PowerSploit
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | PowerSploit's |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PowerSploit's |
| Enterprise | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | PowerSploit's |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerSploit modules are written in and executed via PowerShell. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1555.004 | Credentials from Password Stores: Windows Credential Manager | PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1574.007 | Hijack Execution Flow: Path Interception by PATH Environment Variable | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1574.009 | Hijack Execution Flow: Path Interception by Unquoted Path | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1056.001 | Input Capture: Keylogging | PowerSploit's |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | PowerSploit's |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | PowerSploit's |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | PowerSploit's |
| Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | PowerSploit has several modules that search the Windows Registry for stored credentials: |
| Enterprise | T1552.006 | Unsecured Credentials: Group Policy Preferences | PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences. (Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
|  |  | (Citation: BlackBerry CostaRicto November 2020) |
| G0064 | APT33 | (Citation: FireEye APT33 Guardrail) |
| G1006 | Earth Lusca | (Citation: TrendMicro EarthLusca 2022) |
| G0096 | APT41 | (Citation: FireEye APT41 Aug 2019) |
| G0069 | MuddyWater | (Citation: TrendMicro POWERSTATS V3 June 2019) (Citation: FoxIT Wocao December 2019) |
| G0046 | FIN7 | (Citation: Mandiant FIN7 Apr 2022) (Citation: CrowdStrike Carbon Spider August 2021) |
| G0045 | menuPass | (Citation: PWC Cloud Hopper Technical Annex April 2017) |
| G0065 | Leviathan | (Citation: CISA AA21-200A APT40 July 2021) |
| G0116 | Operation Wocao | (Citation: FoxIT Wocao December 2019) |
| G0092 | TA505 | (Citation: NCC Group TA505) |
| G0040 | Patchwork | (Citation: Cymmetria Patchwork) |
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved September 23, 2024.
- Schroeder, W. & Hart, M. (2016, October 31). Invoke-Kerberoast. Retrieved March 23, 2018.
- Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.