Locked ScreenshotBOF: alternative screenshot capability for Cobalt Strike

By itsMe
December 7, 2022 in Pentesting

Followers 0

Start new topic

Recommended Posts

itsMe

Posted December 7, 2022

- Share

Posted December 7, 2022

This is the hidden content, please

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. The screenshot was downloaded in memory.

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behavior provides stability, it is now well-known and heavily monitored. This BOF is meant to provide a more OPSEC-safe version of the screenshot capability.

Self Compilation

    git clone the repo: git clone
    open the solution in Visual Studio
    Build project BOF

Save methods:

drop file to disk
download file over beacon (Cobalt Strike only)

This is the hidden content, please

Link to comment

Share on other sites

This topic is now closed to further replies.

Followers 0

Go to topic listing

Similar Content
- SharpOD x64 (A_AntiDebug Plugin. Support for x64dbg)
  
  By itsMe, December 5, 2021
  - for
  - support
  - (and 5 more)
    
    Tagged with:
    
    for
    
    support
    
    plugin.
    
    (a_antidebug
    
    x64
    
    sharpod
    
    x64dbg)
  - 0 replies
  - 1,661 views
- How to sniff API of android aps For making configs
  
  By itsMe, May 20, 2021
  - making
  - for
  - (and 6 more)
    
    Tagged with:
    
    making
    
    for
    
    aps
    
    android
    
    api
    
    sniff
    
    how
    
    configs
  - 0 replies
  - 255 views
- Cobalt Strike 4.7.2 Full Black Edition by uCare + CobaltStrike 4.8 Client
  
  By itsMe, April 14, 2023
  - strike
  - cobalt
  - (and 5 more)
    
    Tagged with:
    
    strike
    
    cobalt
    
    4.7.2
    
    full
    
    black
    
    edition
    
    ucare
  - 0 replies
  - 658 views
- How To Make Simple APP Config(API) In OPENBULLET Using Fiddler
  
  By itsMe, March 24, 2023
  - easiest
  - configs
  - (and 8 more)
    
    Tagged with:
    
    easiest
    
    configs
    
    openbullet
    
    api
    
    android
    
    making
    
    for
    
    setup
    
    how
    
    method
  - 0 replies
  - 519 views
- TweakNow WinSecret Plus! for Windows 11 and 10 4.6.0
  
  By itsMe, April 27, 2023
  - tweaknow
  - winsecret
  - (and 5 more)
    
    Tagged with:
    
    tweaknow
    
    winsecret
    
    plus!
    
    for
    
    windows
    
    and
    
    4.6.0
  - 0 replies
  - 288 views

Sign In

Locked ScreenshotBOF: alternative screenshot capability for Cobalt Strike

Recommended Posts

itsMe

Link to comment

Share on other sites

Similar Content

SharpOD x64 (A_AntiDebug Plugin. Support for x64dbg)

How to sniff API of android aps For making configs

Cobalt Strike 4.7.2 Full Black Edition by uCare + CobaltStrike 4.8 Client

How To Make Simple APP Config(API) In OPENBULLET Using Fiddler

TweakNow WinSecret Plus! for Windows 11 and 10 4.6.0

Browse

Activity

Store

Important Information