Description
Blocks until a new implant session registers on the server and returns the session details. Optionally filter by IP address substring or username substring. Use this after deploying a payload to wait for the callback before issuing follow-on tasks.
The wait is driven by real-time SignalR event notifications rather than polling.
- Sessions that already existed when the tool was called are excluded, so only genuine new registrations resolve the wait.
- IpFilter and UsernameFilter are substring matches. UsernameFilter is case-insensitive.
- Timeout is in milliseconds; default is 300000 (5 minutes).
Example — Wait for Any Session
{
  "function_call": {
    "name": "SessionsWait",
    "arguments": {}
  }
}
Example — Filter by IP Subnet
{
  "function_call": {
    "name": "SessionsWait",
    "arguments": {
      "IpFilter": "192.168.1.",
      "Timeout": 600000
    }
  }
}
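IpFilter is a substring test, not a subnet test, so a prefix such as "10.1." also matches 10.10.1.55, the address shown under Example Output. The Python model below is an added example, not the tool's own code: it applies the three documented rules (pre-existing sessions excluded, substring filters, millisecond timeout) to constructed events and compares the result with a real CIDR check. The function names, the event list and the session field names are assumptions.

```python
import ipaddress


def matches(session, ip_filter="", username_filter=""):
    """Documented semantics: both filters are substring tests and only the
    username test ignores case. An empty filter matches everything."""
    return (ip_filter in session["ip"]
            and username_filter.lower() in session["username"].lower())


def wait_for_session(existing_ids, events, ip_filter="", username_filter="",
                     timeout_ms=300000):
    """Return the first new matching session, or None on timeout.
    `events` is a list of (elapsed_ms, session) pairs standing in for the
    pushed registration notifications (assumed shape)."""
    for elapsed_ms, session in sorted(events, key=lambda e: e[0]):
        if elapsed_ms > timeout_ms:
            break
        if session["id"] in existing_ids:
            continue  # sessions present at call time never resolve the wait
        if matches(session, ip_filter, username_filter):
            return session
    return None


def in_subnet(session, cidr):
    """True subnet membership, for comparison with the substring test."""
    return ipaddress.ip_address(session["ip"]) in ipaddress.ip_network(cidr)


# Constructed sample data (lab values, not from a real deployment).
EXISTING = {"s-0"}
EVENTS = [
    (1000, {"id": "s-0", "ip": "10.1.0.7", "username": "LAB\\admin"}),
    (2000, {"id": "s-1", "ip": "10.10.1.55", "username": "CORP\\jsmith"}),
    (9000, {"id": "s-2", "ip": "10.1.4.20", "username": "CORP\\JSmith"}),
]

if __name__ == "__main__":
    hit = wait_for_session(EXISTING, EVENTS, ip_filter="10.1.")
    # The substring filter accepted a host that is outside 10.1.0.0/16.
    print(hit["ip"], "in 10.1.0.0/16:", in_subnet(hit, "10.1.0.0/16"))
```

Checking the returned IP against the intended CIDR range before issuing follow-on tasks catches a session that matched the filter text but sits outside the intended range.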
Example Output
New session registered:
SessionId: a1b2c3d4-...
IP: 10.10.1.55
Username: CORP\jsmith
FQDN: WS-01.corp.local
OS: Windows 10
Architecture: x64
Nickname: implant.exe
