Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. PowerSploit

PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]

ID: S0194
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 18 April 2018
Last Modified: 28 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens.[1][3]
Enterprise T1087 .001 Account Discovery: Local Account

PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.[1][3]
Enterprise T1123 Audio Capture

PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.[1][3]
Enterprise T1547 .005 Boot or Logon Autostart Execution: Security Support Provider

PowerSploit's Install-SSP Persistence module can be used to establish by installing a SSP DLL.[1][3]
.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[1][3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowerSploit modules are written in and executed via PowerShell.[1][3]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.[1][3]
Enterprise T1555 Credentials from Password Stores

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[1][3]
Enterprise T1005 Data from Local System

PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.[1][3]
Enterprise T1482 Domain Trust Discovery

PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[1][3]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.[1][3]
.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.[1][3]
.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities.[1][3]
.009 Hijack Execution Flow: Path Interception by Unquoted Path

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities.[1][3]
Enterprise T1056 .001 Input Capture: Keylogging

PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.[1][3]
Enterprise T1027 Obfuscated Files or Information

PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.[1][3]
.005 Indicator Removal from Tools

PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.[1][3]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.[1][3]
Enterprise T1057 Process Discovery

PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.[1][3]
Enterprise T1055 .002 Process Injection: Portable Executable Injection

PowerSploit reflectively loads a Windows PE file into a process.[1][3]
.001 Process Injection: Dynamic-link Library Injection

PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.[1][3]
Enterprise T1012 Query Registry

PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[1][3]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish via a Scheduled Task/Job.[1][3]
Enterprise T1113 Screen Capture

PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.[1][3]
Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

PowerSploit's Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.[4][5]
Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.[6]
.006 Unsecured Credentials: Group Policy Preferences

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.[1][3]
Enterprise T1047 Windows Management Instrumentation

PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.[1][3]

Groups That Use This Software

ID Name References
G0045 menuPass

[7]
G0040 Patchwork

[8]
G0064 APT33

[9]
G0096 APT41

[10]
G0069 MuddyWater

[11]

References

  1. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  2. Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.
  3. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  4. Schroeder, W. & Hart M. (2016, October 31). Invoke-Kerberoast. Retrieved March 23, 2018.
  5. Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.
  6. netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.
  1. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  2. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  3. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  4. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  5. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.