Reporting

Reporting and logging is an extremely important part of running a Red Team engagement and PoshC2 ensures that every detail is logged to the internal SQLite database. It is always worth noting that PoshC2’s time-zone will work off the local server time, so if you are working in multiple countries or another time-zone, it is highly recommended that your time-zone is configured accordingly.

By default, PoshC2 records every command and all output from each Implant that is used and logs this information to the internal SQLite database, in addition to all the metadata around that command, such as the issuing user, the hostname and so on.

While the SQLite database can be interacted with directly, PoshC2 also has a number of reporting commands to aid in the processing of this information.

To output basic HTML reports from Implant-Handler top level prompt run the generate-reports command, which will generate a number of HTML pages to the reports directory in addition to dumping the data as CSV files.

../_images/tasks-report.png

There is also the fpc command which can be used to find a PoshC2 command. This command can search through command input and output for search terms, and filter commands by the user that executed them.

../_images/fpc.png