Artifacts Generated: Process Create, Process Inject, Process Kill
Summary
Execute a .NET Framework assembly with the specified arguments. This assembly must first be cached in the agent using the register_assembly command before being executed.
Arguments
Assembly
The name of the assembly to execute. This must match the file name used with register_file.
Arguments (optional)
Arguments to pass to the assembly.
Usage
MITRE ATT&CK Mapping
- T1547
Detailed Summary
The execute_assembly command uses a .NET Common Language Runtime loader to execute assemblies within a sacrificial process and return output to the agent over a named pipe. The loader is injected into a sacrificial process (specified by the spawnto_* commands), and the assembly's bytes are passed over a named pipe and loaded reflectively using System.Reflection.Assembly.Load. The assembly is then invoked with any supplied arguments while data is streamed over the named pipe.
This creates a new artifact relating to the sacrificial process spawned, which can be viewed in the artifacts page.
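For defenders, the sequence described above (process create, injection, named pipe, CLR load, process kill) can be correlated per process. The following is an added example, not part of the original documentation or the agent's code. It assumes Sysmon-style event IDs, simplified record fields, CreateRemoteThread (event 8) as the injection signal since the page does not name the injection method, and a 120-second lifetime threshold; the sample events are constructed.

```python
from collections import defaultdict

# Sysmon event IDs: 1 ProcessCreate, 5 ProcessTerminate, 7 ImageLoad,
# 8 CreateRemoteThread, 17 PipeCreated, 18 PipeConnected.
# "guid" is the process the event concerns (the target, for event 8).
CLR_DLLS = ("\\clr.dll", "\\clrjit.dll", "\\mscoree.dll")
REQUIRED = {1, 5, 7, 8, 17}

# Constructed sample records with simplified fields, not real telemetry.
NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
SAMPLE_EVENTS = [
    # A: created, injected, pipe, CLR load, killed within seconds.
    {"id": 1, "t": 100, "guid": "A"},
    {"id": 8, "t": 101, "guid": "A"},
    {"id": 17, "t": 101, "guid": "A"},
    {"id": 7, "t": 102, "guid": "A", "loaded": NET + "clr.dll"},
    {"id": 5, "t": 110, "guid": "A"},
    # B: ordinary .NET program; loads the CLR but is never injected into.
    {"id": 1, "t": 200, "guid": "B"},
    {"id": 7, "t": 201, "guid": "B", "loaded": NET + "clr.dll"},
    {"id": 18, "t": 202, "guid": "B"},
    {"id": 5, "t": 260, "guid": "B"},
    # C: injected and piped, but never loads the CLR.
    {"id": 1, "t": 300, "guid": "C"},
    {"id": 8, "t": 301, "guid": "C"},
    {"id": 18, "t": 301, "guid": "C"},
    {"id": 7, "t": 302, "guid": "C", "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"id": 5, "t": 305, "guid": "C"},
]


def find_sacrificial_clr_hosts(events, max_lifetime=120):
    """Return GUIDs of short-lived processes that were injected into,
    used a named pipe, and loaded the CLR, in that causal order."""
    first = defaultdict(dict)  # guid -> {event kind: first timestamp}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 7 and not ev["loaded"].lower().endswith(CLR_DLLS):
            continue  # only CLR image loads are interesting
        kind = 17 if ev["id"] == 18 else ev["id"]  # either pipe event counts
        first[ev["guid"]].setdefault(kind, ev["t"])
    hits = []
    for guid, s in first.items():
        if not REQUIRED.issubset(s):
            continue
        ordered = s[1] <= s[8] <= s[7] <= s[5] and s[1] <= s[17] <= s[5]
        if ordered and s[5] - s[1] <= max_lifetime:
            hits.append(guid)
    return hits
```

Tune max_lifetime and add an allow-list of known CLR hosts before using this kind of correlation on production telemetry.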