S0378: PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
Analyst context for executives and security teams
PoshC2 matters because it is a publicly available remote administration and post-exploitation framework with PowerShell-based implants and cross-platform elements. For leaders, the risk is not the tool name alone; it is the range of behaviors ATT&CK associates with it: credential access, discovery, privilege escalation, collection, command-and-control over web protocols, and proxying. Its presence or suspected use should trigger validation of endpoint, identity, and network visibility across Windows first, with Linux and macOS considered where relevant.
Executive priority
Prioritize PoshC2 as a readiness and resilience issue: can the organization rapidly confirm whether credential material, local/domain account information, network topology, and sensitive files were accessed after an endpoint compromise? Because ATT&CK links this tool to use by Sandworm Team, APT33, and HEXANE, it is relevant for threat-informed defense programs, especially in sectors or geographies that track those groups. Budget and control decisions should focus on credential protection, PowerShell and process behavior visibility, network egress monitoring, and incident response evidence retention rather than relying on tool-name detections.
Technical view
ATT&CK does not provide a dedicated detection section for PoshC2, so SOC and IR teams should validate coverage through the techniques mapped to the tool. On Windows, focus on PowerShell execution, LSASS memory access, WMI execution, token manipulation, process injection, local/domain account and group enumeration, service discovery, file and directory discovery, and web-based command-and-control. Across Linux and macOS, validate telemetry for service, account, network configuration, network connection, file, and system discovery, plus signs of network sniffing, proxy use, brute force activity, and automated collection. Treat detections as behavior chains rather than single alerts: discovery followed by credential access, privilege escalation, collection, and web/proxy C2 is more decision-useful than any one event in isolation.
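As an added example, not part of the ATT&CK object or of the Glexia analysis, the following Python sketch shows how the behavior-chain idea in this paragraph can be implemented over endpoint telemetry: it maps constructed sample events onto the stages named above (PowerShell execution, discovery, LSASS access, web command-and-control), correlates them per host within a time window, and grades the chain rather than any single event, suppressing a two-stage discovery chain that comes from a known administrative baseline. The event layout, the telemetry source labels (`process_create`, `wmi_exec`, `lsass_access`, `net_connect`), the discovery-command regex and the admin baseline are all assumptions of the example, not fields from any specific product.

```python
"""Behavior-chain correlation over endpoint telemetry (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. Record layout (an assumption of this
# example): (timestamp, host, user, telemetry_source, detail).
SAMPLE_EVENTS = [
    # WS01: PowerShell launch -> account/group discovery -> LSASS access -> outbound HTTPS
    ("2024-05-01T09:00:05", "WS01", "jdoe", "process_create", "powershell.exe -nop -w hidden -enc AAAA"),
    ("2024-05-01T09:00:40", "WS01", "jdoe", "process_create", "net user /domain"),
    ("2024-05-01T09:01:02", "WS01", "jdoe", "process_create", "net localgroup administrators"),
    ("2024-05-01T09:03:15", "WS01", "jdoe", "lsass_access", "GrantedAccess=0x1010 SourceImage=powershell.exe"),
    ("2024-05-01T09:04:00", "WS01", "jdoe", "net_connect", "dst=203.0.113.10:443 proto=https image=powershell.exe"),
    # ADM02: a baselined admin account running service/account discovery, no credential access
    ("2024-05-01T10:10:00", "ADM02", "svc-admin", "process_create", "powershell.exe Get-Service"),
    ("2024-05-01T10:10:30", "ADM02", "svc-admin", "process_create", "net user"),
    # WS07: one discovery command on its own
    ("2024-05-01T11:00:00", "WS07", "asmith", "process_create", "whoami /all"),
]

# Discovery commands to match; the list is illustrative, not exhaustive.
DISCOVERY = re.compile(
    r"\b(net (user|group|localgroup|view|accounts)|whoami|ipconfig|nltest|netstat|sc query"
    r"|Get-Service|Get-NetAdapter|Get-LocalUser|Get-ADUser|Get-ADTrust)\b",
    re.IGNORECASE,
)
CHAIN_ORDER = ["execution", "discovery", "credential_access", "c2"]
# Constructed baseline of (host, user) pairs whose discovery activity is expected.
ADMIN_BASELINE = {("ADM02", "svc-admin")}


def classify(source, detail):
    """Map one event to zero or more chain stages; one event may hit several."""
    stages = set()
    d = detail.lower()
    if source == "process_create" and "powershell" in d:
        stages.add("execution")
    if source in ("process_create", "wmi_exec") and DISCOVERY.search(detail):
        stages.add("discovery")
    if source == "lsass_access":
        stages.add("credential_access")
    if source == "net_connect" and "proto=http" in d:
        stages.add("c2")
    return stages


def correlate(events, window=timedelta(minutes=30)):
    """Per host, collect the stages seen within `window` of the host's first event
    and grade the chain. Production logic would slide the window over time; the
    fixed anchor keeps this example short."""
    by_host = defaultdict(list)
    for ts, host, user, source, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), user, source, detail))

    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        start = evs[0][0]
        first_seen, users = {}, set()
        for ts, user, source, detail in evs:
            if ts - start > window:
                break
            users.add(user)
            for stage in classify(source, detail):
                first_seen.setdefault(stage, ts)
        observed = [s for s in CHAIN_ORDER if s in first_seen]
        in_order = all(first_seen[a] <= first_seen[b] for a, b in zip(observed, observed[1:]))

        if "credential_access" in observed and len(observed) >= 3 and in_order:
            severity = "high"       # discovery then credential access (then C2): act on it
        elif len(observed) >= 2 and all((host, u) in ADMIN_BASELINE for u in users):
            severity = "baseline"   # expected admin activity: keep for audit, do not page
        elif len(observed) >= 2:
            severity = "medium"
        else:
            severity = "low"        # a lone discovery command is weak evidence
        findings[host] = {"stages": observed, "users": sorted(users), "severity": severity}
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {f['severity']:8s} {' -> '.join(f['stages'])}")
```

The grading deliberately treats the same discovery commands differently depending on what follows them and who ran them, which is the tuning point the page makes: discovery alone is common administrative noise, while discovery followed by LSASS access on a non-baselined host is the sequence worth an analyst's time.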
Likely telemetry
- Endpoint process creation and command-line telemetry, especially PowerShell on Windows
- PowerShell script block/module logging or equivalent PowerShell activity records where enabled
- Windows security events and endpoint telemetry for LSASS access, token use, privilege changes, and suspicious child processes
- WMI activity logs and process lineage for local or remote command execution
- Account and group enumeration evidence from host logs, identity logs, and command execution records
Detection direction
- Build detections around ATT&CK-mapped behaviors rather than the PoshC2 name, because the official object provides no detection guidance.
- Correlate PowerShell activity with follow-on discovery, credential access, WMI execution, token manipulation, process injection, collection, and outbound web/proxy communications.
- Tune discovery detections carefully: commands that enumerate services, accounts, files, and network settings can be legitimate administrative activity, so prioritize unusual users, hosts, timing, parent processes, and sequences.
- Validate whether LSASS access and credential dumping controls generate actionable telemetry, not just prevention events.
- Review HTTP/S and proxy egress for unusual destinations, uncommon clients, abnormal beacon-like patterns, or endpoint-to-endpoint proxy behavior, while accounting for normal enterprise web traffic volume.
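As an added example that is not part of the ATT&CK object or the Glexia text, the Python below sketches the egress review in the last bullet: it parses constructed proxy log lines, computes for each source/destination pair the inter-request intervals and their coefficient of variation (standard deviation over mean), flags high-count, low-jitter flows as beacon-like, and treats periodic traffic to known update destinations as allowlisted so that normal enterprise background traffic does not page anyone. The log layout, the thresholds and the allowlist are assumptions of the example.

```python
"""Periodicity review of web/proxy egress (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, not real traffic. Line layout (an assumption of this example):
# timestamp src_host destination bytes user_agent
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00 WS01 203.0.113.10 512 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:05:01 WS01 203.0.113.10 498 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:09:58 WS01 203.0.113.10 520 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:15:03 WS01 203.0.113.10 505 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:20:01 WS01 203.0.113.10 511 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:25:03 WS01 203.0.113.10 499 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:30:02 WS01 203.0.113.10 508 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:35:05 WS01 203.0.113.10 514 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:00:12 WS02 www.example.com 15032 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:00:14 WS02 www.example.com 2300 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:31:40 WS02 www.example.com 9100 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T10:02:03 WS02 www.example.com 12000 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:00:00 WS03 updates.example.net 1200 Windows-Update-Agent
2024-05-01T09:10:00 WS03 updates.example.net 1200 Windows-Update-Agent
2024-05-01T09:20:00 WS03 updates.example.net 1200 Windows-Update-Agent
2024-05-01T09:30:00 WS03 updates.example.net 1200 Windows-Update-Agent
2024-05-01T09:40:00 WS03 updates.example.net 1200 Windows-Update-Agent
2024-05-01T09:50:00 WS03 updates.example.net 1200 Windows-Update-Agent
"""

# Constructed allowlist: destinations whose traffic is expected to be periodic.
KNOWN_PERIODIC_DESTINATIONS = {"updates.example.net"}


def analyze(log_text, min_requests=6, max_cv=0.2):
    """Group requests by (source, destination) and grade each flow's regularity.

    A flow is beacon-like when it has at least `min_requests` hits and the
    coefficient of variation of its inter-request intervals is at most `max_cv`
    (low jitter). Thresholds are illustrative and should be tuned per network.
    """
    flows = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, size, user_agent = line.split(None, 4)
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size), user_agent))

    results = {}
    for key, hits in flows.items():
        hits.sort()
        times = [h[0] for h in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(intervals) >= 2:
            mean = statistics.mean(intervals)
            cv = statistics.stdev(intervals) / mean if mean > 0 else float("inf")
        else:  # too few requests to judge regularity
            mean, cv = (intervals[0] if intervals else 0.0), None

        periodic = cv is not None and len(hits) >= min_requests and cv <= max_cv
        if periodic and key[1] in KNOWN_PERIODIC_DESTINATIONS:
            verdict = "allowlisted_periodic"   # regular, but an expected destination
        elif periodic:
            verdict = "beacon_like"            # regular traffic to an unreviewed destination
        else:
            verdict = "normal"
        results[key] = {
            "count": len(hits),
            "mean_interval_s": round(mean, 1),
            "cv": None if cv is None else round(cv, 3),
            "distinct_user_agents": len({h[2] for h in hits}),
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in sorted(analyze(SAMPLE_PROXY_LOG).items()):
        print(f"{src} -> {dst}: {r['verdict']} (n={r['count']}, cv={r['cv']})")
```

The allowlist branch is the part that keeps this usable on real volumes: software update checks, monitoring agents and mail clients all poll on fixed schedules, so regularity alone is not a finding; regularity to a destination nobody has reviewed is what the analyst should open.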
Mitigation priorities
- Harden credential exposure first: restrict administrative privileges, protect LSASS where applicable, and monitor privileged account use.
- Improve PowerShell governance and logging on Windows, including visibility into script execution and suspicious process lineage.
- Reduce lateral movement and remote execution opportunity by tightening WMI and administrative access paths to only required users and systems.
- Apply least privilege and strong authentication controls to reduce the value of account discovery and brute force attempts.
- Maintain vulnerability and patch management discipline to reduce opportunities for exploitation-based privilege escalation.
Analyst notes and limits
The official description identifies PoshC2 as an open source remote administration and post-exploitation framework with Python server-side components, PowerShell implants, primary Windows focus, and a basic Python dropper for Linux/macOS. ATT&CK relationships map it to multiple techniques across credential access, discovery, execution, privilege escalation, stealth, collection, and command-and-control, and to use by Sandworm Team, APT33, and HEXANE. These relationships support threat-informed detection engineering but should not be treated as automatic attribution.
ATT&CK provides no official detection text for this software object, and the supplied fields do not include indicators, default infrastructure, specific commands, or confirmed active exploitation. Defensive conclusions must be validated against the organization’s actual platforms, logging configuration, administrative baselines, and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | PoshC2 can enumerate network adapter information. [1] |
| Enterprise | T1552.001 | Credentials In Files | PoshC2 contains modules for searching for passwords in local and remote files. [1] |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks. [1] |
| Enterprise | T1071.001 | Web Protocols | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | PoshC2 has a number of modules that use WMI to execute tasks. [1] |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099. [1] |
| Enterprise | T1007 | System Service Discovery | PoshC2 can enumerate service and service permission information. [1] |
| Enterprise | T1134.002 | Create Process with Token | PoshC2 can use Invoke-RunAs to make tokens. [1] |
| Enterprise | T1548.002 | Bypass User Account Control | PoshC2 can utilize multiple methods to bypass UAC. [1] |
| Enterprise | T1569.002 | Service Execution | |
| Enterprise | T1087.001 | Local Account | PoshC2 can enumerate local and domain user account information. [1] |
| Enterprise | T1119 | Automated Collection | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers. [1] |
| Enterprise | T1082 | System Information Discovery | PoshC2 contains modules, such as |
| Enterprise | T1056.001 | Keylogging | PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages. [1] |
| Enterprise | T1087.002 | Domain Account | PoshC2 can enumerate local and domain user account information. [1] |
| Enterprise | T1560.001 | Archive via Utility | PoshC2 contains a module for compressing data using ZIP. [1] |
| Enterprise | T1550.002 | Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement. [1] |
| Enterprise | T1069.001 | Local Groups | PoshC2 contains modules, such as |
| Enterprise | T1083 | File and Directory Discovery | PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files. [1] |
| Enterprise | T1090 | Proxy | PoshC2 contains modules that allow for use of proxies in command and control. [1] |
| Enterprise | T1110 | Brute Force | PoshC2 has modules for brute forcing local administrator and AD user accounts. [1] |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1055 | Process Injection | PoshC2 contains multiple modules for injecting into processes, such as |
| Enterprise | T1210 | Exploitation of Remote Services | PoshC2 contains a module for exploiting SMB via EternalBlue. [1] |
| Enterprise | T1482 | Domain Trust Discovery | PoshC2 has modules for enumerating domain trusts. [1] |
| Enterprise | T1134 | Access Token Manipulation | PoshC2 can use Invoke-TokenManipulation for manipulating tokens. [1] |
| Enterprise | T1046 | Network Service Discovery | PoshC2 can perform port scans from an infected host. [1] |
| Enterprise | T1555 | Credentials from Password Stores | PoshC2 can decrypt passwords stored in the RDCMan configuration file. (SecureWorks, August 2019) |
| Enterprise | T1040 | Network Sniffing | PoshC2 contains a module for taking packet captures on compromised hosts. [1] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI events. [1] |
| Enterprise | T1201 | Password Policy Discovery | PoshC2 can use |
Groups, software, and campaigns
G0064: APT33
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 44d6967fd5a7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] GitHub PoshC2: Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
[2] mitre-attack S0378
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.