1f0ad54b5c
Callback screenshot (merge). Will modify tomorrow if I have time to allow setting of screenshot write method (disk, download file, download screenshot) |
||
|---|---|---|
| ScreenshotBOF | ||
| bin/BOF | ||
| .gitignore | ||
| README.md | ||
| ScreenshotBOF.sln | ||
README.md
ScreenshotBOF
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
Self Compilation
- git clone the repo
- open the solution in Visual Studio
- Build project BOF
Usage
- import the screenshotBOF.cna script into Cobalt Strike
- use the command screenshot_bof {local filename}
beacon> screenshot_bof sad.bmp
[*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 4860 bytes
[+] received output:
[*] Tasked beacon to printscreen and save to sad.bmp
[+] received output:
[+] PrintScreen saved to bitmap...
[*] started download of sad.bmp
Notes
- no evasion is performed, which should be fine since the WinAPIs used are not malicious
Why did I make this?
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.
Credits
- Made using https://github.com/securifybv/Visual-Studio-BOF-template
- Save BMP to file from https://stackoverflow.com/a/60667564
- in memory download from https://github.com/anthemtotheego/CredBandit