Tool: PowerSploit

Description

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)

External References

• mitre-attack
• PowerShellMagazine PowerSploit July 2014
• GitHub PowerSploit May 2012
• PowerSploit Documentation

Techniques Used by This Tool

• T1003.001 — LSASS Memory
• T1005 — Data from Local System
• T1012 — Query Registry
• T1027.005 — Indicator Removal from Tools
• T1027.010 — Command Obfuscation
• T1047 — Windows Management Instrumentation
• T1053.005 — Scheduled Task
• T1055.001 — Dynamic-link Library Injection
• T1056.001 — Keylogging
• T1057 — Process Discovery
• T1059.001 — PowerShell
• T1087.001 — Local Account
• T1113 — Screen Capture
• T1123 — Audio Capture
• T1134 — Access Token Manipulation
• T1482 — Domain Trust Discovery
• T1543.003 — Windows Service
• T1547.001 — Registry Run Keys / Startup Folder
• T1547.005 — Security Support Provider
• T1552.002 — Credentials in Registry
• T1552.006 — Group Policy Preferences
• T1555.004 — Windows Credential Manager
• T1558.003 — Kerberoasting
• T1574.001 — DLL
• T1574.007 — Path Interception by PATH Environment Variable
• T1574.008 — Path Interception by Search Order Hijacking
• T1574.009 — Path Interception by Unquoted Path
• T1620 — Reflective Code Loading

APT Groups Using This Tool

• FIN7
• TA505
• Earth Lusca
• Patchwork
• MuddyWater
• Leviathan
• menuPass
• APT41
• APT33