S0194 PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1][2][3]

ID: S0194
Associated Names: none listed
Type: TOOL
Version: 1.6
Created: 18 April 2018
Last Modified: 22 March 2023

Techniques Used (all entries are in the Enterprise domain; sub-techniques are indented under their parent technique)

T1134 Access Token Manipulation: PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens. [2][3]
T1087 Account Discovery
  T1087.001 Local Account: PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token. [2][3]
T1123 Audio Capture: PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio. [2][3]
T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key. [2][3]
  T1547.005 Security Support Provider: PowerSploit's Install-SSP Persistence module can be used to establish persistence by installing an SSP DLL. [2][3]
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: PowerSploit modules are written in and executed via PowerShell. [2][3]
T1543 Create or Modify System Process
  T1543.003 Windows Service: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs. [2][3]
T1555 Credentials from Password Stores
  T1555.004 Windows Credential Manager: PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects. [2][3]
T1005 Data from Local System: PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes. [2][3]
T1482 Domain Trust Discovery: PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts. [2][3]
T1574 Hijack Execution Flow
  T1574.001 DLL Search Order Hijacking: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes. [2][3]
  T1574.007 Path Interception by PATH Environment Variable: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable. [2][3]
  T1574.008 Path Interception by Search Order Hijacking: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities. [2][3]
  T1574.009 Path Interception by Unquoted Path: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities. [2][3]
T1056 Input Capture
  T1056.001 Keylogging: PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes. [2][3]
T1027 Obfuscated Files or Information
  T1027.005 Indicator Removal from Tools: PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures. [2][3]
  T1027.010 Command Obfuscation: PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads. [2][3]
T1003 OS Credential Dumping
  T1003.001 LSASS Memory: PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz. [2][3]
T1057 Process Discovery: PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process. [2][3]
T1055 Process Injection
  T1055.001 Dynamic-link Library Injection: PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process. [2][3]
T1012 Query Registry: PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities. [2][3]
T1620 Reflective Code Loading: PowerSploit reflectively loads a Windows PE file into a process. [2][3]
T1053 Scheduled Task/Job
  T1053.005 Scheduled Task: PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task/Job. [2][3]
T1113 Screen Capture: PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals. [2][3]
T1558 Steal or Forge Kerberos Tickets
  T1558.003 Kerberoasting: PowerSploit's Invoke-Kerberoast module can request service tickets and return crackable ticket hashes. [5][6]
T1552 Unsecured Credentials
  T1552.002 Credentials in Registry: PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon. [4]
  T1552.006 Group Policy Preferences: PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences. [2][3]
T1047 Windows Management Instrumentation: PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload. [2][3]

Groups That Use This Software

G0069 MuddyWater [9]
G0040 Patchwork [10]
G0096 APT41 [11]
G0045 menuPass [12]
G0064 APT33 [13]
G0092 TA505 [14]
G0046 FIN7 [15]
G1006 Earth Lusca [16]
G0065 Leviathan [17]

References

  1. Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.
  2. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  3. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  4. netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.
  5. Schroeder, W. & Hart, M. (2016, October 31). Invoke-Kerberoast. Retrieved March 23, 2018.
  6. Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.
  7. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  8. Dantzig, M. v. & Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  9. Lunghi, D. & Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  10. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  11. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  12. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  13. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  14. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  15. Loui, E. & Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  16. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
  17. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.