whatisgithub

What is logon-monitor-bof?

jakobfriedl/logon-monitor-bof — explained in plain English

Analysis updated 2026-05-18

31CAudience · ops devopsComplexity · 4/5Setup · moderate

In one sentence

A Beacon Object File written in C that watches for new Windows login events and reports them to the operator during authorized penetration testing.

Mindmap

mindmap
  root((logon-monitor-bof))
    What it does
      Watches for new logins
      Reports username and session
      Optional remote server monitoring
    Tech stack
      C
      Conquest framework
    Use cases
      Login monitoring in engagements
      Session tracking
      Token capture via Conquest
    Audience
      Security professionals
    Setup
      Requires make build
      Loaded into Conquest

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Monitor a target Windows machine for new login events during an authorized penetration test.

USE CASE 2

Report the username, domain, and session ID of any new login through a C2 agent.

USE CASE 3

Combine with Conquest's steal-token flag to capture an access token from a newly logged-in user.

What is it built with?

C

How does it compare?

jakobfriedl/logon-monitor-bof0xazanul/fuzz-skilllessica/unseen
Stars313131
LanguageCCC
Setup difficultymoderatemoderatehard
Complexity4/53/53/5
Audienceops devopsresearchergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires the Conquest C2 framework and administrative access on the target for remote monitoring.

So what is it?

Logon Monitor is a security tool written in C that watches for new user login events on a Windows computer and immediately notifies the operator running it. It is built as a BOF, which stands for Beacon Object File, a type of small compiled code module that runs inside a C2 agent (a remote-access tool used during authorized penetration testing engagements) without blocking the agent's other operations. When a new login is detected, the tool reports the username, domain, session ID, and, when monitoring local sessions with sufficient privileges, the process name and ID of the new session. It can also watch remote servers rather than just the local machine, as long as the operator has administrative or Remote Desktop access to that server. The tool accepts three configuration options: a polling interval in seconds (defaulting to 5), an optional list of specific usernames to watch for, and an optional target server name. If no username filter is specified, all new logins are reported. Logon Monitor is built specifically for a framework called Conquest. Through Conquest's Python module layer, operators can add a flag called steal-token that, when a new login is detected, automatically grabs the Windows access token of the newly logged-in user and stores it in a vault for later use. This is a technique used in offensive security work to act as a logged-in user without knowing their password. Using this feature requires the agent to be running as SYSTEM, the highest privilege level on a Windows machine. Building the project requires cloning the repository and running make. The compiled output and the Conquest module script are then loaded into the Conquest framework via its Script Manager interface.

Copy-paste prompts

Prompt 1
Explain how to build Logon Monitor and load it into the Conquest framework's Script Manager.
Prompt 2
What configuration options does Logon Monitor accept for polling interval and username filters?
Prompt 3
Describe how the steal-token flag interacts with Logon Monitor during an authorized engagement.
Prompt 4
Walk me through what a Beacon Object File is and how Logon Monitor runs inside a C2 agent.

Frequently asked questions

What is logon-monitor-bof?

A Beacon Object File written in C that watches for new Windows login events and reports them to the operator during authorized penetration testing.

What language is logon-monitor-bof written in?

Mainly C. The stack also includes C.

How hard is logon-monitor-bof to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is logon-monitor-bof for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.