The Post Exploitation Module

Tools in the module

We have taken the approach of decoupling tools from the main beacon for numerous reasons, including our long-term plans for extended logical attacks against XDRs and MDR teams.

We also want the following actions to live in the post-exploitation module rather than in the beacon process itself, so that they can eventually be split into numerous components running on numerous hosts:

We will outline our further plans and development pipeline here in due course.

We have implemented six tools so far, those we believe have the most utility for rapid Red Team domain escalation and bee-lining to target systems, into our first Post Exploitation module. Like the implants, the module is uniquely generated for each deployment via the API, can be given any name, and can be deployed into any folder.

Bypass capabilities

The post-exploitation module is similar to the implants in that it is also generated using an alpha version of the MalwareGAN. It will incorporate much more in the way of dynamic evasion: both against single systems from a single host, and more complex attacks in which multiple deployed modules on separate hosts work in parallel to evade automated and human threat hunting tools, NDRs, XDRs and MDR teams.

Endpoint Detection & Response

| EDR         | Bypass Statically | Bypass Dynamically |
|-------------|-------------------|--------------------|
| E5 Defender |                   | in Progress        |
| Sophos EDR  |                   |                    |
| CrowdStrike | Untested          | Untested           |

Anomaly Detection Systems and Extended Detection & Response

| Technology  | Bypass Detection |
|-------------|------------------|
| E5 Sentinel | in Progress      |
| ETC         | in Progress      |
| ETC         | in Progress      |

Usage

To deploy the post-exploitation module, use the deploy module -d PATH_TO_DEPLOY command, where PATH_TO_DEPLOY is the folder on the target in which the module should be written.

After the module is deployed, each tool inside it is invoked with its own command.

To determine the module location currently set in the agent, use the get module path command.

If a module is already deployed on the victim's computer (for example by an earlier session), use the set module path -d MODULE_PATH command to instruct the agent where to locate it instead of deploying a new copy.
