PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
Enterprise | T1134 | Access Token Manipulation |
PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[1] |
|
.002 | Create Process with Token | |||
Enterprise | T1087 | .001 | Account Discovery: Local Account |
PoshC2 can enumerate local and domain user account information.[1] |
.002 | Account Discovery: Domain Account |
PoshC2 can enumerate local and domain user account information.[1] |
||
Enterprise | T1557 | .001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1] |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility | |
Enterprise | T1119 | Automated Collection |
PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1] |
|
Enterprise | T1110 | Brute Force |
PoshC2 has modules for brute forcing local administrator and AD user accounts.[1] |
|
Enterprise | T1482 | Domain Trust Discovery | ||
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
PoshC2 has the ability to persist on a system using WMI events.[1] |
Enterprise | T1068 | Exploitation for Privilege Escalation |
PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1] |
|
Enterprise | T1210 | Exploitation of Remote Services |
PoshC2 contains a module for exploiting SMB via EternalBlue.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1] |
Enterprise | T1046 | Network Service Discovery | ||
Enterprise | T1040 | Network Sniffing |
PoshC2 contains a module for taking packet captures on compromised hosts.[1] |
|
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1] |
Enterprise | T1201 | Password Policy Discovery |
PoshC2 can use |
|
Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
PoshC2 contains modules, such as |
Enterprise | T1055 | Process Injection |
PoshC2 contains multiple modules for injecting into processes, such as |
|
Enterprise | T1090 | Proxy |
PoshC2 contains modules that allow for use of proxies in command and control.[1] |
|
Enterprise | T1082 | System Information Discovery |
PoshC2 contains modules, such as |
|
Enterprise | T1016 | System Network Configuration Discovery | ||
Enterprise | T1049 | System Network Connections Discovery |
PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1] |
|
Enterprise | T1007 | System Service Discovery |
PoshC2 can enumerate service and service permission information.[1] |
|
Enterprise | T1569 | .002 | System Services: Service Execution |
PoshC2 contains an implementation of PsExec for remote execution.[1] |
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
PoshC2 contains modules for searching for passwords in local and remote files.[1] |
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1] |
Enterprise | T1047 | Windows Management Instrumentation |
PoshC2 has a number of modules that use WMI to execute tasks.[1] |
ID | Name | References |
---|---|---|
G0064 | APT33 |