S0184 POWRUNER
POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.[1]

Item | Value |
---|---|
ID | S0184 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 06 July 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.002 | Domain Account | POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | POWRUNER can use HTTP for C2 communications.[1][2] |
enterprise | T1071.004 | DNS | POWRUNER can use DNS for C2 communications.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | POWRUNER is written in PowerShell.[1] |
enterprise | T1059.003 | Windows Command Shell | POWRUNER can execute commands from its C2 server.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | POWRUNER can use base64-encoded C2 communications.[1] |
enterprise | T1083 | File and Directory Discovery | POWRUNER may enumerate user directories on a victim.[1] |
enterprise | T1105 | Ingress Tool Transfer | POWRUNER can download or upload files from its C2 server.[1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | POWRUNER may collect local group information by running net localgroup administrators or a series of other commands on a victim.[1] |
enterprise | T1069.002 | Domain Groups | POWRUNER may collect domain group information by running net group /domain or a series of other commands on a victim.[1] |
enterprise | T1057 | Process Discovery | POWRUNER may collect process information by running tasklist on a victim.[1] |
enterprise | T1012 | Query Registry | POWRUNER may query the Registry by running reg query on a victim.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | POWRUNER persists through a scheduled task that executes it every minute.[1] |
enterprise | T1113 | Screen Capture | POWRUNER can capture a screenshot from a victim.[1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | POWRUNER may collect information on the victim's anti-virus software.[1] |
enterprise | T1082 | System Information Discovery | POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[1] |
enterprise | T1016 | System Network Configuration Discovery | POWRUNER may collect network configuration data by running ipconfig /all on a victim.[1] |
enterprise | T1049 | System Network Connections Discovery | POWRUNER may collect active network connections by running netstat -an on a victim.[1] |
enterprise | T1033 | System Owner/User Discovery | POWRUNER may collect information about the currently logged-in user by running whoami on a victim.[1] |
enterprise | T1047 | Windows Management Instrumentation | POWRUNER may use WMI when collecting information about a victim.[1] |
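The table above lists the discovery commands POWRUNER runs from PowerShell. As an added defensive example (not code from this page or from the cited reports), the following Python flags a host where a single PowerShell parent spawns several of those command families within a short window; the pipe-delimited event format, host names and sample records are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands this page attributes to POWRUNER; the list index identifies
# the command family so that repeats of one command are not counted twice.
DISCOVERY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^net\s+user\s+/domain", r"^net\s+localgroup\s+administrators",
    r"^net\s+group\s+/domain", r"^tasklist\b", r"^reg\s+query\b", r"^hostname\b",
    r"^systeminfo\b", r"^ipconfig\s+/all", r"^netstat\s+-an", r"^whoami\b")]

# Constructed sample records (not real telemetry) in a simplified
# "time|host|parent_image|command_line" form: WS01 shows a PowerShell parent
# chaining discovery commands, WS02 an administrator running one from cmd.exe.
SAMPLE_EVENTS = """\
2020-07-06T10:00:01|WS01|powershell.exe|whoami
2020-07-06T10:00:02|WS01|powershell.exe|hostname
2020-07-06T10:00:03|WS01|powershell.exe|net user /domain
2020-07-06T10:00:04|WS01|powershell.exe|net localgroup administrators
2020-07-06T10:00:05|WS01|powershell.exe|ipconfig /all
2020-07-06T10:00:06|WS01|powershell.exe|whoami
2020-07-06T10:01:10|WS02|cmd.exe|ipconfig /all
""".splitlines()

def parse_event(line):
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent.lower(), cmd.strip()

def match_discovery(cmd):
    """Index of the first discovery pattern the command line matches, else None."""
    return next((i for i, p in enumerate(DISCOVERY_PATTERNS) if p.search(cmd)), None)

def find_discovery_bursts(lines, window=timedelta(minutes=5), min_distinct=4):
    """Flag hosts where a PowerShell parent spawned >= min_distinct distinct discovery
    command families within `window`. Returns {host: sorted command lines seen}."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, parent, cmd = parse_event(line)
        idx = match_discovery(cmd)
        if parent == "powershell.exe" and idx is not None:
            by_host[host].append((ts, idx, cmd))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for start, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[start:] if e[0] - t0 <= window]
            if len({e[1] for e in in_window}) >= min_distinct:
                alerts[host] = sorted({e[2] for e in in_window})
                break
    return alerts
```

Tune `window` and `min_distinct` to the environment; the one-minute scheduled task noted above means repeated bursts from the same host are a stronger signal than a single hit.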
Groups That Use This Software
ID | Name | References |
---|---|---|
G0049 | OilRig | [1] |
References
1. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
2. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.