S0194 PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. 1 2 3
| Item | Value |
|---|---|
| ID | S0194 |
| Associated Names | |
| Type | TOOL |
| Version | 1.4 |
| Created | 18 April 2018 |
| Last Modified | 05 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | PowerSploit‘s Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens.13 |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | PowerSploit‘s Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.13 |
| enterprise | T1123 | Audio Capture | PowerSploit‘s Get-MicrophoneAudio Exfiltration module can record system microphone audio.13 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | PowerSploit‘s New-UserPersistenceOption Persistence argument can be used to establish via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.13 |
| enterprise | T1547.005 | Security Support Provider | PowerSploit‘s Install-SSP Persistence module can be used to establish by installing a SSP DLL.13 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PowerSploit modules are written in and executed via PowerShell.13 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.13 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.004 | Windows Credential Manager | PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.13 |
| enterprise | T1005 | Data from Local System | PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.13 |
| enterprise | T1482 | Domain Trust Discovery | PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.13 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.13 |
| enterprise | T1574.007 | Path Interception by PATH Environment Variable | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.13 |
| enterprise | T1574.008 | Path Interception by Search Order Hijacking | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities.13 |
| enterprise | T1574.009 | Path Interception by Unquoted Path | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities.13 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | PowerSploit‘s Get-Keystrokes Exfiltration module can log keystrokes.13 |
| enterprise | T1027 | Obfuscated Files or Information | PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.13 |
| enterprise | T1027.005 | Indicator Removal from Tools | PowerSploit‘s Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.13 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.13 |
| enterprise | T1057 | Process Discovery | PowerSploit‘s Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.13 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.13 |
| enterprise | T1012 | Query Registry | PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.13 |
| enterprise | T1620 | Reflective Code Loading | PowerSploit reflectively loads a Windows PE file into a process.13 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | PowerSploit‘s New-UserPersistenceOption Persistence argument can be used to establish via a Scheduled Task/Job.13 |
| enterprise | T1113 | Screen Capture | PowerSploit‘s Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.13 |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
| enterprise | T1558.003 | Kerberoasting | PowerSploit‘s Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.56 |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.002 | Credentials in Registry | PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.4 |
| enterprise | T1552.006 | Group Policy Preferences | PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.13 |
| enterprise | T1047 | Windows Management Instrumentation | PowerSploit‘s Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.13 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0040 | Patchwork | 7 |
| G0116 | Operation Wocao | 8 |
| G0069 | MuddyWater | 9 |
| G0046 | FIN7 | 10 |
| G0065 | Leviathan | 11 |
| G0064 | APT33 | 12 |
| G0045 | menuPass | 13 |
| G0096 | APT41 | 14 |
| G0132 | CostaRicto | 15 |
References
-
PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018. ↩
-
PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018. ↩
-
Schroeder, W. & Hart M. (2016, October 31). Invoke-Kerberoast. Retrieved March 23, 2018. ↩
-
Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018. ↩
-
Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. ↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩
-
Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. ↩
-
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. ↩
-
CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021. ↩
-
Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. ↩
-
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. ↩
-
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. ↩
-
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. ↩