qwqdanchun
/
ScreenshotBOF
mirror of https://github.com/qwqdanchun/ScreenshotBOF.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3 Commits 2 Branches 2 Tags 142 KiB
C 54.2%
C++ 32%
PowerShell 13.8%
Go to file
CodeXTF2 7ce6511a2d credits 2022-10-23 17:04:09 +08:00
ScreenshotBOF first commit 2022-10-23 16:58:24 +08:00
bin/BOF first commit 2022-10-23 16:58:24 +08:00
.gitignore first commit 2022-10-23 16:58:24 +08:00
README.md credits 2022-10-23 17:04:09 +08:00
ScreenshotBOF.sln first commit 2022-10-23 16:58:24 +08:00

README.md

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.

Usage

  1. import the screenshotBOF.cna script into Cobalt Strike
  2. use the command screenshot_bof
  3. Download the screenshot from the target e.g.
download screenshot.bmp

Notes

  • no evasion is performed, which should be fine since the WinAPIs used are not malicious
  • in memory downloading of screenshots is planned to be added
  • the filename can be changed in the source code.

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.

Credits