This commit renames the Apollo payload type to Ares, moving all associated files and updating documentation accordingly. The change includes:

- Renaming directories from `apollo` to `ares`
- Updating documentation image references
- Maintaining the same code functionality while changing the payload name
- Adding new Ares-specific documentation files
- Removing old Apollo documentation files

The rename is done to reflect the new payload name while preserving all existing functionality.
+++
title = "execute_assembly"
chapter = false
weight = 103
hidden = false
+++
{{% notice info %}} Artifacts Generated: Process Create, Process Inject, Process Kill {{% /notice %}}
## Summary

Execute a .NET Framework assembly with the specified arguments. This assembly must first be cached in the agent using the register_assembly command before being executed.

### Arguments

#### Assembly

The name of the assembly to execute. This must match the file name used with register_file.

#### Arguments (optional)

Arguments to pass to the assembly.

## Usage

```
execute_assembly -Assembly [assembly_name] -Arguments [arguments]
execute_assembly [assembly_name] [arguments]
```

### Example

```
execute_assembly SeatBelt.exe --groups=all
```

## MITRE ATT&CK Mapping

- T1547

## Detailed Summary
The execute_assembly command uses a .NET Common Language Runtime (CLR) loader to execute assemblies inside a sacrificial process and return their output to the agent over a named pipe. The loader is injected into the sacrificial process (specified by the spawnto_* commands); the agent then sends the assembly's bytes over a named pipe, and the loader loads them reflectively with System.Reflection.Assembly.Load. The loaded assembly is invoked with any supplied arguments while its output is streamed back to the agent over the named pipe.

Each execution creates a new artifact for the sacrificial process that was spawned, which can be viewed on the Artifacts page.
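The artifacts this command generates (process create, process inject, process kill, plus the named pipe used for I/O) form a chain a defender can correlate in endpoint telemetry. The following is an added example, not part of the Apollo/Ares documentation or code: it correlates constructed Sysmon-style records (event IDs 1, 8, 17 and 5) and assumes the injected loader in the sacrificial process is the side that opens the pipe.

```python
# Added example (not from the Apollo/Ares project): correlate the artifact chain the
# execute_assembly documentation lists -- a sacrificial process that is spawned,
# injected into by its parent, opens a named pipe, and is then killed.
from collections import defaultdict

# Constructed sample events. Field names follow Sysmon's; PIDs, images and the pipe
# name are made up. EventID 1 = process create, 8 = CreateRemoteThread,
# 17 = pipe created, 5 = process terminated.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3008, "Image": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 8, "SourceProcessId": 3008, "TargetProcessId": 4120},
    {"EventID": 17, "ProcessId": 4120, "PipeName": r"\pipe-1234"},
    {"EventID": 5, "ProcessId": 4120},
    # A process the same parent spawned and that exited without injection: not a hit.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 3008, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "ProcessId": 5000},
]


def find_sacrificial_process_chains(events):
    """Return one record per PID that was spawned, injected into by its own parent,
    created a named pipe (assumed to be the loader's I/O channel), and then exited."""
    spawned = {}                # child pid -> (parent pid, image)
    injected_by = {}            # target pid -> source pid of the remote thread
    pipes = defaultdict(list)   # pid -> pipe names it created
    terminated = set()
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            spawned[ev["ProcessId"]] = (ev["ParentProcessId"], ev["Image"])
        elif eid == 8:
            injected_by[ev["TargetProcessId"]] = ev["SourceProcessId"]
        elif eid == 17:
            pipes[ev["ProcessId"]].append(ev["PipeName"])
        elif eid == 5:
            terminated.add(ev["ProcessId"])
    hits = []
    for pid, (ppid, image) in spawned.items():
        # Full chain: the parent injects into the child it spawned, the child opens
        # a pipe, and the child is torn down afterwards.
        if injected_by.get(pid) == ppid and pipes[pid] and pid in terminated:
            hits.append({"pid": pid, "parent": ppid, "image": image, "pipes": pipes[pid]})
    return hits


if __name__ == "__main__":
    for hit in find_sacrificial_process_chains(SAMPLE_EVENTS):
        print("possible sacrificial-process assembly execution:", hit)
```

Requiring all four events keeps the match narrow; dropping the pipe condition broadens it to any spawn-inject-kill sequence at the cost of more noise.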
