ScreenshotBOF: alternative screenshot capability for Cobalt Strike
![Cobalt Strike screenshot](https://b3442631.smushcdn.com/3442631/wp-content/uploads/2022/12/ScreenshotBOF-1320x500.png?lossy=1&strip=1&webp=1)
# ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses the WinAPI directly and does not perform a fork & run. The screenshot is held in memory and downloaded over the beacon rather than being spawned from a separate process.
## Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-exploitation capabilities, including the built-in screenshot command. While this behaviour provides stability, it is now well-known and heavily monitored. This BOF is meant to provide a more OPSEC-safe version of the screenshot capability.
## Self Compilation

- `git clone` the repo: git clone
- open the solution in Visual Studio
- build the `BOF` project
## Save methods

- drop the file to disk
- download the file over the beacon (Cobalt Strike only)
## Usage

- import the `screenshotBOF.cna` script into Cobalt Strike
- use the command `screenshot_bof {local filename} {save method 0/1}`
- if downloaded over the beacon, the BMP can be viewed in Cobalt Strike by right-clicking the download and clicking "Render BMP" (credit @BinaryFaultline)
Source: https://github.com/CodeXTF2/