add BOF: ghost_task | sc_bof | clipboard | wifi | kerbeus monitor #143

Open
Loki-rt wants to merge 6 commits into Adaptix-Framework:dev from Loki-rt:dev

@Loki-rt Loki-rt commented May 21, 2026

BOF

ghost_task

  • Creates and deletes Windows scheduled tasks directly in the registry, without using the Task Scheduler API (COM/RPC). This avoids generating audit events 4698 (task created) and 4699 (task deleted). Or simply wait for the next system reboot.
image

Usage

# Daily task at 10:30 PM, run cmd.exe as SYSTEM on localhost
ghost_task add -n Task1 -p C:\Windows\System32\cmd.exe -a "/c whoami > C:\out.txt" -u SYSTEM -s daily -t 22:30

# Task that runs every 60 seconds
ghost_task add -n Task2 -p C:\Windows\System32\calc.exe -a "" -u SYSTEM -s second -t 60

# Task scheduled for Mondays and Fridays at 09:00
ghost_task add -n Task3 -p C:\ruta\payload.exe -a "" -u SYSTEM -s weekly -t 09:00 -d monday,friday

# Task upon user logon
ghost_task add -n Task4 -p C:\ruta\payload.exe -a "" -u Administrator -s logon

example

image image

sc_bof

A series of BOFs for interacting with the Service Control Manager (SCM):

  • svc_list
  • svc_query
  • svc_create
  • svc_delete
  • svc_start
  • svc_stop

Usage

svc_list

  Command               : svc_list
  Description           : List all services (local or remote).
  Example               : svc_list | svc_list -c 192.168.1.10 | svc_list -f driver
  Usage                 : svc_list [-c computer] [-f filter]

  Arguments:
    [-c computer]  : STRING.   (default: 'localhost'). Remote computer (skip = localhost)
    [-f filter]    : STRING.   (default: 'all'). Filter: all | win32 | driver

svc_query

  Command               : svc_query
  Description           : Check the status and configuration of a service.
  Example               : svc_query -n WinDefend | svc_query -n Spooler -c 192.168.1.10
  Usage                 : svc_query <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

svc_create

  Command               : svc_create
  Description           : Create a new service (Win32 or kernel driver).
  Example               : svc_create -n MySvc -p C:\\path\\svc.exe -t win32 -s auto | svc_create -n MyDrv -p C:\\path\\drv.sys -t driver -s demand
  Usage                 : svc_create <-n svcname> <-p binpath> [-d dispname] [-t svctype] [-s starttype] [-c computer]

  Arguments:
    <-n svcname>    : STRING.   Service internal name
    <-p binpath>    : STRING.   Path to the executable or .sys file
    [-d dispname]   : STRING.   (default: ''). Display name (optional)
    [-t svctype]    : STRING.   (default: 'win32'). Type: win32 | driver
    [-s starttype]  : STRING.   (default: 'demand'). Start: auto | demand | disabled | boot | system
    [-c computer]   : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

svc_delete

  Command               : svc_delete
  Description           : Remove a service (stops it first if running).
  Example               : svc_delete -n MySvc | svc_delete -n MySvc -c 192.168.1.10
  Usage                 : svc_delete <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

svc_start

  Command               : svc_start
  Description           : Start a service and wait for RUNNING confirmation.
  Example               : svc_start -n Spooler | svc_start -n MySvc -c 192.168.1.10
  Usage                 : svc_start <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

svc_stop

  Command               : svc_stop
  Description           : Stop a service and wait for STOPPED confirmation.
  Example               : svc_stop -n Spooler | svc_stop -n MySvc -c 192.168.1.10
  Usage                 : svc_stop <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

example

image

Here I’m also taking the opportunity to demonstrate that the scheduled task created with the ghost_task BOF works.

image

clipboard

  • BOF to extract clipboard contents

clipboard

  Command               : clipboard
  Description           : Read the current system clipboard contents [NOISE: low]
  Example               : clipboard
image

wifi

  • This BOF can enumerate saved WiFi networks, extract credentials from saved WiFi networks, and also authenticate against a WiFi network.

Usage

wifi

  Command               : wifi
  Description           : WiFi enumeration, dump & authentication via WLAN API.
  Example               : wifi enum | wifi dump "NetworkName" | wifi auth "NetworkName" "password"

  SubCommand                Description
  ----------                -----------
  enum                      List WiFi profiles saved on the system. [NOISE: low]
  dump                      Retrieve the plaintext password from a saved WiFi profile. [NOISE: low]
  auth                      Connect to a WPA2-PSK network by registering a profile and calling WlanConnect. [NOISE: medium]

wifi enum
  Command               : wifi enum
  Description           : List WiFi profiles saved on the system. [NOISE: low]
  Example               : wifi enum

wifi dump
[-] Missing required argument: profile

  Usage: wifi dump <profile>

  Arguments:
    <profile>  : STRING.   Exact WiFi profile name (case-sensitive)

wifi auth
  Command               : wifi auth
  Description           : Connect to a WPA2-PSK network by registering a profile and calling WlanConnect. [NOISE: medium]
  Example               : wifi auth "NetworkName" "password"
  Usage                 : wifi auth <ssid> <password>

  Arguments:
    <ssid>      : STRING.   Target network SSID (case-sensitive)
    <password>  : STRING.   WPA2-PSK password (minimum 8 characters)

Example

  • WiFi network enumeration
image
  • Extraction of WiFi network credentials.
image
  • Authentication to a WiFi network.

Without a connection to a WiFi network

image

Now we connect to a WiFi network.

image

We verify the connection.

image

kerbeus monitor

async BOF

kerbeus monitor
  Command               : kerbeus monitor
  Description           : Monitor Kerberos cache for new TGTs and extract them automatically
  Example               : kerbeus monitor /interval:30
  Usage                 : kerbeus monitor [params]

  Arguments:
    [params]  : STRING.  .- (default: ''). Args: [/interval:SECONDS] (defaults: interval=30)

Example

image

@Loki-rt Loki-rt changed the title add BOF: add BOF: ghost_task | sc_bof | clipboard | wifi | kerbeus monitor May 21, 2026
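Detection-side view of the ghost_task description above, as an added example that is not part of this pull request or the project's code: because the task is written straight into the registry, no 4698 event exists for it, so a defender can correlate Sysmon registry key creations under the Task Scheduler `TaskCache\Tree` key against 4698 events and against the writing process. It assumes Sysmon registry logging covers that key and that events arrive as dictionaries with the field names used here; the function names and the sample events are constructed for illustration.

```python
# Added defensive example. All events below are constructed, not real telemetry.
TREE = r"\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree".lower() + "\\"
SCHEDULER = r"C:\Windows\System32\svchost.exe".lower()  # hosts the Schedule service

def task_path(target_object):
    """Map a TaskCache\\Tree key to its task path ('\\Task1'), or None if unrelated."""
    pos = target_object.lower().find(TREE)
    if pos == -1:
        return None
    return "\\" + target_object[pos + len(TREE):]

def find_unaudited_tasks(events):
    """Flag Tree key creations that lack a 4698 or were not written by the scheduler."""
    # Task names that the Security log recorded as created (event 4698).
    audited = {e["TaskName"].lower() for e in events if e["EventID"] == 4698}
    findings = []
    for e in events:
        # Sysmon event 12 with EventType CreateKey = a registry key was created.
        if e["EventID"] != 12 or e.get("EventType") != "CreateKey":
            continue
        task = task_path(e["TargetObject"])
        if task is None:
            continue
        reasons = []
        if e["Image"].lower() != SCHEDULER:
            reasons.append("key not written by the Schedule service")
        if task.lower() not in audited:
            reasons.append("no matching 4698 event")
        if reasons:
            findings.append({"task": task, "image": e["Image"], "reasons": reasons})
    return findings

KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
SAMPLE_EVENTS = [  # constructed sample: one audited task, one registry-only task
    {"EventID": 4698, "TaskName": r"\BackupJob"},
    {"EventID": 12, "EventType": "CreateKey", "TargetObject": KEY + r"\BackupJob",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 12, "EventType": "CreateKey", "TargetObject": KEY + r"\Task1",
     "Image": r"C:\Users\Public\agent.exe"},
    {"EventID": 12, "EventType": "CreateKey", "TargetObject": r"HKLM\SOFTWARE\Example",
     "Image": r"C:\Windows\regedit.exe"},
]

if __name__ == "__main__":
    for f in find_unaudited_tasks(SAMPLE_EVENTS):
        print(f["task"], "<-", f["image"], "|", "; ".join(f["reasons"]))
```

The correlation only holds when the registry events and the 4698 events passed in cover the same host and time window.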