Beacon Commands
Stentor provides 120+ beacon commands organized into 7 categories. Commands are executed via the operator console (cockpit shell) or programmatically via the REST API. Every command follows the same execution flow: operator input is parsed by the backend, translated into a task, queued for the beacon, forwarded through the relay, and executed on the target.
Command Flow
```mermaid
sequenceDiagram
    participant Op as Operator
    participant BE as Backend
    participant TQ as Task Queue
    participant RL as Relay
    participant BC as Beacon
    participant Mod as Module
    Op->>BE: Shell command or API call
    BE->>TQ: Parse & enqueue task
    Note over TQ: Task waits for<br>beacon poll
    BC->>RL: Check-in (poll for tasks)
    RL->>TQ: Fetch pending tasks
    TQ-->>RL: Return task(s)
    RL-->>BC: Deliver task(s)
    BC->>Mod: Execute module
    Mod-->>BC: Return result
    BC->>RL: Submit result on next check-in
    RL->>BE: Forward result
    BE-->>Op: Display in console / API response
```

Commands are asynchronous -- the operator receives a task ID immediately, and results arrive when the beacon checks in next. Use `checkin` to force an immediate poll cycle.
Sections
| Section | Commands | Description |
|---|---|---|
| File Operations | 12 | Upload, download, list, copy, move, delete, and read files on the target filesystem |
| Process Management | 15+ | List, spawn, inject, kill, and manipulate processes and tokens |
| Network | 8 | Port scanning, SOCKS proxy, port forwarding, pivoting, and covert VPN |
| Evasion | 15+ | Sleep masking, PPID spoofing, blockdlls, syscall methods, and BeaconGate |
| Clipboard | 3 | One-shot clipboard read and continuous clipboard change monitoring |
| Token Store | 10+ | Persistent token management, steal/store/switch/remove across identities |
| LDAP Browser | 3 | Execute LDAP queries through beacons with pre-built AD reconnaissance templates |
| BOF Execution | 5 | Upload, manage, and execute Beacon Object Files with typed argument packing |
| Session Management | 15 | Spawn sessions, P2P linking, beacon configuration, and exit strategies |
| Beacon Grouping | -- | Create named groups, assign beacons, save filter presets, execute group-wide batch operations |
Quick Reference
The most commonly used commands across all categories. For full syntax and examples, see each section page.
File Operations
| Command | Syntax | Description |
|---|---|---|
| `shell` | `shell <command>` | Execute a command via cmd.exe /c |
| `upload` | `upload <local_path> [remote_path]` | Upload a file to the target |
| `download` | `download <remote_path>` | Download a file from the target |
| `ls` | `ls [path]` | List directory contents |
| `rm` | `rm <path>` | Delete a file |
| `cp` | `cp <src> <dst>` | Copy a file |
| `mv` | `mv <src> <dst>` | Move/rename a file |
| `mkdir` | `mkdir <path>` | Create a directory |
| `drives` | `drives` | List available drives |
Process Management
| Command | Syntax | Description |
|---|---|---|
| `ps` | `ps` | List running processes |
| `execute-assembly` | `execute-assembly <path> [args]` | Execute a .NET assembly in-memory |
| `shinject` | `shinject <pid> <arch> <shellcode_path>` | Inject raw shellcode into a process |
| `dllinject` | `dllinject <pid> <dll_path>` | Inject a DLL into a process via reflective loading |
| `shspawn` | `shspawn <arch> <shellcode_path>` | Spawn sacrificial process and inject shellcode |
| `getsystem` | `getsystem [technique]` | Elevate to SYSTEM via named pipe impersonation |
| `elevate` | `elevate <technique> <listener>` | UAC bypass to spawn elevated beacon |
| `getprivs` | `getprivs` | List current process privileges |
| `runas` | `runas <DOMAIN\user> <password> <command>` | Run a command as another user |
Network
| Command | Syntax | Description |
|---|---|---|
| `socks` | `socks <port>` | Start a SOCKS4a/5 proxy |
| `rportfwd` | `rportfwd <bind_port> <fwd_host> <fwd_port>` | Reverse port forward |
| `rportfwd_local` | `rportfwd_local <bind_port> <fwd_host> <fwd_port>` | Reverse port forward (local relay) |
| `covertvpn` | `covertvpn <interface> <ip/mask>` | Create a covert VPN tunnel |
| `browserpivot` | `browserpivot <pid> <arch>` | Browser pivot via proxy injection |
| `portscan` | `portscan <targets> <ports> <method>` | Scan ports on target hosts |
Evasion
| Command | Syntax | Description |
|---|---|---|
| `sleep` | `sleep <seconds> [jitter%]` | Set beacon callback interval |
| `mode` | `mode <dns\|dns6\|dns-txt>` | Switch DNS data channel mode |
| `spawnto` | `spawnto <x86\|x64> <path>` | Set sacrificial process for post-ex |
| `blockdlls` | `blockdlls <start\|stop>` | Block non-Microsoft DLLs in child processes |
| `ppid` | `ppid <pid>` | Set parent PID for spoofing |
Session Management
| Command | Syntax | Description |
|---|---|---|
| `spawn` | `spawn [x86\|x64] <listener>` | Spawn a new beacon session |
| `spawnas` | `spawnas <DOMAIN\user> <password> <listener>` | Spawn beacon as another user |
| `inject` | `inject <pid> <x86\|x64> <listener>` | Inject beacon into existing process |
| `link` | `link <host> [pipe_name]` | Link to SMB named pipe beacon |
| `connect` | `connect <host> <port>` | Connect to TCP bind beacon |
| `unlink` | `unlink <child_beacon_id>` | Disconnect a linked child beacon |
| `note` | `note <text>` | Add a label to the beacon session |
| `exit` | `exit` | Terminate the beacon process |
API Usage
All beacon commands can be invoked programmatically via the REST API:
Request body:
The confirmed field acknowledges potentially destructive commands (e.g., exit, clear, process injection). The API returns a task ID immediately; poll for results via WebSocket or the task results endpoint.
Example:
```bash
curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "ps", "confirmed": true}'
```
For dedicated REST endpoints (sleep, exit, evasion toggles), see the individual command pages and the API Reference section.