Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

ID: S0378
Type: TOOL
Platforms: Windows, Linux, macOS
Version: 1.2
Created: 23 April 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

PoshC2 can utilize multiple methods to bypass UAC.[1]

Enterprise T1134 Access Token Manipulation

PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[1]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

PoshC2 can use Invoke-RunAs to create processes under a different user's token.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

PoshC2 can enumerate local and domain user account information.[1]

Enterprise T1087 .001 Account Discovery: Local Account

PoshC2 can enumerate local and domain user account information.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PoshC2 contains a module for compressing data using ZIP.[1]

Enterprise T1119 Automated Collection

PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1]

Enterprise T1110 Brute Force

PoshC2 has modules for brute forcing local administrator and AD user accounts.[1]

Enterprise T1482 Domain Trust Discovery

PoshC2 has modules for enumerating domain trusts.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

PoshC2 has the ability to persist on a system using WMI events.[1]
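Permanent WMI event subscriptions of the kind this technique relies on live in the root\subscription namespace as a filter (the trigger), a consumer (the payload) and a binding that ties them together. The following script is an added example written for this page, not PoshC2 code; it lists every binding on the local host with the consumer payload, and flags payloads that contain strings typical of PowerShell-based implants. The indicator list and the 'benign' baseline are assumptions to tune per environment; it needs local administrator rights and Windows PowerShell (Get-WmiObject).

```powershell
# Added example (not PoshC2 code): enumerate permanent WMI event subscriptions,
# which is where T1546.003 persistence is registered, and flag suspicious consumers.
# Assumes Windows PowerShell (Get-WmiObject) and local admin rights for root\subscription.
function Get-WmiPersistence {
    $ns = 'root\subscription'

    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter              -ErrorAction SilentlyContinue
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer            -ErrorAction SilentlyContinue
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding  -ErrorAction SilentlyContinue

    # Strings that commonly appear in PowerShell-based consumers (assumption; tune to your estate).
    $suspicious = 'powershell', '-enc', '-e ', 'frombase64string', 'iex', 'invoke-expression', 'downloadstring', 'hidden'

    foreach ($b in $bindings) {
        # Filter/Consumer are WMI object paths such as __EventFilter.Name="foo"; extract the Name.
        $filterName   = $b.Filter   -replace '.*Name="([^"]*)".*', '$1'
        $consumerName = $b.Consumer -replace '.*Name="([^"]*)".*', '$1'

        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName

        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { '' }
        $hits = $suspicious | Where-Object { $payload -match [regex]::Escape($_) }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $f.Query            # the WQL trigger, e.g. a timer or process-start event
            Consumer     = $consumerName
            ConsumerType = $c.__CLASS
            Payload      = $payload
            Suspicious   = [bool]$hits
        }
    }
}

Get-WmiPersistence | Format-List
```

Most Windows installs carry one benign binding, the "SCM Event Log Filter" / "SCM Event Log Consumer" pair, so compare against a known-good baseline rather than treating any binding as malicious. Event-based persistence of this kind does not show up in autoruns-style registry checks, which is why the subscription namespace needs to be queried directly.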

Enterprise T1068 Exploitation for Privilege Escalation

PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1]

Enterprise T1210 Exploitation of Remote Services

PoshC2 contains a module for exploiting SMB via EternalBlue.[1]

Enterprise T1083 File and Directory Discovery

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1]

Enterprise T1056 .001 Input Capture: Keylogging

PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1]

Enterprise T1557 .001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1]
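Inveigh-style attacks depend on hosts answering LLMNR and NBT-NS broadcasts and on SMB servers accepting unsigned sessions, so the host-side controls are to turn both name-resolution fallbacks off and require SMB signing. The check below is an added example for this page, not PoshC2 or Inveigh code; it reads the registry values the corresponding Group Policy settings write and reports pass/fail for each. The registry paths are the standard ones, and the script only reads them.

```powershell
# Added example (not PoshC2 or Inveigh code): read-only check of the three host settings
# that blunt LLMNR/NBT-NS poisoning and SMB relay (T1557.001).
function Get-NameResolutionHardening {
    $results = @()

    # 1. LLMNR: Computer Configuration > Administrative Templates > Network > DNS Client >
    #    "Turn off multicast name resolution" writes EnableMulticast = 0.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Control = 'LLMNR disabled'
        Value   = if ($null -eq $llmnr) { '(not set, LLMNR on)' } else { $llmnr.EnableMulticast }
        Pass    = ($null -ne $llmnr) -and ($llmnr.EnableMulticast -eq 0)
    }

    # 2. NetBIOS over TCP/IP is per interface: NetbiosOptions 2 = disabled (0 = DHCP default, 1 = enabled).
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue
    $nbtOn  = foreach ($i in $ifaces) {
        $opt = (Get-ItemProperty $i.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { $i.PSChildName }
    }
    $results += [pscustomobject]@{
        Control = 'NetBIOS over TCP/IP disabled on all interfaces'
        Value   = if ($nbtOn) { "enabled on: $($nbtOn -join ', ')" } else { 'disabled' }
        Pass    = -not $nbtOn
    }

    # 3. Requiring SMB signing on the server side stops relayed authentication being accepted by this host.
    $smb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Control = 'SMB server signing required'
        Value   = if ($null -eq $smb) { '(not set)' } else { $smb.RequireSecuritySignature }
        Pass    = ($null -ne $smb) -and ($smb.RequireSecuritySignature -eq 1)
    }

    $results
}

Get-NameResolutionHardening | Format-Table -AutoSize
```

Run it as an administrator on a sample of workstations and servers; a failing first check is what makes the poisoning half of the attack work, and a failing third check is what makes the relay half work, so both need to pass for the control to hold.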

Enterprise T1046 Network Service Scanning

PoshC2 can perform port scans from an infected host.[1]

Enterprise T1040 Network Sniffing

PoshC2 contains a module for taking packet captures on compromised hosts.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1]
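Reading credentials out of LSASS requires the implant process to open a handle to lsass.exe with read access, and Sysmon records that as Event ID 10 (ProcessAccess) when a ProcessAccess rule for lsass.exe is configured. The script below is an added example for this page, not PoshC2 or Mimikatz code; it pulls those events from the Sysmon log, filters to lsass.exe as the target, and flags access masks associated with credential dumping coming from non-system source images. The access-mask list and the benign-source list are assumptions to baseline per environment, and the session must be able to read the Sysmon operational log.

```powershell
# Added example (not PoshC2 code): surface handles opened to lsass.exe that Sysmon recorded as
# Event ID 10 (ProcessAccess). Assumes Sysmon is installed with a ProcessAccess rule covering lsass.exe.
function Get-LsassAccessEvents {
    $logName = 'Microsoft-Windows-Sysmon/Operational'

    # GrantedAccess values typical of in-memory credential dumping (assumption; extend as needed).
    $dumpMasks = '0x1010', '0x1410', '0x1438', '0x1FFFFF'

    # Source images that legitimately touch lsass.exe on many hosts (assumption; baseline yours).
    $benignSources = @(
        'C:\Windows\System32\svchost.exe',
        'C:\Windows\System32\wbem\WmiPrvSE.exe',
        'C:\Windows\System32\csrss.exe',
        'C:\Windows\System32\wininit.exe'
    )

    Get-WinEvent -FilterHashtable @{ LogName = $logName; ID = 10 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name instead of by position so Sysmon schema changes do not break us.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if ($d.TargetImage -notlike '*\lsass.exe') { return }   # 'return' moves to the next event

            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d.SourceImage
                SourcePid     = $d.SourceProcessId
                GrantedAccess = $d.GrantedAccess
                CallTrace     = $d.CallTrace      # unbacked/UNKNOWN frames here often mean injected code
                Suspicious    = ($dumpMasks -contains $d.GrantedAccess) -and
                                ($benignSources -notcontains $d.SourceImage)
            }
        }
}

Get-LsassAccessEvents | Where-Object Suspicious | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because PoshC2 implants run inside a PowerShell host, the SourceImage on a hit is typically powershell.exe or a process the implant was injected into, and the CallTrace frequently contains frames with no backing module; both are worth a second look even when the access mask is not on the list.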

Enterprise T1201 Password Policy Discovery

PoshC2 can use Get-PassPol to enumerate the domain password policy.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

PoshC2 contains modules, such as Get-LocAdm, for enumerating permission groups.[1]

Enterprise T1055 Process Injection

PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.[1]

Enterprise T1090 Proxy

PoshC2 contains modules that allow for use of proxies in command and control.[1]

Enterprise T1082 System Information Discovery

PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[1]

Enterprise T1016 System Network Configuration Discovery

PoshC2 can enumerate network adapter information.[1]

Enterprise T1049 System Network Connections Discovery

PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1]

Enterprise T1007 System Service Discovery

PoshC2 can enumerate service and service permission information.[1]

Enterprise T1569 .002 System Services: Service Execution

PoshC2 contains an implementation of PsExec for remote execution.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

PoshC2 contains modules for searching for passwords in local and remote files.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1]

Enterprise T1047 Windows Management Instrumentation

PoshC2 has a number of modules that use WMI to execute tasks.[1]

Groups That Use This Software

ID Name References
G0064 APT33 [2][3]

References