Artifacts Generated: Process Create, Process Inject, Process Kill

Summary

Execute a statically compiled PE file (e.g., compiled with /MT) with the specified arguments. This PE must first be cached in the agent using the register_file command before being executed.
Executables must be compiled for the architecture of the machine. For example, if Apollo is running on a 64-bit machine, compile the executable for x64.
This is based on the work put forward by Nettitude’s RunPE project with modifications.

Arguments

PE

The name of the assembly to execute. This must match the file name used with register_file.

Arguments (optional)

Arguments to pass to the assembly.

Usage

execute_pe -PE [pe_name] -Arguments [arguments]
execute_pe [pe_name] [arguments]

Example

execute_pe -PE SpoolSample.exe -Arguments "127.0.0.1 127.0.0.1"
execute_pe SpoolSample.exe 127.0.0.1 127.0.0.1

MITRE ATT&CK Mapping

  • T1547
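
For detection, the three artifacts this page lists (Process Create, Process Inject, Process Kill) can be correlated per target process. The sketch below is an added example, not code from Apollo or Mythic: the event records and field names are constructed and simplified, and it assumes that all three artifacts concern one child process of the same actor and that a 300-second lifetime window is a reasonable default.

```python
# Constructed, simplified telemetry (not a real Sysmon or EDR schema).
# kind: create | inject | kill; actor_pid: process that performed the action.
SAMPLE_EVENTS = [
    # One actor creates a child, injects into it, then kills it.
    {"ts": 100.0, "kind": "create", "pid": 4120, "actor_pid": 3300, "image": "sample_host.exe"},
    {"ts": 100.4, "kind": "inject", "pid": 4120, "actor_pid": 3300},
    {"ts": 131.9, "kind": "kill", "pid": 4120, "actor_pid": 3300},
    # Benign: created, never injected, exits on its own.
    {"ts": 200.0, "kind": "create", "pid": 5000, "actor_pid": 900, "image": "editor.exe"},
    {"ts": 260.0, "kind": "kill", "pid": 5000, "actor_pid": 5000},
    # Injected by its creator, kill event missed, then the PID is reused.
    {"ts": 300.0, "kind": "create", "pid": 7000, "actor_pid": 700, "image": "a.exe"},
    {"ts": 300.5, "kind": "inject", "pid": 7000, "actor_pid": 700},
    {"ts": 900.0, "kind": "create", "pid": 7000, "actor_pid": 950, "image": "b.exe"},
    {"ts": 905.0, "kind": "kill", "pid": 7000, "actor_pid": 950},
]


def find_create_inject_kill(events, max_lifetime=300.0):
    """Flag processes that a single actor created, injected into and killed."""
    live = {}      # pid -> state for the current lifetime of that pid
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind = ev["pid"], ev["kind"]
        if kind == "create":
            # A new create resets state so PID reuse never merges two lifetimes.
            live[pid] = {"creator": ev["actor_pid"], "created": ev["ts"],
                         "image": ev.get("image"), "injected": None}
        elif pid in live:
            st = live[pid]
            if kind == "inject" and ev["actor_pid"] == st["creator"]:
                if st["injected"] is None:
                    st["injected"] = ev["ts"]
            elif kind == "kill":
                del live[pid]
                if (st["injected"] is not None
                        and ev["actor_pid"] == st["creator"]
                        and ev["ts"] - st["created"] <= max_lifetime):
                    findings.append({"pid": pid, "creator": st["creator"],
                                     "image": st["image"],
                                     "lifetime": round(ev["ts"] - st["created"], 1)})
    return findings


if __name__ == "__main__":
    for f in find_create_inject_kill(SAMPLE_EVENTS):
        print(f)
```

Mapping real telemetry onto the three event kinds (and choosing the lifetime window) depends on the sensor in use.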

Resources