{
	"id": "f3ca12b8-d3e0-4407-b00b-c0d9cd6fcb61",
	"created_at": "2026-04-06T00:18:58.972381Z",
	"updated_at": "2026-04-10T03:21:33.214854Z",
	"deleted_at": null,
	"sha1_hash": "32fcfa52d63e36a07607a88a46b4fa70ac090bda",
	"title": "GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82062,
	"plain_text": "GitHub - PowerShellMafia/PowerSploit: PowerSploit - A\r\nPowerShell Post-Exploitation Framework\r\nBy HarmJ0y\r\nArchived: 2026-04-05 17:47:59 UTC\r\nThis project is no longer supported\r\nPowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration\r\ntesters during all phases of an assessment. PowerSploit is comprised of the following modules and\r\nscripts:\r\nCodeExecution\r\nExecute code on a target machine.\r\nInvoke-DllInjection\r\nInjects a Dll into the process ID of your choosing.\r\nInvoke-ReflectivePEInjection\r\nReflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to\r\na remote process.\r\nInvoke-Shellcode\r\nInjects shellcode into the process ID of your choosing or within PowerShell locally.\r\nInvoke-WmiCommand\r\nExecutes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2\r\nchannel.\r\nScriptModification\r\nModify and/or prepare scripts for execution on a compromised machine.\r\nOut-EncodedCommand\r\nCompresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.\r\nhttps://github.com/PowerShellMafia/PowerSploit\r\nPage 1 of 7\n\nOut-CompressedDll\r\nCompresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.\r\nOut-EncryptedScript\r\nEncrypts text files/scripts.\r\nRemove-Comment\r\nStrips comments and extra whitespace from a script.\r\nPersistence\r\nAdd persistence capabilities to a PowerShell script\r\nNew-UserPersistenceOption\r\nConfigure user-level persistence options for the Add-Persistence function.\r\nNew-ElevatedPersistenceOption\r\nConfigure elevated persistence options for the Add-Persistence function.\r\nAdd-Persistence\r\nAdd persistence capabilities to a script.\r\nInstall-SSP\r\nInstalls a security support provider (SSP) dll.\r\nGet-SecurityPackages\r\nEnumerates all loaded security packages 
(SSPs).\r\nAntivirusBypass\r\nAV doesn't stand a chance against PowerShell!\r\nFind-AVSignature\r\nLocates single Byte AV signatures utilizing the same method as DSplit from \"class101\".\r\nExfiltration\r\nAll your data belong to me!\r\nInvoke-TokenManipulation\r\nLists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in\r\nthe current thread.\r\nInvoke-CredentialInjection\r\nCreate logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential\r\nLogon).\r\nInvoke-NinjaCopy\r\nCopies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.\r\nInvoke-Mimikatz\r\nReflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing\r\nanything to disk. Can be used for any functionality provided with Mimikatz.\r\nGet-Keystrokes\r\nLogs keys pressed, time and the active window.\r\nGet-GPPPassword\r\nRetrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.\r\nGet-GPPAutologon\r\nRetrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.\r\nGet-TimedScreenshot\r\nA function that takes screenshots at a regular interval and saves them to a folder.\r\nNew-VolumeShadowCopy\r\nCreates a new volume shadow copy.\r\nGet-VolumeShadowCopy\r\nLists the device paths of all local volume shadow copies.\r\nMount-VolumeShadowCopy\r\nMounts a volume shadow copy.\r\nRemove-VolumeShadowCopy\r\nDeletes a volume shadow copy.\r\nGet-VaultCredential\r\nDisplays Windows vault credential objects including cleartext web credentials.\r\nOut-Minidump\r\nGenerates a full-memory minidump of a process.\r\nGet-MicrophoneAudio\r\nRecords audio from system microphone and saves to disk\r\nMayhem\r\nCause general 
mayhem with PowerShell.\r\nSet-MasterBootRecord\r\nProof of concept code that overwrites the master boot record with the message of your choice.\r\nSet-CriticalProcess\r\nCauses your machine to blue screen upon exiting PowerShell.\r\nPrivesc\r\nTools to help with escalating privileges on a target.\r\nPowerUp\r\nClearing house of common privilege escalation checks, along with some weaponization vectors.\r\nRecon\r\nTools to aid in the reconnaissance phase of a penetration test.\r\nInvoke-Portscan\r\nDoes a simple port scan using regular sockets, based (pretty) loosely on nmap.\r\nGet-HttpStatus\r\nReturns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.\r\nInvoke-ReverseDnsLookup\r\nScans an IP address range for DNS PTR records.\r\nPowerView\r\nPowerView is a series of functions that performs network and Windows domain enumeration and exploitation.\r\nRecon\\Dictionaries\r\nA collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were\r\ntaken from the following sources.\r\nadmin.txt - http://cirt.net/nikto2/\r\ngeneric.txt - http://sourceforge.net/projects/yokoso/files/yokoso-0.1/\r\nsharepoint.txt - http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/\r\nLicense\r\nThe PowerSploit project and all individual scripts are under the BSD 3-Clause license unless explicitly noted\r\notherwise.\r\nUsage\r\nRefer to the comment-based help in each individual script for detailed usage information.\r\nTo install this module, drop the entire PowerSploit folder into one of your module directories. 
The default\r\nPowerShell module paths are listed in the $Env:PSModulePath environment variable.\r\nThe default per-user module path is:\r\n\"$Env:HomeDrive$Env:HOMEPATH\\Documents\\WindowsPowerShell\\Modules\" The default computer-level\r\nmodule path is: \"$Env:windir\\System32\\WindowsPowerShell\\v1.0\\Modules\"\r\nTo use the module, type Import-Module PowerSploit\r\nTo see the commands imported, type Get-Command -Module PowerSploit\r\nIf you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts\r\ndownloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following\r\none-liner: $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }\r\nFor help on each individual command, Get-Help is your friend.\r\nNote: The tools contained within this module were all designed such that they can be run individually. Including\r\nthem in a module simply lends itself to increased portability.\r\nContribution Rules\r\nWe need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require\r\nthe following:\r\nThe script must adhere to the style guide. Any exceptions to the guideline would need an explicit, valid\r\nreason.\r\nThe module manifest needs to be updated to reflect the new function being added.\r\nA brief description of the function should be added to this README.md\r\nPester tests must accompany all new functions. See the Tests folder for examples but we are looking for\r\ntests that at least cover the basics by testing for expected/unexpected input/output and that the function\r\nexhibits desired functionality. Make sure the function is passing all tests (preferably in multiple OSes) prior\r\nto submitting a pull request. 
Thanks!\r\nScript Style Guide\r\nFor all contributors and future contributors to PowerSploit, I ask that you follow this style guide when\r\nwriting your scripts/modules.\r\nAvoid Write-Host at all costs. PowerShell functions/cmdlets are not command-line utilities! Pull requests\r\ncontaining code that uses Write-Host will not be considered. You should output custom objects instead. For\r\nmore information on creating custom objects, read these articles:\r\nhttp://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx\r\nhttp://technet.microsoft.com/en-us/library/ff730946.aspx\r\nIf you want to display relevant debugging information to the screen, use Write-Verbose. The user can\r\nalways just tack on '-Verbose'.\r\nAlways provide descriptive, comment-based help for every script. Also, be sure to include your name and a\r\nBSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD\r\nlicense).\r\nMake sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the\r\ndefault verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case\r\nbasis.\r\nI prefer that variable names be capitalized and be as descriptive as possible.\r\nProvide logical spacing in between your code. Indent your code to make it more readable.\r\nIf you find yourself repeating code, write a function.\r\nCatch all anticipated errors and provide meaningful output. If you have an error that should stop execution\r\nof the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.\r\nIf you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.\r\nDo not use hardcoded paths. A script should be useable right out of the box. 
No one should have to modify\r\nthe code unless they want to.\r\nPowerShell v2 compatibility is highly desired.\r\nUse positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm\r\nlooking for something like the following:\r\n[Parameter(Position = 0, Mandatory = $True)]\r\nDon't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to\r\nread for people who are unfamiliar with a particular alias.\r\nTry not to let commands run on for too long. For example, a pipeline is a natural place for a line break.\r\nDon't go overboard with inline comments. Only use them when certain aspects of the code might be\r\nconfusing to a reader.\r\nRather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null.\r\nDoing so provides a slight performance enhancement.\r\nUse default values for your parameters when it makes sense. Ideally, you want a script that will work\r\nwithout requiring any parameters.\r\nIf a script creates complex custom objects, include a ps1xml file that will properly format the object's\r\noutput.\r\nSource: https://github.com/PowerShellMafia/PowerSploit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://github.com/PowerShellMafia/PowerSploit"
	],
	"report_names": [
		"PowerSploit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32fcfa52d63e36a07607a88a46b4fa70ac090bda.pdf",
		"text": "https://archive.orkl.eu/32fcfa52d63e36a07607a88a46b4fa70ac090bda.txt",
		"img": "https://archive.orkl.eu/32fcfa52d63e36a07607a88a46b4fa70ac090bda.jpg"
	}
}