diff --git a/DB.py b/DB.py index 5800c0a..a31f5a2 100644 --- a/DB.py +++ b/DB.py @@ -23,7 +23,8 @@ def initializedb(): Alive TEXT, Sleep TEXT, ModsLoaded TEXT, - Pivot TEXT);""" + Pivot TEXT, + Label TEXT);""" create_autoruns = """CREATE TABLE AutoRuns ( TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE, @@ -283,6 +284,12 @@ def update_sleep( sleep, randomuri ): c.execute("UPDATE Implants SET Sleep=? WHERE RandomURI=?",(sleep, randomuri)) conn.commit() +def update_label( label, randomuri ): + conn = sqlite3.connect(DB) + c = conn.cursor() + c.execute("UPDATE Implants SET Label=? WHERE RandomURI=?",(label, randomuri)) + conn.commit() + def update_mods( modules, randomuri ): conn = sqlite3.connect(DB) c = conn.cursor() 
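Review bot: The new `Label TEXT` column exists only in databases created by `initializedb()` after this change; a database created earlier keeps the old `Implants` layout, so `update_label`, the widened `INSERT` in `new_implant` and the `i[16]` read in `ImplantHandler.startup` will all fail against it. A migration step is needed alongside the schema edit, e.g. inspecting `PRAGMA table_info(Implants)` for a `Label` column and running `ALTER TABLE Implants ADD COLUMN Label TEXT` when it is absent. `initializedb` begins before this hunk, so where that check belongs is not visible here.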
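Review bot: `update_label` stores the value exactly as received and never closes the connection or cursor it opens; since every caller passes operator-typed text straight through, this is the natural place to strip whitespace and bound the length before the `UPDATE`. The open-and-forget pattern matches the neighbouring `update_sleep`, so at minimum add `conn.close()` after `conn.commit()` rather than extending the leak to one more function. The parameterised query itself is fine.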
@@ -351,11 +358,11 @@ def update_implant_lastseen(time, randomuri): c.execute("UPDATE Implants SET LastSeen=? WHERE RandomURI=?", (time,randomuri)) conn.commit() -def new_implant(RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot): +def new_implant(RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label): conn = sqlite3.connect(DB) conn.row_factory = sqlite3.Row c = conn.cursor() - c.execute("INSERT INTO Implants (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot)) + c.execute("INSERT INTO Implants (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label)) conn.commit() def insert_completedtask(randomuri, command, output, prompt): diff --git a/HTML.py b/HTML.py index c8f6cbf..80ab718 100644 --- a/HTML.py +++ b/HTML.py 
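Review bot: `Label` is added to `new_implant` as a required positional parameter, so any caller other than the updated `Implant.save` that still passes fifteen arguments now raises `TypeError`. Giving it a default, `def new_implant(RandomURI, ..., Pivot, Label=None):`, keeps the old call shape working and matches the `self.Label = None` initial value set in `Implant.__init__`. The connection opened here is still never closed, but that is pre-existing behaviour rather than something this hunk introduces.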
@@ -209,7 +209,7 @@ function SearchTask() { function tweakMarkup(){ // Add classes to columns - var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] tbl = document.getElementById("PoshTable"); ths = tbl.getElementsByTagName("th"); for( i=0; i'; td.onclick = toggleHide @@ -398,6 +398,7 @@ __________ .__. _________ ________ HTMLPost = HTMLPost.replace("","
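Review bot: The rewritten `classes` array in `tweakMarkup` is missing the opening quote on `taskid'`, which is a JavaScript syntax error that stops the whole inline script from parsing in the generated report; the line should read `var classes = ['id', 'Label', 'taskid', 'randomuri', 'command', ...]`. The identical mistake is in the `OfflineReportGenerator.py` hunk at `@@ -204,7`, so both need the fix. Inserting `'Label'` at index 1 also shifts the class assigned to every later `th` if the loop maps by position (the loop body is cut off in this hunk), so confirm the table header order was changed to match. If the stored label text is written into the report markup, it should go through `html.escape` first, as it is free text from the console rather than a fixed column name.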
") HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") + HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") diff --git a/Help.py b/Help.py index 1df1095..e0eb5e4 100644 --- a/Help.py +++ b/Help.py @@ -32,6 +32,7 @@ unhide-implant help searchhelp mimikatz back +label-implant """ sharp_help1 = """ @@ -397,7 +398,7 @@ COMMANDS = ['loadmodule',"bloodhound","brute-ad","brute-locadmin", "get-system-withproxy","get-system-withdaisy","get-pid","listmodules","modulesloaded", "startanotherimplant","remove-persistence","removeexe-persistence","installexe-persistence", "get-hash","get-creds","resolve-ipaddress","invoke-wmievent","remove-wmievent","get-wmievent", -"invoke-smbclient","get-keystrokedata","unhidefile","hidefile"] +"invoke-smbclient","get-keystrokedata","unhidefile","hidefile", "label-implant"] COMMANDS += ['invoke-psexecpayload','invoke-wmipayload', 'invoke-dcompayload'] COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomproxypayload'] diff --git a/Implant.py b/Implant.py index 0ee42e2..dc12450 100644 --- a/Implant.py +++ b/Implant.py @@ -11,6 +11,7 @@ class Implant(object): def __init__(self, ipaddress, pivot, domain, user, hostname, arch, pid, proxy): self.RandomURI = randomuri() + self.Label = None self.User = user self.Hostname = hostname self.IPAddress = ipaddress 
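Review bot: The help listing gains `label-implant` with no hint that it takes an argument, although the handler in `ImplantHandler.runcommand` strips a `label-implant ` prefix and stores the remainder. Listing it as `label-implant <text>` (or adding a one-line description next to the other entries) would tell the user what is expected; as written the entry reads like a bare toggle such as `back` or `unhide-implant`.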
@@ -588,7 +589,7 @@ while($true) print "SMS send error: %s" % e def save(self): - new_implant(self.RandomURI, self.User, self.Hostname, self.IPAddress, self.Key, self.FirstSeen, self.FirstSeen, self.PID, self.Proxy, self.Arch, self.Domain, self.Alive, self.Sleep, self.ModsLoaded, self.Pivot) + new_implant(self.RandomURI, self.User, self.Hostname, self.IPAddress, self.Key, self.FirstSeen, self.FirstSeen, self.PID, self.Proxy, self.Arch, self.Domain, self.Alive, self.Sleep, self.ModsLoaded, self.Pivot, self.Label) def autoruns(self): new_task("loadmodule Implant-Core.ps1", self.RandomURI) diff --git a/ImplantHandler.py b/ImplantHandler.py index 496f6db..8d146fe 100644 --- a/ImplantHandler.py +++ b/ImplantHandler.py @@ -176,6 +176,7 @@ def startup(printhelp = ""): PID = i[8] Pivot = i[15] Sleep = i[13] + Label = i[16] if Pivot == "Daisy": Pivot = "D" elif Pivot == "C#": Pivot = "C#" elif Pivot == "Proxy": Pivot = "P" 
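Review bot: `Label = i[16]` couples the listing in `startup` to the column position in the schema: it is correct only while `Label` is the seventeenth column of `Implants`, and it raises `IndexError` on a database created before the column was added. If these rows come back as `sqlite3.Row` (`new_implant` sets `row_factory`; the `SELECT` used here is not shown), `i["Label"]` is the safer read and survives later column additions. `startup` continues outside this hunk.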
@@ -188,12 +189,16 @@ def startup(printhelp = ""): nowplus10 = now - timedelta(minutes=10) nowplus60 = now - timedelta(minutes=59) sID = "["+str(ID)+"]" - if nowplus60 > LastSeenTime: - print (Colours.RED + "%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot)) - elif nowplus10 > LastSeenTime: - print (Colours.YELLOW + "%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot)) + if Label == None: + sLabel = "" else: - print (Colours.GREEN + "%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot)) + sLabel = "["+Label+"]" + if nowplus60 > LastSeenTime: + print (Colours.RED + "%s%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot)) + elif nowplus10 > LastSeenTime: + print (Colours.YELLOW + "%s%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot)) + else: + print (Colours.GREEN + "%s%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot)) else: from datetime import datetime, timedelta now = datetime.now() @@ -417,6 +422,11 @@ def runcommand(command, randomuri): update_sleep(command, randomuri) new_task(sleep, randomuri) + elif (command.lower().startswith('label-implant')): + label = command.replace('label-implant ', '') + update_label(label, randomuri) + startup() + elif "searchhelp" in command.lower(): searchterm = (command.lower()).replace("searchhelp ","") import string 
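Review bot: `if Label == None:` should be `if Label is None:`; `None` is a singleton and `==` invokes `__eq__` on whatever the database returned. The three `print` branches now differ only in the colour constant, so the conditional can pick the colour and the format string can appear once, which also means the next column added will not have to be threaded through three copies. A sketch of that shape follows; the surrounding `for` loop and the `else:` branch begin and end outside this hunk.
```python
            sLabel = "" if Label is None else "[" + Label + "]"
            if nowplus60 > LastSeenTime:
                colour = Colours.RED
            elif nowplus10 > LastSeenTime:
                colour = Colours.YELLOW
            else:
                colour = Colours.GREEN
            print (colour + "%s%s: Seen:%s | PID:%s | %s | %s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, DomainUser, Hostname, Arch, Pivot))
            # … unchanged: remaining branches of startup …
```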
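Review bot: The `label-implant` handler parses its argument with `command.replace('label-implant ', '')`, so a bare `label-implant` stores the literal text `label-implant` as the label, a mixed-case command (matched via `lower()`) keeps its prefix, and any second occurrence of the prefix inside the label is deleted too. Slicing and rejecting an empty value is more robust: `label = command[len('label-implant'):].strip()` followed by `if label: update_label(label, randomuri)`. The same block is pasted verbatim in the two further `runcommand` hunks at `@@ -646,6` and `@@ -667,6`, so a small `_set_label(command, randomuri)` helper called from all three branches would keep the three copies from drifting.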
@@ -646,6 +656,11 @@ def runcommand(command, randomuri): command = command.replace('setbeacon ', '') command = command.replace('beacon ', '') update_sleep(command, randomuri) + + elif (command.lower().startswith('label-implant')): + label = command.replace('label-implant ', '') + update_label(label, randomuri) + startup() else: if command: @@ -667,6 +682,11 @@ def runcommand(command, randomuri): command = command.replace('beacon ', '') update_sleep(command, randomuri) + elif (command.lower().startswith('label-implant')): + label = command.replace('label-implant ', '') + update_label(label, randomuri) + startup() + elif "searchhelp" in command.lower(): searchterm = (command.lower()).replace("searchhelp ","") import string diff --git a/OfflineReportGenerator.py b/OfflineReportGenerator.py index 7519b2f..5a2351e 100644 --- a/OfflineReportGenerator.py +++ b/OfflineReportGenerator.py @@ -204,7 +204,7 @@ function SearchTask() { function tweakMarkup(){ // Add classes to columns - var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] tbl = document.getElementById("PoshTable"); ths = tbl.getElementsByTagName("th"); for( i=0; i'; td.onclick = toggleHide @@ -393,6 +393,7 @@ __________ .__. _________ ________ HTMLPost = HTMLPost.replace("
CompletedTaskIDIDIDIDLabelLabelTaskIDTaskIDRandomURIRandomURICommandCommand
","
") HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") + HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","") HTMLPost = HTMLPost.replace("","")
CompletedTaskIDIDIDIDLabelLabelTaskIDTaskIDRandomURIRandomURICommandCommand