ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

PoshC2 TLS Connection

Risk Factors

PoshC2 is a publicly available and well-known tool associated with pen testing, security assessments, and persistent, planned attacks. Through a persistent C&C channel, an attacker can remotely control a device and gain an entry point for further attacks on the network.

Kill Chain

Command-and-Control

Risk Score

60

Detection diagram
Next in Command-and-Control: Redline Stealer HTTP Activity

Attack Background

PoshC2 is a post-exploitation framework that is often associated with malicious activity. The PoshC2 framework enables an attacker to disguise C&C communications as legitimate traffic from a PoshC2 agent installed on the victim device. After the victim establishes a successful TLS connection with the C&C server, the victim and the C&C server exchange HTTP requests and responses. HTTP responses from the C&C server include tasks such as "sleep" or "run command." HTTP requests from the victim include encrypted information such as metadata or command output.

Mitigation Options

Quarantine the device while checking for the presence of malware

Monitor and investigate unusual network activity for lateral movement or data exfiltration

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right