Software: PowerSploit

PowerSploit (Software)
ID: S0194
Aliases: PowerSploit
Type: Tool
Platform: Windows

PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, reconnaissance, and exfiltration.[1][2][3]

Techniques Used

  • Process Injection - PowerSploit contains a collection of CodeExecution modules that enable Execution by injecting code (DLL, shellcode) or reflectively loading a Windows PE file into a process.[1][3]
  • Access Token Manipulation - PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to locate and impersonate user logon tokens.[1][3]
  • Data from Local System - PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.[1][3]
  • Credential Dumping - PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences, Windows vault credential objects, or using Mimikatz.[1][3]
  • Audio Capture - PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.[1][3]
  • Screen Capture - PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.[1][3]
  • Input Capture - PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.[1][3]
  • Account Discovery - PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.[1][3]
  • Process Discovery - PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.[1][3]
  • Modify Existing Service - PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.[1][3]
  • DLL Search Order Hijacking - PowerSploit contains a collection of Privesc-PowerUp modules that can discover DLL hijacking opportunities in services and processes.[1][3]
  • Kerberoasting - PowerSploit's Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.[4][5]
  • Credentials in Registry - PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.[6]

Groups

The following groups use this software: