PoshC2
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | PoshC2 can utilize multiple methods to bypass UAC.(Citation: GitHub PoshC2)
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | PoshC2 can use Invoke-RunAs to create tokens.(Citation: GitHub PoshC2)
Enterprise | T1087.001 | Account Discovery: Local Account | PoshC2 can enumerate local and domain user account information.(Citation: GitHub PoshC2)
Enterprise | T1087.002 | Account Discovery: Domain Account | PoshC2 can enumerate local and domain user account information.(Citation: GitHub PoshC2)
Enterprise | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.(Citation: GitHub PoshC2)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.(Citation: GitHub PoshC2)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | PoshC2 contains a module for compressing data using ZIP.(Citation: GitHub PoshC2)
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI events.(Citation: GitHub PoshC2)
Enterprise | T1056.001 | Input Capture: Keylogging | PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.(Citation: GitHub PoshC2)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PoshC2 contains an implementation of Mimikatz to gather credentials from memory.(Citation: GitHub PoshC2)
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | PoshC2 contains modules, such as
Enterprise | T1569.002 | System Services: Service Execution | PoshC2 contains an implementation of PsExec for remote execution.(Citation: GitHub PoshC2)
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | PoshC2 contains modules for searching for passwords in local and remote files.(Citation: GitHub PoshC2)
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement.(Citation: GitHub PoshC2)
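The T1546.003 row above only says that PoshC2 can persist through WMI event subscriptions. On the defensive side, a permanent subscription always leaves three WMI objects (an `__EventFilter`, an event consumer, and a `__FilterToConsumerBinding`), and Sysmon records their creation as event IDs 19, 20 and 21. The following is an added example written for this page, not PoshC2's own code and not taken from the ATT&CK entry: it correlates those three Sysmon events into subscriptions and scores each one. It assumes the events arrive as one JSON object per line using Sysmon's field names (`Name`, `Query`, `Type`, `Destination`, `Consumer`, `Filter`); the filter/consumer names, user names and the encoded command line in the sample are constructed, and the scoring weights are illustrative choices, not a published rule.

```python
"""Correlate Sysmon WMI events (IDs 19/20/21) into permanent event subscriptions
and score them for T1546.003-style persistence. Added example, not PoshC2 code."""
import json
import re
from dataclasses import dataclass

# Sysmon event IDs for WMI activity: 19 = event filter, 20 = consumer, 21 = binding.
EID_FILTER, EID_CONSUMER, EID_BINDING = 19, 20, 21

# Consumer classes that execute attacker-supplied content when the filter fires.
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Command-line markers typical of hidden/encoded PowerShell stagers.
SUSPICIOUS_CMD = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b|downloadstring",
    re.IGNORECASE,
)
# Sysmon renders the binding's endpoints as WMI object paths: Class.Name="value"
OBJ_PATH = re.compile(r'\.Name="([^"]+)"')

# Constructed sample telemetry (not real logs): one malicious subscription and the
# default "SCM Event Log" subscription that Windows ships with, for a benign baseline.
SAMPLE_LOG = [
    r'{"EventID":"19","Operation":"Created","User":"LAB\\admin","EventNamespace":"root\\subscription","Name":"UpdaterFilter","Query":"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \"Win32_PerfFormattedData_PerfOS_System\" AND TargetInstance.SystemUpTime >= 240"}',
    r'{"EventID":"20","Operation":"Created","User":"LAB\\admin","Name":"Updater","Type":"CommandLineEventConsumer","Destination":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}',
    r'{"EventID":"21","Operation":"Created","User":"LAB\\admin","Consumer":"CommandLineEventConsumer.Name=\"Updater\"","Filter":"__EventFilter.Name=\"UpdaterFilter\""}',
    r'{"EventID":"19","Operation":"Created","User":"NT AUTHORITY\\SYSTEM","EventNamespace":"root\\subscription","Name":"SCM Event Log Filter","Query":"select * from MSFT_SCMEventLogEvent"}',
    r'{"EventID":"20","Operation":"Created","User":"NT AUTHORITY\\SYSTEM","Name":"SCM Event Log Consumer","Type":"NTEventLogEventConsumer","Destination":""}',
    r'{"EventID":"21","Operation":"Created","User":"NT AUTHORITY\\SYSTEM","Consumer":"NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"","Filter":"__EventFilter.Name=\"SCM Event Log Filter\""}',
]


@dataclass
class Finding:
    filter_name: str
    consumer_name: str
    consumer_type: str
    user: str
    score: int
    reasons: list


def parse_events(lines):
    """Parse JSON lines (one Sysmon event each) into (event_id, fields) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            ev = json.loads(line)
            events.append((int(ev["EventID"]), ev))
    return events


def correlate(lines):
    """Join bindings (21) to their filter (19) and consumer (20) and score each."""
    filters, consumers, bindings = {}, {}, []
    for eid, ev in parse_events(lines):
        if ev.get("Operation", "Created") != "Created":
            continue  # deletions do not establish persistence
        if eid == EID_FILTER:
            filters[ev["Name"]] = ev
        elif eid == EID_CONSUMER:
            consumers[ev["Name"]] = ev
        elif eid == EID_BINDING:
            bindings.append(ev)

    findings = []
    for b in bindings:
        fm = OBJ_PATH.search(b.get("Filter", ""))
        cm = OBJ_PATH.search(b.get("Consumer", ""))
        if not (fm and cm):
            continue
        fname, cname = fm.group(1), cm.group(1)
        filt, cons = filters.get(fname, {}), consumers.get(cname, {})
        # Fall back to the class in the object path if event 20 was not captured.
        ctype = cons.get("Type") or b["Consumer"].split(".", 1)[0]
        score, reasons = 0, []
        if ctype in EXEC_CONSUMERS:
            score += 2
            reasons.append(f"{ctype} executes attacker-controlled content")
        if SUSPICIOUS_CMD.search(cons.get("Destination", "")):
            score += 3
            reasons.append("consumer launches hidden/encoded PowerShell")
        q = filt.get("Query", "")
        if "__InstanceModificationEvent" in q and "WITHIN" in q.upper():
            score += 1
            reasons.append("polling filter, the usual trigger for malicious subscriptions")
        if not filt or not cons:
            reasons.append("filter or consumer creation not seen (orphan binding)")
        findings.append(Finding(fname, cname, ctype, b.get("User", "?"), score, reasons))
    return findings


def detect(lines, threshold=3):
    """Return subscriptions whose score reaches the (illustrative) alert threshold."""
    return [f for f in correlate(lines) if f.score >= threshold]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"ALERT {f.user}: {f.filter_name} -> {f.consumer_name} ({f.consumer_type}) score={f.score}")
        for r in f.reasons:
            print("  -", r)
```

Sysmon only emits IDs 19 to 21 when its configuration includes a `WmiEvent` rule, so the first thing to check is that those events exist at all in the collected telemetry. The benign "SCM Event Log" subscription in the sample scores zero, which is what the baseline of default subscriptions should look like.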
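The T1071.001 row notes that PoshC2 tunnels command and control over HTTP/HTTPS. Such implants poll their server on a sleep interval with some jitter, and that regularity is visible in web proxy logs even when the request bodies are encrypted. The block below is an added example, not PoshC2 code and not part of the ATT&CK entry: it groups requests by client and destination, takes the gaps between consecutive requests, and flags pairs whose gap distribution is too regular for a human. The log format (epoch, source IP, destination IP, method, path, status) and the two clients in the sample are constructed; the thresholds are starting points to tune, not published values, and nothing here relies on PoshC2's actual defaults.

```python
"""Flag beacon-like HTTP(S) request timing (T1071.001) in proxy logs.
Added example for this page, not PoshC2's own code."""
import random
import statistics
from collections import defaultdict

MIN_REQUESTS = 8          # fewer samples make the gap statistics meaningless
MAX_JITTER_CV = 0.3       # pstdev/mean of gaps; +/-20% uniform jitter stays <= 0.2
MIN_SLEEP, MAX_SLEEP = 1.0, 3600.0   # ignore sub-second bursts and once-a-day jobs


def _build_sample_log():
    """Constructed proxy log: a client beaconing every ~5 s with +/-20% jitter,
    and an interactive browser whose gaps are bursty. Hosts/paths are made up."""
    rng = random.Random(7)
    lines = []
    t = 1700000000.0
    for _ in range(12):
        t += 5.0 * rng.uniform(0.8, 1.2)
        lines.append(f"{t:.3f} 10.0.0.5 203.0.113.10 GET /cdn/static/app.js 200")
    t = 1700000000.0
    for gap in [0.3, 0.2, 0.4, 45.0, 0.5, 0.2, 120.0, 0.3, 0.6, 30.0, 0.2]:
        t += gap
        lines.append(f"{t:.3f} 10.0.0.7 198.51.100.20 GET /news/index.html 200")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (timestamp, src, dst) from one constructed-format log line."""
    ts, src, dst, _method, _path, _status = line.split()
    return float(ts), src, dst


def beacon_candidates(lines, min_requests=MIN_REQUESTS, max_cv=MAX_JITTER_CV):
    """Per (src, dst) pair: estimate the sleep (median gap) and the jitter
    (coefficient of variation of gaps); report pairs that look machine-timed."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if not (MIN_SLEEP <= mean <= MAX_SLEEP):
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "requests": len(stamps),
                "sleep_estimate": round(statistics.median(gaps), 2),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_LOG):
        print(f"beacon? {f['src']} -> {f['dst']}: {f['requests']} requests, "
              f"sleep~{f['sleep_estimate']}s, jitter cv={f['jitter_cv']}")
```

The browsing client in the sample has a mean gap inside the accepted range but a coefficient of variation near 2, so it is not reported; the jittered beacon stays well under the 0.3 bound. In production, keying on the destination host name rather than IP and excluding known software-update and telemetry endpoints removes most of the remaining noise.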
Groups That Use This Software

ID | Name | References
---|---|---
G0064 | APT33 | (Citation: FireEye APT33 Guardrail) (Citation: Symantec Elfin Mar 2019)
G1001 | HEXANE | (Citation: SecureWorks August 2019)
References

- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.