Skip to content

S0184 POWRUNER

POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. 1

Item Value
ID S0184
Associated Names
Type MALWARE
Version 1.1
Created 16 January 2018
Last Modified 06 July 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols POWRUNER can use HTTP for C2 communications.12
enterprise T1071.004 DNS POWRUNER can use DNS for C2 communications.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell POWRUNER is written in PowerShell.1
enterprise T1059.003 Windows Command Shell POWRUNER can execute commands from its C2 server.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding POWRUNER can use base64 encoded C2 communications.1
enterprise T1083 File and Directory Discovery POWRUNER may enumerate user directories on a victim.1
enterprise T1105 Ingress Tool Transfer POWRUNER can download or upload files from its C2 server.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups POWRUNER may collect local group information by running net localgroup administrators or a series of other commands on a victim.1
enterprise T1069.002 Domain Groups POWRUNER may collect domain group information by running net group /domain or a series of other commands on a victim.1
enterprise T1057 Process Discovery POWRUNER may collect process information by running tasklist on a victim.1
enterprise T1012 Query Registry POWRUNER may query the Registry by running reg query on a victim.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task POWRUNER persists through a scheduled task that executes it every minute.1
enterprise T1113 Screen Capture POWRUNER can capture a screenshot from a victim.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery POWRUNER may collect information on the victim’s anti-virus software.1
enterprise T1082 System Information Discovery POWRUNER may collect information about the system by running hostname and systeminfo on a victim.1
enterprise T1016 System Network Configuration Discovery POWRUNER may collect network configuration data by running ipconfig /all on a victim.1
enterprise T1049 System Network Connections Discovery POWRUNER may collect active network connections by running netstat -an on a victim.1
enterprise T1033 System Owner/User Discovery POWRUNER may collect information about the currently logged in user by running whoami on a victim.1
enterprise T1047 Windows Management Instrumentation POWRUNER may use WMI when collecting information about a victim.1

Groups That Use This Software

ID Name References
G0049 OilRig 1

References