{"description": "Enterprise techniques used by PowerSploit, ATT&CK software S0194 (v1.6)", "name": "PowerSploit (S0194)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [
  {"techniqueID": "T1134", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1087", "showSubtechniques": true},
  {"techniqueID": "T1087.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1123", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Get-MicrophoneAudio Exfiltration module can record system microphone audio.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1547", "showSubtechniques": true},
  {"techniqueID": "T1547.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s New-UserPersistenceOption Persistence argument can be used to establish persistence via the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1547.005", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Install-SSP Persistence module can be used to establish persistence by installing an SSP DLL.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1059", "showSubtechniques": true},
  {"techniqueID": "T1059.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) modules are written in and executed via [PowerShell](https://attack.mitre.org/techniques/T1086).(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1543", "showSubtechniques": true},
  {"techniqueID": "T1543.003", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1555", "showSubtechniques": true},
  {"techniqueID": "T1555.004", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1005", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1482", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1574", "showSubtechniques": true},
  {"techniqueID": "T1574.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1574.007", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1574.008", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and exploit search order hijacking vulnerabilities.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1574.009", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted service path vulnerabilities.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1056", "showSubtechniques": true},
  {"techniqueID": "T1056.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Get-Keystrokes Exfiltration module can log keystrokes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1027", "showSubtechniques": true},
  {"techniqueID": "T1027.005", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Find-AVSignature AntivirusBypass module can be used to locate single-byte anti-virus signatures.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1027.010", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of ScriptModification modules that compress and encode scripts and payloads.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1003", "showSubtechniques": true},
  {"techniqueID": "T1003.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Exfiltration modules that can harvest credentials using [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1057", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1055", "showSubtechniques": true},
  {"techniqueID": "T1055.001", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1012", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can query Registry keys for potential privilege escalation opportunities.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1620", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) reflectively loads a Windows PE file into a process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1053", "showSubtechniques": true},
  {"techniqueID": "T1053.005", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s New-UserPersistenceOption Persistence argument can be used to establish persistence via a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053).(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1113", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1558", "showSubtechniques": true},
  {"techniqueID": "T1558.003", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.(Citation: PowerSploit Invoke Kerberoast)(Citation: Harmj0y Kerberoast Nov 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1552", "showSubtechniques": true},
  {"techniqueID": "T1552.002", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) has several modules that search the Windows Registry and local configuration files for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.(Citation: Pentestlab Stored Credentials)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1552.006", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1047", "comment": "[PowerSploit](https://attack.mitre.org/software/S0194)'s Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a [PowerShell](https://attack.mitre.org/techniques/T1086) payload.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PowerSploit", "color": "#66b1ff"}]}
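The layer above is data for the ATT&CK Navigator, and hand-edited layers are easy to get subtly wrong (a sub-technique mapping with no expanded parent stub is silently hidden, a score outside the gradient range does not colour). The Python script below is an added example, not part of the ATT&CK layer or of PowerSploit: it parses a constructed subset of this layer (embedded inline so it runs offline), lists the mappings that carry a score, flags sub-technique entries whose parent stub is missing or not expanded, and counts scored sub-techniques per parent technique. The field names are those of layer format 4.5 as shown above; the sample text, the function names and the regular expression for technique IDs are assumptions of this example.

```python
import json
import re

# Constructed sample: a small subset of the PowerSploit layer above, embedded so the
# script runs offline. For a real file use open("layer.json").read() instead.
SAMPLE_LAYER = r'''
{"name": "PowerSploit (S0194)", "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
 "techniques": [
  {"techniqueID": "T1134", "comment": "Invoke-TokenManipulation", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1547", "showSubtechniques": true},
  {"techniqueID": "T1547.001", "comment": "New-UserPersistenceOption (Run key)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1547.005", "comment": "Install-SSP", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1053.005", "comment": "New-UserPersistenceOption (scheduled task)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}}
'''

# Assumed shape of an ATT&CK technique ID: Tnnnn with an optional .nnn sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def load_layer(text):
    """Parse layer JSON and insist on the keys every Navigator layer needs."""
    layer = json.loads(text)
    for key in ("name", "domain", "versions", "techniques", "gradient"):
        if key not in layer:
            raise ValueError(f"layer missing required key {key!r}")
    return layer


def scored_techniques(layer):
    """IDs of entries that carry a score, i.e. real mappings rather than parent stubs."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if "score" in t)


def check_layer(layer):
    """Return a list of problems; an empty list means the layer is internally consistent."""
    problems = []
    by_id = {t["techniqueID"]: t for t in layer["techniques"]}
    lo, hi = layer["gradient"]["minValue"], layer["gradient"]["maxValue"]
    for t in layer["techniques"]:
        tid = t["techniqueID"]
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"{tid}: malformed technique ID")
            continue
        if "score" in t and not (lo <= t["score"] <= hi):
            problems.append(f"{tid}: score {t['score']} outside gradient range [{lo}, {hi}]")
        if "." in tid:
            parent = by_id.get(tid.split(".")[0])
            # Navigator only shows a scored sub-technique when its parent row is expanded,
            # which this layer does with a parent stub carrying showSubtechniques: true.
            if parent is None or not parent.get("showSubtechniques", False):
                problems.append(f"{tid}: parent stub missing or not expanded, mapping will be hidden")
    return problems


def parent_histogram(layer):
    """Count scored entries per parent technique to see where a tool's coverage concentrates."""
    counts = {}
    for t in layer["techniques"]:
        if "score" not in t:
            continue
        parent = t["techniqueID"].split(".")[0]
        counts[parent] = counts.get(parent, 0) + 1
    return counts


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    print("scored mappings:", scored_techniques(layer))
    for problem in check_layer(layer):
        print("PROBLEM:", problem)
    print("per parent:", parent_histogram(layer))
```

Run against the constructed sample, the checker reports exactly one problem: T1053.005 is scored but the sample omits the T1053 parent stub, the kind of omission that makes a mapping disappear from the matrix until someone clicks the row open. The full layer above passes the same check because every sub-technique has a parent entry with showSubtechniques set to true.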