add BOF: clipboard, wifi, ghost_task and sc_bof #136

Open
DarksBlackSk wants to merge 1 commit into Adaptix-Framework:dev from DarksBlackSk:dev

@DarksBlackSk

new BOF: WiFi | Clipboard | sc_bof | ghost_task

BOF WIFI:

  • This BOF enumerates saved WiFi networks, extracts credentials, and also authenticates against a WPA2-PSK network.

beacon » help wifi

  Command               : wifi
  Description           : WiFi enumeration, dump & authentication via WLAN API.
  Example               : wifi enum | wifi dump "NetworkName" | wifi auth "NetworkName" "password"

  SubCommand                Description
  ----------                -----------
  enum                      List WiFi profiles saved on the system. [NOISE: low]
  dump                      Retrieve the plaintext password from a saved WiFi profile. [NOISE: low]
  auth                      Connect to a WPA2-PSK network by registering a profile and calling WlanConnect. [NOISE: medium]

+-------------------------------------------------------------------------------------+

beacon » help wifi enum
  Command               : wifi enum
  Description           : List WiFi profiles saved on the system. [NOISE: low]
  Example               : wifi enum

+-------------------------------------------------------------------------------------+

beacon » help wifi dump
  Command               : wifi dump
  Description           : Retrieve the plaintext password from a saved WiFi profile. [NOISE: low]
  Example               : wifi dump "NetworkName"
  Usage                 : wifi dump <profile>

  Arguments:
    <profile>  : STRING.   Exact WiFi profile name (case-sensitive)

+-------------------------------------------------------------------------------------+

beacon » help wifi auth
  Command               : wifi auth
  Description           : Connect to a WPA2-PSK network by registering a profile and calling WlanConnect. [NOISE: medium]
  Example               : wifi auth "NetworkName" "password"
  Usage                 : wifi auth <ssid> <password>

  Arguments:
    <ssid>      : STRING.   Target network SSID (case-sensitive)
    <password>  : STRING.   WPA2-PSK password (minimum 8 characters)

+-------------------------------------------------------------------------------------+

BOF CLIPBOARD:

  • This BOF extracts the clipboard.

beacon » help clipboard

  Command               : clipboard
  Description           : Read the current system clipboard contents [NOISE: low]
  Example               : clipboard

+-------------------------------------------------------------------------------------+

BOF SC_BOF

This BOF allows you to list (svc_list), query (svc_query), create (svc_create), delete (svc_delete), start (svc_start), and stop (svc_stop) services both locally and remotely.


beacon » help svc_list

  Command               : svc_list
  Description           : List all services (local or remote).
  Example               : svc_list | svc_list -c 192.168.1.10 | svc_list -f driver
  Usage                 : svc_list [-c computer] [-f filter]

  Arguments:
    [-c computer]  : STRING.   (default: 'localhost'). Remote computer (skip = localhost)
    [-f filter]    : STRING.   (default: 'all'). Filter: all | win32 | driver

+-------------------------------------------------------------------------------------+

beacon » help svc_query

  Command               : svc_query
  Description           : Check the status and configuration of a service.
  Example               : svc_query -n WinDefend | svc_query -n Spooler -c 192.168.1.10
  Usage                 : svc_query <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

+-------------------------------------------------------------------------------------+

beacon » help svc_create

  Command               : svc_create
  Description           : Create a new service (Win32 or kernel driver).
  Example               : svc_create -n MySvc -p C:\\path\\svc.exe -t win32 -s auto | svc_create -n MyDrv -p C:\\path\\drv.sys -t driver -s demand
  Usage                 : svc_create <-n svcname> <-p binpath> [-d dispname] [-t svctype] [-s starttype] [-c computer]

  Arguments:
    <-n svcname>    : STRING.   Service internal name
    <-p binpath>    : STRING.   Path to the executable or .sys file
    [-d dispname]   : STRING.   (default: ''). Display name (optional)
    [-t svctype]    : STRING.   (default: 'win32'). Type: win32 | driver
    [-s starttype]  : STRING.   (default: 'demand'). Start: auto | demand | disabled | boot | system
    [-c computer]   : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

+-------------------------------------------------------------------------------------+

beacon » help svc_delete

  Command               : svc_delete
  Description           : Remove a service (stops it first if running).
  Example               : svc_delete -n MySvc | svc_delete -n MySvc -c 192.168.1.10
  Usage                 : svc_delete <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

+-------------------------------------------------------------------------------------+

beacon » help svc_start

  Command               : svc_start
  Description           : Start a service and wait for RUNNING confirmation.
  Example               : svc_start -n Spooler | svc_start -n MySvc -c 192.168.1.10
  Usage                 : svc_start <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

+-------------------------------------------------------------------------------------+

beacon » help svc_stop

  Command               : svc_stop
  Description           : Stop a service and wait for STOPPED confirmation.
  Example               : svc_stop -n Spooler | svc_stop -n MySvc -c 192.168.1.10
  Usage                 : svc_stop <-n svcname> [-c computer]

  Arguments:
    <-n svcname>   : STRING.   Service name
    [-c computer]  : STRING.   (default: 'localhost'). Remote machine (skip = localhost)

+-------------------------------------------------------------------------------------+

local and remote examples

BOF ghost_task

Creates and deletes Windows scheduled tasks directly in the registry, without using the Task Scheduler API (COM/RPC). This avoids generating audit events 4698 (task created) and 4699 (task deleted).

Requirements: Target local: The agent must run in SYSTEM context.

The task is written to the registry, but the Task Scheduler service (Schedule) needs to be restarted in order to load it. This is inherent to the ghost task technique.


beacon » help ghost_task_add

  Command               : ghost_task_add
  Description           : Create a ghost scheduled task via registry (requires SYSTEM).
  Example               : ghost_task_add -n TaskName -p C:\\Windows\\System32\\cmd.exe -a "/c whoami" -s second -t 30 | ghost_task_add -n TaskName -p C:\\payload.exe -s daily -t 22:30 -u SYSTEM | ghost_task_add -n TaskName -p C:\\payload.exe -s weekly -t 09:00 -d monday,friday
  Usage                 : ghost_task_add <-n taskname> <-p program> <-s stype> [-t time] [-u username] [-a argument] [-d days]

  Arguments:
    <-n taskname>  : STRING.   Scheduled task name
    <-p program>   : STRING.   Executable path
    <-s stype>     : STRING.   Trigger: second | daily | weekly | logon
    [-t time]      : STRING.   (default: '0'). HH:MM (daily/weekly) or N seconds (second)
    [-u username]  : STRING.   (default: 'SYSTEM'). User to run the task as
    [-a argument]  : STRING.   (default: ''). Arguments for the executable
    [-d days]      : STRING.   (default: 'monday'). Days for weekly trigger (ex: monday,friday)

+-------------------------------------------------------------------------------------+

beacon » help ghost_task_delete

  Command               : ghost_task_delete
  Description           : Delete a ghost scheduled task from the registry (requires SYSTEM). [NOISE: low]
  Example               : ghost_task_delete -n TaskName
  Usage                 : ghost_task_delete <-n taskname>

  Arguments:
    <-n taskname>  : STRING.   Name of the task to delete

+-------------------------------------------------------------------------------------+

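A defender-side check for the ghost_task behaviour described in this PR, added here as an example (it is not part of the pull request or the Adaptix code): it flags TaskCache registry key creations and deletions that have no matching 4698/4699 audit event. It assumes Sysmon registry events (ID 12) are collected for the `Schedule\TaskCache\Tree` key and that task auditing is enabled so 4698/4699 normally appear; the record layout, the 60-second window and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Task Scheduler keeps each task's key under ...\Schedule\TaskCache\Tree\<task path>.
TREE = re.compile(r"\\Schedule\\TaskCache\\Tree\\(?P<task>.+)$", re.IGNORECASE)
# Sysmon event 12 EventType -> Security audit event the Task Scheduler API would log.
EXPECTED = {"CreateKey": 4698, "DeleteKey": 4699}
WINDOW = timedelta(seconds=60)  # assumed tolerance between the two log sources

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_unaudited_task_changes(events):
    """Return TaskCache key creations/deletions with no matching 4698/4699 nearby."""
    audited = {}  # (event id, lower-cased task path) -> [timestamps]
    for e in events:
        if e["source"] == "Security" and e["id"] in (4698, 4699):
            key = (e["id"], e["TaskName"].lstrip("\\").lower())
            audited.setdefault(key, []).append(parse_ts(e["time"]))
    findings = []
    for e in events:
        want = EXPECTED.get(e.get("EventType"))
        if e["source"] != "Sysmon" or e["id"] != 12 or want is None:
            continue
        m = TREE.search(e["TargetObject"])
        if not m:
            continue
        task, when = m.group("task"), parse_ts(e["time"])
        seen = audited.get((want, task.lower()), [])
        if not any(abs(when - t) <= WINDOW for t in seen):
            findings.append({"task": task, "missing": want,
                             "time": e["time"], "image": e["Image"]})
    return findings

KEY_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\"
# Constructed sample records (field names follow Sysmon 12 and Security 4698/4699).
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4698, "time": "2024-05-01T10:00:01", "TaskName": "\\BackupJob"},
    {"source": "Sysmon", "id": 12, "time": "2024-05-01T10:00:02", "EventType": "CreateKey",
     "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": KEY_PREFIX + "BackupJob"},
    {"source": "Sysmon", "id": 12, "time": "2024-05-01T10:05:00", "EventType": "CreateKey",
     "Image": "C:\\ProgramData\\example\\proc.exe", "TargetObject": KEY_PREFIX + "TaskName"},
    {"source": "Sysmon", "id": 12, "time": "2024-05-01T11:00:00", "EventType": "DeleteKey",
     "Image": "C:\\ProgramData\\example\\proc.exe", "TargetObject": KEY_PREFIX + "TaskName"},
]

if __name__ == "__main__":
    for finding in find_unaudited_task_changes(SAMPLE_EVENTS):
        print(finding)
```

Task folders also appear as keys under `Tree`, so a new folder created by a legitimate task registration can show up as a finding and should be triaged by the writing process (`image`).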
