One of the most important things in a red teamer’s job is evidence. If you can’t demonstrate impact and make a risk real, it’s as if you didn’t find the problem. Screenshots go a long way towards this.
Cobalt Strike has several options to capture screenshots during your engagement. In this post, I’ll quickly take you through them.
Ctrl+P
The Ctrl+P shortcut snaps a picture of the current sessions in Cobalt Strike. If the pivot graph is active, you will get the whole graph (regardless of size) in one image.
Ctrl+T
The Ctrl+T shortcut takes a screenshot of the current Cobalt Strike tab.
Ctrl+Shift+T
The Ctrl+Shift+T shortcut takes a screenshot of your whole Cobalt Strike window.
Where do my screenshots go?
This is the best part. Cobalt Strike pushes these screenshots to the team server. This way, your screenshots and your team’s screenshots are in one place. The screenshots are located in the [/path/to/cobaltstrike]/logs/[date]/screenshots folder. Each screenshot’s name includes the time it was taken and the context it was taken from (e.g., the title of the tab).
Note: Target screenshots, taken during your post-exploitation activities, are organized and stored on the team server as well. These are located in:
[/path/to/cobaltstrike]/logs/[date]/[target]/screenshots.