diff --git a/Files/fpc b/Files/fpc new file mode 100755 index 0000000..59897ab --- /dev/null +++ b/Files/fpc @@ -0,0 +1,3 @@ +#!/bin/bash + +python3 /usr/bin/fpc.py $@ diff --git a/Files/fpc.py b/Files/fpc.py new file mode 100755 index 0000000..52ca05b --- /dev/null +++ b/Files/fpc.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python + +import sys, argparse, sqlite3, os, pandas + + +def create_arg_parser(): + parser = argparse.ArgumentParser(description='Search for a PoshC2 Command Output') + parser.add_argument("-p", "--project", help='The PoshC2 project dir', default = '/opt/PoshC2_Project') + parser.add_argument("-c", "--command", help='The command to search for', default = '%') + parser.add_argument("-u", "--user", help='The user to filter on', default = '%') + parser.add_argument("-o", "--output", help='The output to search for', default = '%') + return parser + +def main(): + args = create_arg_parser().parse_args() + if args.command == '%' and args.output == '%': + print("[-] A minimum of a --command or --output search term must be specified") + sys.exit(1) + conn = sqlite3.connect(os.path.join(args.project, 'PowershellC2.SQLite')) + with pandas.option_context('display.max_rows', None, 'display.max_columns', None, 'display.max_colwidth', -1): + print (str(pandas.read_sql_query("SELECT Command,Output from Tasks where User like '%s' and Command like '%%%s%%' and Output like '%%%s%%'" % (args.user, args.command, args.output), conn)).replace('\\r', '\r').replace('\\n', '\n')) + +if __name__ == '__main__': + main() diff --git a/Install.sh b/Install.sh index a4b4cc3..722d199 100755 --- a/Install.sh +++ b/Install.sh @@ -57,6 +57,13 @@ echo "" pip install --upgrade pip python -m pip install -r /opt/PoshC2_Python/requirements.txt +echo "" +echo "[+] Copying useful scripts to /usr/bin" +cp files/fpc /usr/bin +cp files/fpc.py /usr/bin +chmod +x /usr/bin/fpc +chmod +x /usr/bin/fpc.py + echo "" echo "[+] Setup complete" echo "" diff --git a/changelog.txt b/changelog.txt index 41ca946..8e54822 100644 --- a/changelog.txt +++ b/changelog.txt @@ -13,6 +13,7 @@ Add base64 encoded versions of the shellcode to the payloads directory Add a configurable jitter to all implants Update the notifications config if it is changed in the Config.py Add NotificationsProjectName in Config.py which is displayed in notifications message +Add fpc script which searches the Posh DB for a particular command 4.8 (13/02/19) ==============