jakobfriedl/logon-monitor-bof — explained in plain English
Analysis updated 2026-05-18
Monitor a target Windows machine for new login events during an authorized penetration test.
Report the username, domain, and session ID of any new login through a C2 agent.
Combine with Conquest's steal-token flag to capture an access token from a newly logged-in user.
| jakobfriedl/logon-monitor-bof | 0xazanul/fuzz-skill | lessica/unseen | |
|---|---|---|---|
| Stars | 31 | 31 | 31 |
| Language | C | C | C |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 4/5 | 3/5 | 3/5 |
| Audience | ops devops | researcher | general |
Figures from each repo's GitHub metadata at analysis time.
Requires the Conquest C2 framework and administrative access on the target for remote monitoring.
Logon Monitor is a security tool written in C that watches for new user login events on a Windows computer and immediately notifies the operator running it. It is built as a BOF, which stands for Beacon Object File, a type of small compiled code module that runs inside a C2 agent (a remote-access tool used during authorized penetration testing engagements) without blocking the agent's other operations. When a new login is detected, the tool reports the username, domain, session ID, and, when monitoring local sessions with sufficient privileges, the process name and ID of the new session. It can also watch remote servers rather than just the local machine, as long as the operator has administrative or Remote Desktop access to that server. The tool accepts three configuration options: a polling interval in seconds (defaulting to 5), an optional list of specific usernames to watch for, and an optional target server name. If no username filter is specified, all new logins are reported. Logon Monitor is built specifically for a framework called Conquest. Through Conquest's Python module layer, operators can add a flag called steal-token that, when a new login is detected, automatically grabs the Windows access token of the newly logged-in user and stores it in a vault for later use. This is a technique used in offensive security work to act as a logged-in user without knowing their password. Using this feature requires the agent to be running as SYSTEM, the highest privilege level on a Windows machine. Building the project requires cloning the repository and running make. The compiled output and the Conquest module script are then loaded into the Conquest framework via its Script Manager interface.
A Beacon Object File written in C that watches for new Windows login events and reports them to the operator during authorized penetration testing.
Mainly C. The stack also includes C.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.