Skip to content

S0378 PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.1

Item Value
ID S0378
Associated Names
Version 1.3
Created 23 April 2019
Last Modified 03 June 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control PoshC2 can utilize multiple methods to bypass UAC.1
enterprise T1134 Access Token Manipulation PoshC2 can use Invoke-TokenManipulation for manipulating tokens.1
enterprise T1134.002 Create Process with Token PoshC2 can use Invoke-RunAs to make tokens.1
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account PoshC2 can enumerate local and domain user account information.1
enterprise T1087.002 Domain Account PoshC2 can enumerate local and domain user account information.1
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility PoshC2 contains a module for compressing data using ZIP.1
enterprise T1119 Automated Collection PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.1
enterprise T1110 Brute Force PoshC2 has modules for brute forcing local administrator and AD user accounts.1
enterprise T1555 Credentials from Password Stores PoshC2 can decrypt passwords stored in the RDCMan configuration file.2
enterprise T1482 Domain Trust Discovery PoshC2 has modules for enumerating domain trusts.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription PoshC2 has the ability to persist on a system using WMI events.1
enterprise T1068 Exploitation for Privilege Escalation PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.1
enterprise T1210 Exploitation of Remote Services PoshC2 contains a module for exploiting SMB via EternalBlue.1
enterprise T1083 File and Directory Discovery PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.1
enterprise T1046 Network Service Discovery PoshC2 can perform port scans from an infected host.1
enterprise T1040 Network Sniffing PoshC2 contains a module for taking packet captures on compromised hosts.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory PoshC2 contains an implementation of Mimikatz to gather credentials from memory.1
enterprise T1201 Password Policy Discovery PoshC2 can use Get-PassPol to enumerate the domain password policy.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups PoshC2 contains modules, such as Get-LocAdm for enumerating permission groups.1
enterprise T1055 Process Injection PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.1
enterprise T1090 Proxy PoshC2 contains modules that allow for use of proxies in command and control.1
enterprise T1082 System Information Discovery PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.1
enterprise T1016 System Network Configuration Discovery PoshC2 can enumerate network adapter information.1
enterprise T1049 System Network Connections Discovery PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.1
enterprise T1007 System Service Discovery PoshC2 can enumerate service and service permission information.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution PoshC2 contains an implementation of PsExec for remote execution.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files PoshC2 contains modules for searching for passwords in local and remote files.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash PoshC2 has a number of modules that leverage pass the hash for lateral movement.1
enterprise T1047 Windows Management Instrumentation PoshC2 has a number of modules that use WMI to execute tasks.1

Groups That Use This Software

ID Name References
G0064 APT33 34
G1001 HEXANE 2