PowerSploit

PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1][2][3]

ID: S0194
Aliases: PowerSploit
Type: TOOL
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
------ | -- | ---- | ---
Enterprise | T1134 | Access Token Manipulation | PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to locate and impersonate user logon tokens. [1][3]
Enterprise | T1087 | Account Discovery | PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token. [1][3]
Enterprise | T1123 | Audio Capture | PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio. [1][3]
Enterprise | T1003 | Credential Dumping | PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences, Windows vault credential objects, or using Mimikatz. [1][3]
Enterprise | T1214 | Credentials in Registry | PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon. [4]
Enterprise | T1005 | Data from Local System | PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes. [1][3]
Enterprise | T1038 | DLL Search Order Hijacking | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes. [1][3]
Enterprise | T1066 | Indicator Removal from Tools | PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures. [1][3]
Enterprise | T1056 | Input Capture | PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes. [1][3]
Enterprise | T1208 | Kerberoasting | PowerSploit's Invoke-Kerberoast module can request service tickets and return crackable ticket hashes. [5][6]
Enterprise | T1031 | Modify Existing Service | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace or modify service binaries, paths, and configs. [1][3]
Enterprise | T1027 | Obfuscated Files or Information | PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads. [1][3]
Enterprise | T1034 | Path Interception | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit various path interception opportunities in services, processes, and variables. [1][3]
Enterprise | T1086 | PowerShell | PowerSploit modules are written in and executed via PowerShell. [1][3]
Enterprise | T1057 | Process Discovery | PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process. [1][3]
Enterprise | T1055 | Process Injection | PowerSploit contains a collection of CodeExecution modules that enable code execution by injecting code (DLL, shellcode) or reflectively loading a Windows PE file into a process. [1][3]
Enterprise | T1012 | Query Registry | PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities. [1][3]
Enterprise | T1060 | Registry Run Keys / Startup Folder | PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key. [1][3]
Enterprise | T1053 | Scheduled Task | PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task. [1][3]
Enterprise | T1113 | Screen Capture | PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals. [1][3]
Enterprise | T1101 | Security Support Provider | PowerSploit's Install-SSP Persistence module can be used to establish persistence by installing an SSP DLL. [1][3]
Enterprise | T1047 | Windows Management Instrumentation | PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute a PowerShell payload and retrieve its output. [1][3]

Groups

Groups that use this software:

menuPass
Patchwork

References