PowerSploit

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Often deployed via spear phishing, they are lightweight, have particular capabilities and are designed to facilitate system identification and lateral movement.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.

References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.

Alternatively PowerShell can be used to create schedule tasks that will executed either at logon of a user or at a specific time and date.

Tested variants: Original compiled into PowerShell (Invoke-Mimikatz) (Detected) PowerSploit – Invoke-Mimikatz (Detected)

This malicious DLL needs to be dropped in one of the folders that windows are loading DLL files. As it can be see below when the service restarted a Meterpreter session opened with SYSTEM privileges through DLL hijacking.

If these DLL’s doesn’t exist or are implemented in an insecure way (DLL’s are called without using a fully qualified path) then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.

Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.

References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts... Cobalt Group ... set a Startup path to launch the PowerShell shell command and download Cobalt Strike. DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.

References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.

Memory Manipulation • Reflection.Assembly • VirtualAlloc • WriteProcessMemory • CreateThread Why it matters: They are used in reflective PE injection, shellcode execution, etc. (common in frameworks like PowerSploit)

Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system.

APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts... Cobalt Group ... set a Startup path to launch the PowerShell shell command and download Cobalt Strike. DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

In Windows environments when an application or a service is starting it looks for a number of DLL’s in order to function properly... then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.

The code is heavily obfuscated, via the use of position-independence alongside other techniques.

Memory Manipulation • Reflection.Assembly • VirtualAlloc • WriteProcessMemory • CreateThread Why it matters: They are used in reflective PE injection, shellcode execution, etc. (common in frameworks like PowerSploit)

Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system.

One of most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” (LotL) techniques by attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to execute attacks.

This malicious DLL needs to be dropped in one of the folders that windows are loading DLL files. As it can be see below when the service restarted a Meterpreter session opened with SYSTEM privileges through DLL hijacking.

If these DLL’s doesn’t exist or are implemented in an insecure way (DLL’s are called without using a fully qualified path) then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.

Memory Manipulation • Reflection.Assembly... Why it matters: They are used in reflective PE injection, shellcode execution, etc. (common in frameworks like PowerSploit)

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

This issue with this is that frequently the password is stored in clear-text within the script (such as a vbs file) which is often in SYSVOL.

The Kerberoasting technique can be used to target and crack weak passwords of service accounts... the PowerSploit framework’s Invoke-Kerberoast utility is being used.

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

Download a file from a specified URL, and save it under a specified filename;