Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)
ID: S0194
Type: TOOL
Platforms: Windows
Version: 1.6
Created: 18 Apr 2018
Last Modified: 17 Aug 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

.005 Boot or Logon Autostart Execution: Security Support Provider

PowerSploit's Install-SSP Persistence module can be used to establish by installing a SSP DLL.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowerSploit modules are written in and executed via PowerShell.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

.009 Hijack Execution Flow: Path Interception by Unquoted Path

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1056 .001 Input Capture: Keylogging

PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

.010 Obfuscated Files or Information: Command Obfuscation

PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish via a Scheduled Task/Job.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

PowerSploit's Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.(Citation: PowerSploit Invoke Kerberoast)(Citation: Harmj0y Kerberoast Nov 2016)

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.(Citation: Pentestlab Stored Credentials)

.006 Unsecured Credentials: Group Policy Preferences

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Groups That Use This Software

ID Name References

(Citation: BlackBerry CostaRicto November 2020)

G0064 APT33

(Citation: FireEye APT33 Guardrail)

G1006 Earth Lusca

(Citation: TrendMicro EarthLusca 2022)

G0096 APT41

(Citation: FireEye APT41 Aug 2019)

G0069 MuddyWater

(Citation: TrendMicro POWERSTATS V3 June 2019)

(Citation: FoxIT Wocao December 2019)

G0046 FIN7

(Citation: Mandiant FIN7 Apr 2022) (Citation: CrowdStrike Carbon Spider August 2021)

G0045 menuPass

(Citation: PWC Cloud Hopper Technical Annex April 2017)

G0065 Leviathan

(Citation: CISA AA21-200A APT40 July 2021)

G0116 Operation Wocao

(Citation: FoxIT Wocao December 2019)

G0092 TA505

(Citation: NCC Group TA505)

G0040 Patchwork

(Citation: Cymmetria Patchwork)

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  3. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  4. Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.
  5. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  6. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  7. netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.
  8. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  9. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  10. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  11. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  12. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  13. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  14. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  15. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  16. Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved September 23, 2024.
  17. Schroeder, W. & Hart M. (2016, October 31). Invoke-Kerberoast. Retrieved March 23, 2018.
  18. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  19. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.