{"description": "Enterprise techniques used by PoshC2, ATT&CK software S0378 (v1.3)", "name": "PoshC2 (S0378)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can utilize multiple methods to bypass UAC.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can use Invoke-TokenManipulation for manipulating tokens.(Citation: GitHub PoshC2)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can use Invoke-RunAs to make tokens.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate local and domain user account information.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate local and domain user account information.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "showSubtechniques": true}, {"techniqueID": "T1557.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can use protocols like HTTP/HTTPS for command and control traffic.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains a module for compressing data using ZIP.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains a module for recursively parsing through files and directories to gather valid credit card numbers.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1110", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) has modules for brute forcing local administrator and AD user accounts.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1555", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can decrypt passwords stored in the RDCMan configuration file.(Citation: SecureWorks August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1482", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) has modules for enumerating domain trusts.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) has the ability to persist on a system using WMI events.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1068", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": 
"[PoshC2](https://attack.mitre.org/software/S0378) contains a module for exploiting SMB via EternalBlue.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate files on the local file system and includes a module for enumerating recently accessed files.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1046", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can perform port scans from an infected host.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains a module for taking packet captures on compromised hosts.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [Mimikatz](https://attack.mitre.org/software/S0002) to gather credentials from memory.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1201", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can use Get-PassPol to enumerate the domain password policy.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": 
"[PoshC2](https://attack.mitre.org/software/S0378) contains modules, such as Get-LocAdm for enumerating permission groups.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains multiple modules for injecting into processes, such as Invoke-PSInject.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains modules that allow for use of proxies in command and control.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains modules, such as Get-ComputerInfo, for enumerating common system information.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate network adapter information.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [netstat](https://attack.mitre.org/software/S0104) to enumerate TCP and UDP connections.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate service and service permission information.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [PsExec](https://attack.mitre.org/software/S0029) for remote execution.(Citation: GitHub PoshC2)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) contains modules for searching for passwords in local and remote files.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) has a number of modules that leverage pass the hash for lateral movement.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[PoshC2](https://attack.mitre.org/software/S0378) has a number of modules that use WMI to execute tasks.(Citation: GitHub PoshC2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PoshC2", "color": "#66b1ff"}]}