PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | Access Token Manipulation |
PowerSploit's |
|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
PowerSploit's |
Enterprise | T1123 | Audio Capture |
PowerSploit's |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
PowerSploit's |
.005 | Boot or Logon Autostart Execution: Security Support Provider |
PowerSploit's |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
PowerSploit modules are written in and executed via PowerShell.[1][3] |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.[1][3] |
Enterprise | T1555 | .004 | Credentials from Password Stores: Windows Credential Manager |
PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[1][3] |
Enterprise | T1005 | Data from Local System |
PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.[1][3] |
|
Enterprise | T1482 | Domain Trust Discovery |
PowerSploit has modules such as |
|
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.[1][3] |
.007 | Hijack Execution Flow: Path Interception by PATH Environment Variable |
PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.[1][3] |
||
.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking |
PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities.[1][3] |
||
.009 | Hijack Execution Flow: Path Interception by Unquoted Path |
PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities.[1][3] |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
PowerSploit's |
Enterprise | T1027 | Obfuscated Files or Information |
PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.[1][3] |
|
.005 | Indicator Removal from Tools |
PowerSploit's |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.[1][3] |
Enterprise | T1057 | Process Discovery |
PowerSploit's |
|
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.[1][3] |
Enterprise | T1012 | Query Registry |
PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[1][3] |
|
Enterprise | T1620 | Reflective Code Loading |
PowerSploit reflectively loads a Windows PE file into a process.[1][3] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
PowerSploit's |
Enterprise | T1113 | Screen Capture |
PowerSploit's |
|
Enterprise | T1558 | .003 | Steal or Forge Kerberos Tickets: Kerberoasting |
PowerSploit's |
Enterprise | T1552 | .002 | Unsecured Credentials: Credentials in Registry |
PowerSploit has several modules that search the Windows Registry for stored credentials: |
.006 | Unsecured Credentials: Group Policy Preferences |
PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.[1][3] |
||
Enterprise | T1047 | Windows Management Instrumentation |
PowerSploit's |
ID | Name | References |
---|---|---|
G0045 | menuPass | |
G0040 | Patchwork | |
G0064 | APT33 | |
G0096 | APT41 | |
G0069 | MuddyWater | |
G0116 | Operation Wocao | |
G0132 | CostaRicto | |
G0065 | Leviathan | |
G0046 | FIN7 |