PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | PoshC2 has a number of modules that use WMI to execute tasks.[1] |
| Enterprise | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI events.[1] |
| Enterprise | T1555 | Credentials from Password Stores | PoshC2 can decrypt passwords stored in the RDCMan configuration file.[2] |
| Enterprise | T1090 | Proxy | PoshC2 contains modules that allow for use of proxies in command and control.[1] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1] |
| Enterprise | T1482 | Domain Trust Discovery | |
| Enterprise | T1201 | Password Policy Discovery | PoshC2 can use |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1] |
| Enterprise | T1083 | File and Directory Discovery | PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1] |
| Enterprise | T1110 | Brute Force | PoshC2 has modules for brute forcing local administrator and AD user accounts.[1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | PoshC2 contains modules for searching for passwords in local and remote files.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1] |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | PoshC2 contains modules, such as |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Enterprise | T1082 | System Information Discovery | PoshC2 contains modules, such as |
| Enterprise | T1569.002 | System Services: Service Execution | PoshC2 contains an implementation of PsExec for remote execution.[1] |
| Enterprise | T1007 | System Service Discovery | PoshC2 can enumerate service and service permission information.[1] |
| Enterprise | T1049 | System Network Connections Discovery | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1040 | Network Sniffing | PoshC2 contains a module for taking packet captures on compromised hosts.[1] |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1119 | Automated Collection | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1] |
| Enterprise | T1134 | Access Token Manipulation | PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[1] |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | |
| Enterprise | T1087.001 | Account Discovery: Local Account | PoshC2 can enumerate local and domain user account information.[1] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | PoshC2 can enumerate local and domain user account information.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1] |
| Enterprise | T1055 | Process Injection | PoshC2 contains multiple modules for injecting into processes, such as |
| Enterprise | T1210 | Exploitation of Remote Services | PoshC2 contains a module for exploiting SMB via EternalBlue.[1] |
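The Inveigh row (T1557.001) only pays off against hosts that still answer LLMNR/NBT-NS queries and accept unsigned SMB sessions. The PowerShell audit below is an added example, not part of the original page or of the PoshC2 project: it reads the policy, adapter and SMB-signing settings that a poisoning-plus-relay chain depends on and reports each exposed one. The function name Test-PoisoningExposure is my own; the cmdlets, WMI class, registry path and values are standard Windows ones.

```powershell
# Added example (not PoshC2 code): audit a Windows host for the settings that make
# Inveigh-style LLMNR/NBT-NS poisoning and SMB relay effective.
# Run in an elevated Windows PowerShell session on Windows 8/Server 2012 or later.
# The function name is an assumption; cmdlets, class, registry path and values are
# the standard Windows ones.

function Test-PoisoningExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # LLMNR is off only when the DNSClient policy sets EnableMulticast = 0.
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
        $findings.Add('LLMNR enabled: no EnableMulticast=0 policy, so spoofed multicast name answers are accepted')
    }

    # NBT-NS is a per-adapter setting: TcpipNetbiosOptions 2 = disabled,
    # 1 = enabled, 0 = take the value from DHCP (enabled unless the DHCP server says otherwise).
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        if ($a.TcpipNetbiosOptions -ne 2) {
            $findings.Add("NetBIOS over TCP/IP not disabled on '$($a.Description)' (TcpipNetbiosOptions=$($a.TcpipNetbiosOptions))")
        }
    }

    # Relay: a captured NTLM exchange can be replayed to any SMB server that does not
    # require signing. Check this host both as a relay target (server side) and as a
    # client whose sessions could be relayed elsewhere.
    if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) {
        $findings.Add('SMB server signing not required: this host is a viable relay target')
    }
    if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
        $findings.Add('SMB client signing not required: sessions from this host can be relayed to unsigned servers')
    }

    return $findings
}

# @(...) guarantees an array even when the function returns zero or one finding.
$exposure = @(Test-PoisoningExposure)
if ($exposure.Count -eq 0) { 'No LLMNR/NBT-NS or SMB relay exposure found' } else { $exposure }
```

Each finding maps to one mitigation: the LLMNR policy value, per-adapter NetBIOS disablement (or the DHCP NetBIOS option), and SMB signing required on both server and client. Disabling the poisoning side without requiring signing still leaves relay possible from any other host on the segment that can be poisoned, so treat the signing findings as the ones that matter most.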
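The WMI event subscription row (T1546.003) describes a persistence mechanism that survives reboots because the filter, consumer and binding live in the WMI repository rather than on disk. The script below is an added example, not part of the original page or of the PoshC2 project: it resolves every permanent binding in root\subscription to its trigger query and its consumer payload, and flags the consumer classes that execute code. The function name Get-WmiSubscriptionPersistence is my own; the namespace, classes and properties are the standard WMI ones.

```powershell
# Added example (not PoshC2 code): list permanent WMI event subscriptions, the
# mechanism behind T1546.003, and flag bindings whose consumer runs a command or script.
# Needs local administrator rights to read root\subscription. Uses Get-WmiObject, so run
# it in Windows PowerShell 5.1 (the cmdlet is not present in PowerShell 7).
# The function name is an assumption; namespace, classes and properties are standard WMI.

function Get-WmiSubscriptionPersistence {
    $ns = 'root\subscription'

    # Index filters and consumers by Name so that each binding can be resolved.
    # Querying the abstract __EventConsumer class returns instances of every consumer
    # subclass (CommandLineEventConsumer, ActiveScriptEventConsumer, NTEventLogEventConsumer, ...).
    $filters   = @{}
    $consumers = @{}
    foreach ($f in Get-WmiObject -Namespace $ns -Class __EventFilter)   { $filters[$f.Name]   = $f }
    foreach ($c in Get-WmiObject -Namespace $ns -Class __EventConsumer) { $consumers[$c.Name] = $c }

    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer are WMI object paths such as __EventFilter.Name="MyFilter".
        $fName = if ($b.Filter   -match 'Name="([^"]+)"') { $Matches[1] } else { [string]$b.Filter }
        $cName = if ($b.Consumer -match 'Name="([^"]+)"') { $Matches[1] } else { [string]$b.Consumer }
        $f = $filters[$fName]
        $c = $consumers[$cName]

        # Executing consumers carry their payload in one of these properties.
        $payload = '(non-executing consumer)'
        if ($null -eq $c)                { $payload = '(consumer not found)' }
        elseif ($c.CommandLineTemplate)  { $payload = $c.CommandLineTemplate }
        elseif ($c.ScriptText)           { $payload = $c.ScriptText }
        elseif ($c.ScriptFilename)       { $payload = $c.ScriptFilename }

        $trigger      = if ($f) { $f.Query } else { '(filter not found)' }
        $consumerType = if ($c) { $c.__CLASS } else { $null }
        $runsCode     = ($null -ne $c) -and ($consumerType -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')

        [pscustomobject]@{
            Filter       = $fName
            Trigger      = $trigger
            ConsumerType = $consumerType
            Consumer     = $cName
            Payload      = $payload
            RunsCode     = $runsCode
        }
    }
}

Get-WmiSubscriptionPersistence | Format-List
```

Most Windows installs carry one benign binding by default, the SCM Event Log Filter bound to the SCM Event Log Consumer (an NTEventLogEventConsumer, so RunsCode is false); anything with RunsCode true, or a trigger query watching for logon, process start or a timer, deserves a closer look. Temporary subscriptions created with Register-WmiEvent do not appear here because they live only in the creating process and do not survive a reboot.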
| ID | Name | References |
|---|---|---|
| G0064 | APT33 | |
| G0034 | Sandworm Team | Sandworm Team has used multiple publicly available tools during operations, such as PoshC2.[5] |
| G1001 | HEXANE | |