03d283cf49
This commit renames the Apollo payload type to Ares, moving all associated files and updating documentation accordingly. The change includes: - Renaming directories from `apollo` to `ares` - Updating documentation image references - Maintaining the same code functionality while changing the payload name - Adding new Ares-specific documentation files - Removing old Apollo documentation files The rename is done to reflect the new payload name while preserving all existing functionality.
1.4 KiB
+++ title = "execute_coff" chapter = false weight = 103 hidden = false +++
Summary
Execute a Beacon Object File (BOF) with the specified arguments. This object file must first be cached in the agent using the register_coff command before being executed.
The RunOF.dll ia now automatically obtained from mythic if Apollo does not have it loaded in its file store already.
Arguments
Object File
The name of the object file to execute. This must match the file name used with register_file or register_coff.
Function
Function of the object file to call, usually 'go'.
TimeOut
Maximum time (in seconds) that the object file should run.
Arguments (optional)
Arguments to pass to the function, using the following format:
-s:123 or int16:123 -i:123 or int32:123 -z:hello or string:hello -Z:hello or wchar:hello -b:abc== or base64:abc==
Usage
execute_coff -Coff [coff_name] -Function [go] -Timeout [30] [-Arguments [arguments]]
Example
execute_coff -Coff dir.x64.o -Function go -Timeout 30 -Arguments wchar:C:\\
MITRE ATT&CK Mapping
- T1027
Detailed Summary
The execute_coff command uses a Object File loader to execute object files within a new thread and returning output back to the agent using the implementation of Beacon functions.