SYMBOLCOMMON_NAMEaka. SYNONYMS
win.poshc2 (Back to overview)

PoshC2

Actor(s): APT33


PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.

PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.

References
2022-09-06Check PointCheck Point Research
@online{research:20220906:dangeroussavanna:5bec8b7, author = {Check Point Research}, title = {{DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa}}, date = {2022-09-06}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/}, language = {English}, urldate = {2022-09-07} } DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
AsyncRAT Meterpreter PoshC2 DangerousSavanna
2022-07-18CensysCensys
@techreport{censys:20220718:russian:dfd4246, author = {Censys}, title = {{Russian Ransomware C2 Network Discovered in Censys Data}}, date = {2022-07-18}, institution = {Censys}, url = {https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf}, language = {English}, urldate = {2022-07-25} } Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2
2021-09-06dbappsecurity猎影实验室
@online{:20210906:operation:3e2fd42, author = {猎影实验室}, title = {{假面行动(Operation MaskFace)-疑似针对境外银行的利用问卷调查为主题的钓鱼攻击事件分析}}, date = {2021-09-06}, organization = {dbappsecurity}, url = {https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/}, language = {Chinese}, urldate = {2021-10-24} } 假面行动(Operation MaskFace)-疑似针对境外银行的利用问卷调查为主题的钓鱼攻击事件分析
PoshC2
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2020-08-20Seebug PaperMalayke
@online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2
2020-07-13FireEyeAndrew Thompson, Aaron Stephens
@online{thompson:20200713:scandalous:15d59a2, author = {Andrew Thompson and Aaron Stephens}, title = {{SCANdalous! (External Detection Using Network Scan Data and Automation)}}, date = {2020-07-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html}, language = {English}, urldate = {2020-07-15} } SCANdalous! (External Detection Using Network Scan Data and Automation)
POWERTON QUADAGENT PoshC2
2020-06-17Nettitude LabsRob Bone
@online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } Detecting PoshC2 – Indicators of Compromise
PoshC2
2020-01-17JPCERT/CCTakayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2020-01-01Github (nettitude)Nettitude
@online{nettitude:20200101:repository:640d828, author = {Nettitude}, title = {{Repository for Python Server for PoshC2}}, date = {2020-01-01}, organization = {Github (nettitude)}, url = {https://github.com/nettitude/PoshC2_Python/}, language = {English}, urldate = {2020-01-08} } Repository for Python Server for PoshC2
PoshC2
2019-12-05Github (jeFF0Falltrades)Jeff Archer
@online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } PoshC2 (specifically as used by APT33)
PoshC2
2019-11-18Rewterz Information SecurityRewterz Information Security
@online{security:20191118:rewterz:29686ba, author = {Rewterz Information Security}, title = {{REWTERZ THREAT ALERT – IRANIAN APT USES JOB SCAMS TO LURE TARGETS}}, date = {2019-11-18}, organization = {Rewterz Information Security}, url = {http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets}, language = {English}, urldate = {2019-12-17} } REWTERZ THREAT ALERT – IRANIAN APT USES JOB SCAMS TO LURE TARGETS
PoshC2
2018-12-21FireEyeGeoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr
@online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy

There is no Yara-Signature yet.