Agenda ransomware Rust variant command-line arguments as of February 2024

--impersonate --> impersonate tokens
--safe --> execute in safe mode
--no-local --> no local encryption
--no-domain --> no domain encryption
--no-network --> no network encryption
--no-ef --> no extension filter
--no-ff --> no file filter
--no-df --> no directory filter
--no-proc --> no process termination
--no-services --> no service termination
--no-vm --> no terminating VM machines
--kill-cluster --> disables VM clusters
--no-extension --> no extension appended
--no-wallpaper --> no wallpaper modification
--no-note --> no ransom note dropping
--no-delete --> don’t delete directories
--no-destruct --> no deleting itself
--no-zero
--print-image --> print ransomnote
--print-delay --> delay printing for n seconds
--force
--spread --> copy via psexec
--debug --> debug mode
--spread-vcenter --> propagate in vCenter and ESXi, requires inputting credentials and ESXi binary, and esxi binary flag (optional, default is --password {password} --path /vmfs/volumes/ -y). Uses a custom PowerShell script to propagate.
--no-sandbox --> disable sandbox detection
--escalated --> escalated privileges
--parent-sid --> specify SID
--spread-process --> Executed to spread and execute the sample
--no-escalate --> no escalating privileges
--timer --> delay execution by specified timer
--dry-run --> dry run

No-priority --> no priority encryption
No-admin --> disable admin check
No-mounted --> do not encrypt mounted shares
no-logs --> disable file logging
Fde --> Full disk encryption

-host_exclusions
-enable_sandbox_detection
-no_escalate
--impersonate_account
--run_in_safe_mode
--no_priority
--should_be_admin
--encrypt_local_computer
--encrypt_mounted_shares
--encrypt_domain_area
--encrypt_network_area
--enable_extension_filter
--enable_file_filter
--enable_dir_filter
--enable_autostart
--enable_process_killer
--enable_service_killer
--enable_vm_killer
--enable_cluster_killer
--with_extension
--no_wallpaper
--is_note
--is_destruct
--is_zeroing
--no_logs
--is_fde
--is_spreading
--is_spreading_vcenter
--is_dry_run
--collect_logs