S0378 PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
Item | Value |
---|---|
ID | S0378 |
Associated Names | |
Type | TOOL |
Version | 1.3 |
Created | 23 April 2019 |
Last Modified | 03 June 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | PoshC2 can utilize multiple methods to bypass UAC.[1] |
enterprise | T1134 | Access Token Manipulation | PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[1] |
enterprise | T1134.002 | Create Process with Token | PoshC2 can use Invoke-RunAs to make tokens.[1] |
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | PoshC2 can enumerate local and domain user account information.[1] |
enterprise | T1087.002 | Domain Account | PoshC2 can enumerate local and domain user account information.[1] |
enterprise | T1557 | Adversary-in-the-Middle | - |
enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | PoshC2 contains a module for compressing data using ZIP.[1] |
enterprise | T1119 | Automated Collection | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1] |
enterprise | T1110 | Brute Force | PoshC2 has modules for brute forcing local administrator and AD user accounts.[1] |
enterprise | T1555 | Credentials from Password Stores | PoshC2 can decrypt passwords stored in the RDCMan configuration file.[2] |
enterprise | T1482 | Domain Trust Discovery | PoshC2 has modules for enumerating domain trusts.[1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI events.[1] |
enterprise | T1068 | Exploitation for Privilege Escalation | PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1] |
enterprise | T1210 | Exploitation of Remote Services | PoshC2 contains a module for exploiting SMB via EternalBlue.[1] |
enterprise | T1083 | File and Directory Discovery | PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1] |
enterprise | T1046 | Network Service Discovery | PoshC2 can perform port scans from an infected host.[1] |
enterprise | T1040 | Network Sniffing | PoshC2 contains a module for taking packet captures on compromised hosts.[1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1] |
enterprise | T1201 | Password Policy Discovery | PoshC2 can use Get-PassPol to enumerate the domain password policy.[1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | PoshC2 contains modules, such as Get-LocAdm, for enumerating permission groups.[1] |
enterprise | T1055 | Process Injection | PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.[1] |
enterprise | T1090 | Proxy | PoshC2 contains modules that allow for use of proxies in command and control.[1] |
enterprise | T1082 | System Information Discovery | PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[1] |
enterprise | T1016 | System Network Configuration Discovery | PoshC2 can enumerate network adapter information.[1] |
enterprise | T1049 | System Network Connections Discovery | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1] |
enterprise | T1007 | System Service Discovery | PoshC2 can enumerate service and service permission information.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | PoshC2 contains an implementation of PsExec for remote execution.[1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | PoshC2 contains modules for searching for passwords in local and remote files.[1] |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.002 | Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1] |
enterprise | T1047 | Windows Management Instrumentation | PoshC2 has a number of modules that use WMI to execute tasks.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0064 | APT33 | [3][4] |
G1001 | HEXANE | [2] |
References
1. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
2. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
3. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
4. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.