CRED[id] ax.credentials()

// CRED STRUCT
cred["id"]
cred["username"]
cred["password"]
cred["realm"]
cred["type"]
cred["tag"]
cred["date"]
cred["storage"]
cred["agent_id"]
cred["host"]

Example

var creds = ax.credentials(); 

for (var id in creds) {
    ax.log("Cred ID: " + id);
    var cred = creds[id];
    for (var key in cred) {
        ax.log("  " + key + ": " + cred[key]);
    }
}

---

downloads

Returns a list of downloads.

DOWNLOAD[id] ax.downloads()

// DOWNLOAD STRUCT
download["id"]
download["agent_id"]
download["agent_name"]
download["user"]
download["computer"]
download["filename"]
download["recv_size"]
download["total_size"]
download["date"]
download["state"]

Example

var downloads = ax.downloads();

for (var id in downloads) {
    ax.log("Download ID: " + id);
    var dw = downloads[id];
    for (var key in dw) {
        ax.log("  " + key + ": " + dw[key]);
    }
}

---

screenshots

Returns a list of screenshots.

SCREEN[id] ax.screenshots()

// SCREEN STRUCT
screen["id"]
screen["user"]
screen["computer"]
screen["note"]
screen["date"]

Example

var screenshots = ax.screenshots();

for (var id in screenshots) {
    ax.log("Screen ID: " + id);
    var screen = screenshots[id];
    for (var key in screen) {
        ax.log("  " + key + ": " + screen[key]);
    }
}

---

targets

Returns a list of targets.

TARGET[id] ax.targets()

// TARGET STRUCT
target["id"]
target["computer"]
target["domain"]
target["address"]
target["tag"]
target["date"]
target["info"]
target["alive"]
target["owned"]
target["os"]
target["os_desc"]

Example

var targets = ax.targets();

for (var id in targets) {
    ax.log("Target ID: " + id);
    var targ = targets[id];
    for (var key in targ) {
        ax.log("  " + key + ": " + targ[key]);
    }
}

---

tunnels

Returns a list of tunnels.

TUNNEL[id] ax.tunnels()

// TUNNEL STRUCT
tunnel["id"]
tunnel["agent_id"]
tunnel["username"]
tunnel["computer"]
tunnel["process"]
tunnel["type"]
tunnel["info"]
tunnel["interface"]
tunnel["port"]
tunnel["client"]
tunnel["f_port"]
tunnel["f_host"]

Example

var tunnels = ax.tunnels();

for (var id in tunnels) {
    ax.log("Tunn ID: " + id);
    var tun = tunnels[id];
    for (var key in tun) {
        ax.log("  " + key + ": " + tun[key]);
    }
}

---

Functions

The following is a list of AxScript's functions:

agents

See here

---

agent_info

Get information from a agent session's metadata.

any ax.agent_info(string id, string property)

• id - agent ID

• property - CRED property (see here)

Example

ax.agent_info("47ca27cf", "username");
ax.agent_info("47ca27cf", "pid");

---

agent_hide

Hide agents from Sessions Table.

void ax.agent_hide(string[] ids)

• ids - array of agent ids

---

agent_remove

Remove agents from server.

void ax.agent_hide(string[] ids)

• ids - array of agent ids

---

agent_set_color

Set color for agent's item in Session Table

void ax.agent_set_color(string[] ids, string background, string foreground, bool reset);

• ids - array of agent ids

• background - item background color in hex RGB

• foreground - item text color in hex RGB

• reser - if true, reset the color to default

Example

ax.agent_set_color(["47ca27cf"], "008000", "000000", false);

---

agent_set_impersonate

Set impersonate for agent's item in Session Table

void ax.agent_set_impersonate(string id, string impersonate, bool elevated);

• id - agent ID

• impersonate - impersonated user

• elevated - is impersonated user elevated

Example

ax.agent_set_impersonate("47ca27cf", "SYSTEM", true);

---

agent_set_mark

Set mark for agent's item in Session Table

void ax.agent_set_mark(string id, string mark);

• id - agent ID

• mark - agent's mark ("Terminated", "Inactive", "Disconnect", empty "" for active).

Example

ax.agent_set_mark("47ca27cf", "Inactive");

---

agent_set_tag

Set tag for agent's item in Session Table

void ax.agent_set_tag(string id, string tag);

• id - agent ID

• tag - agent's tag

Example

ax.agent_set_tag("47ca27cf", "long");

---

agent_update_data

Update/set agent data

void ax.agent_update_data(string id, json_property object);

• id - agent ID

• json_property - CRED property (see here)

Example

ax.agent_update_data("aa26e9d4", {
    internal_ip:"192.168.1.1", 
    domain:"dom.local"
    pid: 1234
});

---

arch

Returns the architecture of agent session (e.g., x86 or x64)

string ax.arch(string id);

• id - agent ID

Example

ax.arch("47ca27cf");

---

bof_pack

Pack arguments in a way that's suitable for BOF APIs to unpack. To transmit binary data to the server, the function will encode it in base64.

string ax.bof_pack(string types, any[] args);

• types - a set of comma separated string types for BOF's arguments

• args - array of BOF's arguments

Type	Description	Unpack With (C)
bytes	binary data	BeaconDataExtract
int	4-byte integer	BeaconDataInt
short	2-byte short integer	BeaconDataShort
cstr	zero-terminated+encoded string	BeaconDataExtract
wstr	zero-terminated wide-char string	(wchar_t *)BeaconDataExtract

Example

ax.bof_pack("bytes,int,short,cstr,wstr", ["bytes_str", 123, 12, "c_string", "w_string"]);

---

copy_to_clipboard

Copy text to client's clipboard.

void ax.copy_to_clipboard(string text);

Example

ax.copy_to_clipboard("stored data");

---

console_message

Print an output message and text to the agent console.

void ax.console_message(string id, string message, string type = "", string text = "");

• id - agent ID

• message - brief message

• type - message type ("info", "success", or "error")

• text - text output

Example

ax.console_message("47ca27cf", "Info message\n", "info", "This is\nmulti line\ntext");
ax.console_message("47ca27cf", "Error message\n", "error");

---

convert_to_code

Convert base64 binary data to code format.

void ax.convert_to_code(string language, string base64data, string varName = "shellcode");

• languaage - programming language ("c", "csharp", "python", "golang", "vbs", "nim", "rust", "powershell")

• base64data - base64 data for converting

• varName - var's name in code

Example

ax.convert_to_code("rust", "dGVzdCBtZXNzYWdlCg==", "shellcode");

---

credentials

See here

---

credentials_add

Save the specified credentials in Credentials Manager

void ax.credentials_add(string username, string password, string realm = "", string type = "password", string tag = "", string storage = "manual", string host = "");

• username - creds username

• password - creds secret

• realm - creds domain/realm

• type - creds type (possible "password", "hash", "rc4", "aes128", "aes256", "token")

• tag - creds tag

• storage - creds container (possible "browser", "dpapi", "database", "sam", "lsass", "ntds", "manual")

• host - the host where the credentials were stored

Example

ax.credentials_add("user", "P@ssw0rd", "dom.local", "password", "", "dpapi", `SERVER12`);

---

credentials_add_list

Save a list of creds in the Credentials Manager

void ax.credentials_add_list(cred[] array);

// cred STRUCT
string cred.username
string cred.password
string cred.realm
string cred.type
string cred.tag
string cred.storage
string cred.host

Example

var obj = {};
obj.username = "user";
obj.password = "!Q@W3e4r";
obj.realm = "domain";
obj.type = "password";
obj.host = "DB";

var arr = [];
arr.push(obj);

ax.credentials_add_list(arr);

---

create_command

See here

---

create_commands_group

See here

---

decode_data

Return decoded base64 data from algorithm ("hex", "base64", "base32", "zip" or "xor") in base64.

string ax.decode_data(string algorithm, string base64data, string key ="");

• algorithm - "hex", "base64", "base32", "zip" or "xor".

• base64data - data in base64

• key - encrypt key (for xor)

Example

ax.decode_data("xor", "GAAaQ1dH", "key123");

---

decode_file

Return decoded base64 data from algorithm ("hex", "base64", "base32", "zip" or "xor") in base64.

string ax.decode_file(string algorithm, string filepath, string key ="");

• algorithm - "hex", "base64", "base32", "zip" or "xor".

• filepath - file with data in base64

• key - encrypt key (for xor)

Example

ax.decode_data("xor", "/tmp/encfile.txt", "key123");

---

encode_data

Return encoded data ("hex", "base64", "base32", "zip" or "xor") in base64.

string ax.encode_data(string algorithm, string data, string key ="");

• algorithm - "hex", "base64", "base32", "zip" or "xor".

• data - data for encoding

• key - encrypt key (for xor)

Example

ax.encode_data("xor", "secret", "key123");

---

encode_file

Return encoded data ("hex", "base64", "base32", "zip" or "xor") in base64.

string ax.encode_data(string algorithm, string filepath, string key ="");

• algorithm - "hex", "base64", "base32", "zip" or "xor".

• filepath - file with data in base64

• key - encrypt key (for xor)

Example

ax.encode_data("xor", "/tmp/encfile.txt", "key123");

---

execute_alias

See here

---

execute_browser

See here

---

execute_command

See here

---

file_basename

Returns the filename

string ax.file_basename(string path);

• path - full filename

Example

ax.file_basename("/tmp/test.txt");

---

file_dirname

Returns the base directory name

string ax.file_dirname(string path);

• path - full filename

Example

ax.file_dirname("/tmp/test.txt");

---

file_exists

Checks if a file exists

bool ax.file_exists(string path);

• path - full filename

Example

ax.file_exists("/tmp/test.txt");

---

file_extension

Checks if a file exists

string ax.file_extension(string path);

• path - full filename

Example

ax.file_extension("/tmp/test.txt");

---

file_read

Reads a file and returns base64 encoded contents

string ax.file_read(string path);

• path - full filename

Example

ax.file_read("/tmp/test.txt");

---

file_size

Return the file size

int ax.file_size(string path);

• path - full filename

Example

ax.file_size("/tmp/file.txt");

---

file_write_text

Writes text data to a file and returns true if the write is successful.

bool ax.file_write_text(string path, string text);

• path - full filename

• text - text data

Example

ax.file_write_text("/tmp/test.txt", "this is text");

---

file_write_binary

Writes base64 data to a file and returns true if the write is successful.

bool ax.file_write_binary(string path, string b64text);

• path - full filename

• b64text - base64 data

Example

ax.file_write_binary("/tmp/file2.txt", "dGVzdCBtZXNzYWdlCg==");

---

format_time

Convert UNIX Epoch Time to date/time string value.

string ax.format_time(string format, int unixtime);

• format - datetime format (e.g. "dd/MM/yyyy hh:mm:ss")

• unixtime - UNIX Epoch Time value

Example

ax.format_time("dd/MM hh:mm", ax.ticks());

---

format_size

Converts bytes into a convenient format

string ax.format_size(int bytes);

Example

---

get_commands

Returns a list of available commands for the agent.

string[] get_commands(string id);

• id - agent ID

Example

---

get_project

Returns the name of the current project.

string get_project();

---

hash

Returns a hash string in hex format.

string ax.hash(string algorithm, int length, string data)

• algorithm - hash "sha1" or "md5";

• length - length of the returned string

• data - data to be hashed

Example

ax.hash("sha1", 8, "data-for-hash");
ax.hash("md5", 32, "data-for-hash");

---

interfaces

Returns a list of network interfaces of the teamserver

string[] ax.interfaces()

Example

ax.interfaces()

---

ids

Returns a list of agent ids

string[] ax.ids()

Example

---

is64

Check if a session is on an x64 system or not

bool ax.is64(string id);

• id - agent ID

Example

ax.is64("47ca27cf");

---

isactive

Returns true if the agent is active

bool ax.isactive(string id);

id - agent ID

Example

---

isadmin

Check if a session has admin rights

bool ax.isadmin(string id);

• id - agent ID

Example

ax.isadmin("47ca27cf");

---

log / log_error

Print text to AxScript Console.

void ax.log(string text);
void ax.log_error(string text);

Example

ax.log("log");
ax.log_error("log");

---

open_agent_console

Open the console to interact with a agent

void ax.open_agent_console(string id);

• id - agent ID

---

open_access_tunnel

Open the tunnel creation dialog window

void ax.open_access_tunnel(string id, bool socks4, bool socks5, bool lportfwd, bool rportfwd);

• id - agent ID

• socks4 - is agent support socks4

• socks5 - is agent support socks5

• lportfwd - is agent support local port forwarding

• rportfwd - is agent support reverse port forwarding

Example

ax.open_access_tunnel("47ca27cf", true, true, false, false);

---

open_browser_files

Open the File Browser for a agent

void ax.open_browser_files(string id);

• id - agent ID

---

open_browser_process

Open the Process Browser for a agent

void ax.open_browser_process(string id);

• id - agent ID

---

open_remote_terminal

Open the Interactive Terminal for a agent

void ax.open_remote_terminal(string id);

• id - agent ID

---

open_remote_shell

Open the I/O remote shell for a agent

void ax.open_remote_shell(string id);

• id - agent ID

---

prompt_confirm

Show a confirm dialog.

string prompt_confirm(string caption, string text);

• caption - title of the dialog

• text - Text question

Example

ax.prompt_confirm(" ", "Exit main windows?");

---

prompt_open_file

Show a file open dialog.

string prompt_open_file(string caption = "Select file", string filter = "");

• caption - title of the dialog

• filter - filter for selecting files

Example

ax.prompt_open_file("Select AxScript", "AxScript Files (*.axs)");

---

prompt_open_dir

Show a directory open dialog.

string prompt_open_dir(string caption = "Select directory");

• caption - title of the dialog

Example

ax.prompt_open_dir("Open directory");

---

prompt_save_file

Show a file save dialog.

string prompt_save_file(string filename, string caption = "Select file", string filter = "");

• filename - default filename

• caption - title of the dialog

• filter - filter for selecting files

Example

ax.prompt_save_file("/tmp/creds.txt", "Save file");

---

random_string

Generates a random string of length len from a set of characters set.

string random_string(int len, string set);

• set - set of characters (alphanumeric, alphabetic, numeric or hex)

Example

ax.random_string(10, "hex")
ax.random_string(36, "alphanumeric")

---

random_int

Generates a random int value.

int random_int(int min, int max);

• min - min value

• max - max value

Example

ax.random_int(2, 1024)

---

register_commands_group

See here

---

script_import

Import AxScript script into current script's env.

string script_import(string path);

• path - path to script file

---

script_load

Load a new script to AxScript Manager

string script_load(string path);

• path - path to script file

---

script_unload

Unload a script from the AxScript Manager

string script_unload(string path);

• path - path to script file

---

script_dir

Returns the directory where the script is located.

string script_dir();

---

show_message

Shows a message to the user in a dialog box. Use this function to relay information.

void show_message(string title, string text);

• title - title of the dialog

• text - the message text

Example

ax.show_message("Info", "This is text");

---

targets_add

Save the specified target in Targets Manager

void ax.targets_add(string computer, string domain, string address, string os = "unknown", string osDesc = "", string tag = "", string info = "", bool alive = true);

• computer - computer name

• domain - domain name

• address - IP address

• os - OS type (possible "windows", "linux", "macos")

• osDesc - detailed information about OS

• tag - tag

• info - info

• alive - true if the host is alive

Example

ax.targets_add("DC", "dom.local", "dom.local", "192.168.1.10", "windows");

---

targets_add_list

Save a list of targets in the Targets Manager

void ax.targets_add_list(target[] array);

// target STRUCT
string target.computer
string target.domain
string target.address
string target.tag
string target.info
string target.os_desc
string target.os            ["windows", "linux", "macos"]
bool   target.alive

Example

var obj = {};
obj.computer = "DC";
obj.domain = "DOM.LOCAL";
obj.os_desc = "Windows Server 2019";
obj.os = "windows";
obj.alive = true;
obj.tag = "";
obj.info = "from axscript";

var arr = [];
arr.push(obj);

ax.targets_add_list(arr);

---

ticks

UNIX Epoch Time value

int ticks();

---

validate_command

Checks the validity of the entered command and returns full information

cmd_info ax.validate_command(string id, string command);

• id - agent ID

• command - agents command

// cmd_info STRUCT
bool   info["valid"]
string info["message"]
bool   info["is_pre_hook"]
bool   info["has_output"]
bool   info["has_post_hook"]
map{}  info["parsed"]

Example

let cmd = ax.validate_command("551757de", "socks start 1080");
cmd.valid

let cmd = ax.validate_command("551757de", "socks start");
cmd.message

---