1. Home
  2. Software
  3. PoshC2

PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

ID: S0378
Type: TOOL
Platforms: Windows, Linux, macOS
Version: 1.3
Created: 23 April 2019
Last Modified: 03 June 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

PoshC2 can utilize multiple methods to bypass UAC.[1]
Enterprise T1134 Access Token Manipulation

PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[1]
.002 Create Process with Token

PoshC2 can use Invoke-RunAs to make tokens.[1]
Enterprise T1087 .001 Account Discovery: Local Account

PoshC2 can enumerate local and domain user account information.[1]
.002 Account Discovery: Domain Account

PoshC2 can enumerate local and domain user account information.[1]
Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PoshC2 contains a module for compressing data using ZIP.[1]
Enterprise T1119 Automated Collection

PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1]
Enterprise T1110 Brute Force

PoshC2 has modules for brute forcing local administrator and AD user accounts.[1]
Enterprise T1555 Credentials from Password Stores

PoshC2 can decrypt passwords stored in the RDCMan configuration file.[2]
Enterprise T1482 Domain Trust Discovery

PoshC2 has modules for enumerating domain trusts.[1]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

PoshC2 has the ability to persist on a system using WMI events.[1]
Enterprise T1068 Exploitation for Privilege Escalation

PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1]
Enterprise T1210 Exploitation of Remote Services

PoshC2 contains a module for exploiting SMB via EternalBlue.[1]
Enterprise T1083 File and Directory Discovery

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1]
Enterprise T1056 .001 Input Capture: Keylogging

PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1]
Enterprise T1046 Network Service Discovery

PoshC2 can perform port scans from an infected host.[1]
Enterprise T1040 Network Sniffing

PoshC2 contains a module for taking packet captures on compromised hosts.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1]
Enterprise T1201 Password Policy Discovery

PoshC2 can use Get-PassPol to enumerate the domain password policy.[1]
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

PoshC2 contains modules, such as Get-LocAdm for enumerating permission groups.[1]
Enterprise T1055 Process Injection

PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.[1]
Enterprise T1090 Proxy

PoshC2 contains modules that allow for use of proxies in command and control.[1]
Enterprise T1082 System Information Discovery

PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[1]
Enterprise T1016 System Network Configuration Discovery

PoshC2 can enumerate network adapter information.[1]
Enterprise T1049 System Network Connections Discovery

PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1]
Enterprise T1007 System Service Discovery

PoshC2 can enumerate service and service permission information.[1]
Enterprise T1569 .002 System Services: Service Execution

PoshC2 contains an implementation of PsExec for remote execution.[1]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

PoshC2 contains modules for searching for passwords in local and remote files.[1]
Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1]
Enterprise T1047 Windows Management Instrumentation

PoshC2 has a number of modules that use WMI to execute tasks.[1]

Groups That Use This Software

ID Name References
G0064 APT33

[3][4]
G0034 Sandworm Team

Sandworm Team has used multiple publicly available tools during operations, such as PoshC2.[5]
G1001 HEXANE

[2]

References

  1. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  2. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  3. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  1. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  2. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.