PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Enterprise | T1134 | Access Token Manipulation | PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[1] |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | |
| Enterprise | T1087.001 | Account Discovery: Local Account | PoshC2 can enumerate local and domain user account information.[1] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | PoshC2 can enumerate local and domain user account information.[1] |
| Enterprise | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | |
| Enterprise | T1119 | Automated Collection | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1] |
| Enterprise | T1110 | Brute Force | PoshC2 has modules for brute forcing local administrator and AD user accounts.[1] |
| Enterprise | T1555 | Credentials from Password Stores | PoshC2 can decrypt passwords stored in the RDCMan configuration file.[2] |
| Enterprise | T1482 | Domain Trust Discovery | |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI events.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1] |
| Enterprise | T1210 | Exploitation of Remote Services | PoshC2 contains a module for exploiting SMB via EternalBlue.[1] |
| Enterprise | T1083 | File and Directory Discovery | PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1] |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1040 | Network Sniffing | PoshC2 contains a module for taking packet captures on compromised hosts.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1] |
| Enterprise | T1201 | Password Policy Discovery | PoshC2 can use |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | PoshC2 contains modules, such as |
| Enterprise | T1055 | Process Injection | PoshC2 contains multiple modules for injecting into processes, such as |
| Enterprise | T1090 | Proxy | PoshC2 contains modules that allow for use of proxies in command and control.[1] |
| Enterprise | T1082 | System Information Discovery | PoshC2 contains modules, such as |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1] |
| Enterprise | T1007 | System Service Discovery | PoshC2 can enumerate service and service permission information.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | PoshC2 contains an implementation of PsExec for remote execution.[1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | PoshC2 contains modules for searching for passwords in local and remote files.[1] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | PoshC2 has a number of modules that use WMI to execute tasks.[1] |
| ID | Name | References |
|---|---|---|
| G0064 | APT33 | |
| G0034 | Sandworm Team | Sandworm Team has used multiple publicly available tools during operations, such as PoshC2.[5] |
| G1001 | HEXANE | |