139 Ready-to-Use Modules
Every tool you need for authorised security audits — in one framework, browser-operated, no thick client required.
C2 — Command & Control (10 modules): Agent-server connection management, health monitoring and core control.
Agent health check — version, sessions, loaded modules, background jobs
Gracefully stops the agent and disconnects from C2
Lists all modules with metadata; filterable by category or name
Shows all active background job (runspace) statuses
Terminates a specific background job by ID
Emergency cleanup: temp files, background jobs, disconnect
P2P agent relay over Named Pipe for internet-less internal agents
Downloads and reloads changed modules from server (SHA-256 diff)
Restarts agent in a fresh PS session, auto-reconnects to C2
Exfiltrates data via ICMP echo request payloads where TCP/UDP is blocked
Collection (14 modules): File collection, screenshots, keylogging and communication content harvesting.
Collects files by pattern into an in-memory ZIP archive (max 1 GB)
Downloads multiple files matching glob patterns at once
Retrieves current Windows clipboard — no disk or event log trace
Collects browsing history, bookmarks and URLs from all installed browsers
In-memory keylogger using Win32 input API; no disk writes
Reads emails and attachments from Outlook COM or .ost/.pst files
Finds and reads NTFS Alternate Data Streams (hidden files/metadata)
Reads locked/protected files (SAM, NTDS.dit) via VSS shadow copies
Extracts messages, files and auth tokens from Teams LevelDB cache
Streams a file or full directory to the C2 server with gzip+HTTP/2
Exfiltrates data in DNS TXT record queries (base64 chunks)
Full browser loot: passwords, cookies, history, autofill, cards, extensions
Takes PNG screenshot of all monitors and downloads to C2
Uploads a file from C2 server inbox to the agent target path
Credentials (20 modules): Extract usernames, passwords, tokens and cryptographic keys from every available source.
Fake update popup (Windows/Adobe/Chrome) captures admin creds via social engineering
Reads Chrome session cookies directly from process memory via ReadProcessMemory
AS-REP Roasting: finds accounts without Kerberos pre-auth, extracts crackable hashes
Harvests Azure AD/M365 OAuth tokens from az cli, PS Az, Teams, WAM, .NET user-secrets
Saved logins from all major browsers — DPAPI + AES-GCM v10/v20 decryption
Full Windows certificate store audit; exports certs with private keys (PFX)
Unified cloud credential harvester: AWS, Azure, GCP, Terraform, Docker, K8s, GitHub CLI
Finds code signing and EV/driver certificates with exportable private keys
Decrypts DPAPI-protected blobs for Chrome, Edge, IE, RDP Manager, Credential Store
Extracts IIS app pool identities and web.config secrets (connection strings, API keys)
Finds KeePass databases; memory-scans running KeePass for master key material
Requests TGS tickets for SPN accounts; exports hashcat-compatible $krb5tgs$ hashes
Extracts LSA secrets: service account passwords, DefaultPassword, NL$KM, DPAPI_SYSTEM
Creates LSASS memory dump via MiniDumpWriteDump or PssCaptureSnapshot
Extracts NTDS.dit from DC via VSS or ntdsutil for full domain hash dump
Collects SSH private keys, PuTTY sessions, WinSCP and FileZilla credentials
Enumerates and extracts all Windows Credential Manager (Vault) entries
Extracts Veeam Backup target credentials from SQL Express (DPAPI-decrypted)
Extracts WPA2-PSK passwords for all saved WiFi profiles in plaintext
Simplified WiFi credential harvester runnable without admin rights
Discovery (26 modules): System, network, domain and security configuration reconnaissance.
Full AD enumeration via LDAP: users, groups, computers, DCs, GPOs, OUs
ADCS audit: finds all CAs, certificate templates and ESC1–ESC4 vulnerabilities
Finds all Kerberos delegation accounts: unconstrained, constrained, RBCD
Finds and decrypts GPP cpassword entries in SYSVOL (MS14-025)
AppLocker policy audit: enforced rules, bypass paths, WDAC/HVCI status
Lists all drives with type, free/total space and volume label
Lists all environment variables; finds API keys, tokens, proxy settings
Queries Windows Security/System/Application event logs; filterable by event ID
Enumerates GPOs and highlights security-relevant settings: scripts, drive maps
Comprehensive system info: OS, hardware, network, user, AV, patch level
Lists installed software from registry (name, version, publisher, date)
Checks for LAPS deployment; reads ms-Mcs-AdmPwd if read access is granted
Lists installed hotfixes and KB numbers; identifies missing security patches
Lists and modifies file/folder ACLs (DACL ACEs); takeown and grant ops
IP-based geolocation + Windows Location API for physical location estimation
Lists all running processes with PID, user, memory and command line
Shows RDP config: enabled, NLA, port, active sessions, Remote Desktop Users
Lists all scheduled tasks with status, trigger, command and run-as account
Quick security recon: AV/EDR, firewall, UAC level, Defender exclusions, quick wins
Lists all Windows services with status, startup type and run-as account
Enumerates active logged-in users via qwinsta and NetWkstaUserEnum WMI
LDAP SPN scan: finds user/computer accounts for Kerberoast and delegation abuse
Lists all auto-start entries: Run keys, Startup folders, WMI subscriptions, logon scripts
Shows current process token: SIDs, groups, privileges, integrity level
Lists local user accounts (last logon, password expiry) and group memberships
Current user context: SID, UPN, domain membership, Kerberos tickets, integrity level
Domain (1 module): Domain controller-specific, high-value domain-level attack modules.
Checks DCSync rights (DS-Replication-Get-Changes); lists all principals with replication permission
Evasion (11 modules): Detection avoidance, forensic trace minimization and security tool neutralization.
Clears forensic traces: PSReadLine, event log entries (4688/4103/4104), temp files, prefetch
Checks Windows Defender and all AV/EDR status; lists exclusions
Patches AmsiScanBuffer in current PS session memory to disable AMSI
Patches EtwEventWrite in ntdll.dll to suppress ETW telemetry from process
Spawns a new process with spoofed PPID via UpdateProcThreadAttribute
Detects sandbox environments: CPUID, VM artifacts, process count, user interaction
Disables PS Script Block Logging (Event 4104) via in-memory automation cache patch
XOR-encrypts agent memory during C2 sleep intervals to evade memory IOC scanners
Modifies NTFS timestamps to match a legitimate file or a set/random date
Detects VM environments: CPUID hypervisor bit, SMBIOS data, VM drivers
Evasion status dashboard: AMSI patch, ETW block, Script Block Logging state
Execution (10 modules): Run commands, .NET assemblies, BOFs and shellcode locally and on remote machines.
Reflective .NET assembly loading and execution in memory via Assembly.Load()
Executes COFF x64 BOF files in memory with CS-compatible BeaconOutput API
Executes arbitrary PowerShell commands and returns output to C2
DCOM lateral movement via MMC20.Application, ShellBrowserWindow or ShellWindows
PSExec-style lateral movement: creates temp Windows service on target via SMB
Remote scheduled task creation for lateral movement; task deleted after execution
Fileless SMB service command chaining; no PE written to disk
WinRM/PS Remoting lateral movement via Invoke-Command
Injects shellcode into target process memory or fully migrates the agent
Spawns a detached hidden PowerShell process; fire-and-forget execution
Impact (1 module): Business impact demonstration for authorized security audits.
Ransomware simulation (dry-run/live) with reversible RSA+AES hybrid encryption; tiers: full/large/smart
Navigation (7 modules): File system browsing and navigation on the target machine.
Changes the agent's current working directory
Lists directory contents with size, date, attributes and hidden files
Discovers mapped network drives, SMB mappings and UNC paths
Prints the agent's current working directory
Lists recently accessed files from Recent folder, MRU registry and Jump Lists
Recursive file search by name pattern or extension; --content for grep-style search
Displays directory tree with optional depth limit and size totals
Network (17 modules): Network communication, lateral movement infrastructure and pivot tunneling.
Shows ARP table (IP-MAC pairs); --scan for active ARP scan of subnet
DNS server config, local cache contents, name resolution test and cache flush
DNS C2 channel: polls commands via TXT queries, exfiltrates via A record queries
Shows Windows Firewall profiles, all rules and open/blocked port summary
Detailed network interface config: IP, MAC, gateway, DNS, DHCP, type
RDP management: enable/disable, firewall rule, backdoor user, Restricted Admin, NLA
WinRM full toolkit: check, test, remote exec with alt credentials, /24 subnet scan
Lists active TCP/UDP connections and listening ports with process name
ICMP or TCP SYN subnet sweep; --tcp 445 for SMB-reachable targets
Port forwarding through agent to internal targets not reachable from C2
Fast TCP port scan; supports port list, top 20 or top 100 common ports
Pure-PS Responder: LLMNR/NBT-NS/mDNS poisoning to capture NTLMv2 hashes
Shows Windows routing table (IPv4/IPv6): destination, gateway, interface, metric
SMB Named Pipe C2 relay for agents in internet-isolated segments
Lists SMB shares on local or remote host; --access tests actual read access
Starts SOCKS5 proxy on target for proxychains/Burp/Metasploit tunneling
Remote command execution via WMI Win32_Process.Create (no SMB service creation)
Persistence (4 modules): Ensure the agent survives reboots using multiple complementary techniques.
Smart persistence manager: Run key, Startup folder, scheduled task (user); service + WMI (admin)
Registers LSA SSP DLL that loads into LSASS on every boot and intercepts cleartext creds
Creates auto-start Windows service (SYSTEM); supports service binary path hijacking
WMI event subscription persistence (startup/time/process/logon); undetectable by disk scans
Privilege Escalation (18 modules): Obtain local administrator rights and manipulate process tokens.
UAC bypass via fodhelper.exe autoelevate (HKCU ms-settings shell hijack)
UAC bypass via cmstp.exe autoelevate binary (INF file execution)
Spawns process with spoofed parent PID via UpdateProcThreadAttribute API
PrivEsc scanner: UAC bypass applicability, vulnerable services, token privs, AlwaysInstallElevated
Exploits AlwaysInstallElevated to run commands as SYSTEM via MSI installer
Exploits SeBackupPrivilege to read any file without DACL check (SAM, NTDS.dit)
Migrates agent to another process via token steal or PPID-spoofed PS spawn
Named pipe impersonation: waits for privileged process to connect, steals its token
Potato-style SYSTEM token via SeImpersonatePrivilege + Named Pipe impersonation
Exploits SeRestorePrivilege to write any file without DACL check (service DLL swap)
Copies SAM/SYSTEM/SECURITY hives via reg.exe save for offline NTLM hash extraction
Service misconfiguration scanner: unquoted paths, writable binaries, weak registry ACLs
Lists process tokens; steals selected PID token to spawn commands in that context
Thread-level token impersonation from privileged processes; --user SYSTEM targeting
UAC bypass via computerdefaults.exe (ms-settings shell hijack, Win10/11)
UAC bypass via eventvwr.exe MSC file hijack (Win7–10 classic technique)
UAC bypass via sdclt.exe IsolatedCommand registry value (Win10)
UAC bypass via wsreset.exe (AppX shell command hijack, Win10 1803+/Win11)