### Persistence Functions in PowerSploit Source: https://powersploit.readthedocs.io These functions add persistence capabilities to PowerShell scripts. They include configuring persistence options and installing security support providers. ```powershell New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. Add-Persistence - Add persistence capabilities to a script. Install-SSP - Installs a security support provider (SSP) dll. Get-SecurityPackage - Enumerates all loaded security packages (SSPs). ``` -------------------------------- ### Privilege Escalation Functions in PowerSploit Source: https://powersploit.readthedocs.io Tools to aid in escalating privileges on a target system, including common privilege escalation checks and GetSystem functionality. ```powershell PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. Get-System - GetSystem functionality inspired by Meterpreter's getsystem ``` -------------------------------- ### Exfiltration Functions in PowerSploit Source: https://powersploit.readthedocs.io A collection of functions for data exfiltration, including token manipulation, credential injection, file copying, Mimikatz execution, keylogging, and retrieving group policy information. ```powershell Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. Get-Keystrokes - Logs keys pressed, time and the active window. Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. New-VolumeShadowCopy - Creates a new volume shadow copy. Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. Mount-VolumeShadowCopy - Mounts a volume shadow copy. Remove-VolumeShadowCopy - Deletes a volume shadow copy. Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. Out-Minidump - Generates a full-memory minidump of a process. Get-MicrophoneAudio - Records audio from system microphone and saves to disk. ``` -------------------------------- ### Unblock Downloaded Scripts in PowerSploit Module Path Source: https://powersploit.readthedocs.io This one-liner helps remove the 'Do you really want to run scripts downloaded from the Internet' warning for scripts within the PowerSploit module path. It iterates through the PSModulePath, checks for the PowerSploit directory, and unblocks files recursively. ```powershell $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} } ``` -------------------------------- ### Reconnaissance Functions in PowerSploit Source: https://powersploit.readthedocs.io Tools to assist in the reconnaissance phase of a penetration test, including port scanning, HTTP status checking, reverse DNS lookups, and network/domain enumeration. ```powershell Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. ``` -------------------------------- ### Code Execution Functions in PowerSploit Source: https://powersploit.readthedocs.io These functions are used to execute code on target machines. They include DLL injection, reflective PE loading, shellcode injection, and WMI command execution. ```powershell Invoke-DllInjection - Injects a Dll into the process ID of your choosing. Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel ``` -------------------------------- ### Mayhem Functions in PowerSploit Source: https://powersploit.readthedocs.io Functions to cause general mayhem on a system, including overwriting the Master Boot Record and causing a blue screen upon exiting PowerShell. ```powershell Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. ``` -------------------------------- ### Antivirus Bypass Function in PowerSploit Source: https://powersploit.readthedocs.io This function is designed to bypass antivirus software by locating single-byte AV signatures. ```powershell Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". ``` -------------------------------- ### Script Modification Functions in PowerSploit Source: https://powersploit.readthedocs.io These functions help modify and prepare scripts for execution on compromised machines. They cover encoding, compression, encryption, and comment removal. ```powershell Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. Out-EncryptedScript - Encrypts text files/scripts. Remove-Comment - Strips comments and extra whitespace from a script. ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.