S0371 POWERTON
POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[1]
| Item | Value |
|---|---|
| ID | S0371 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 16 April 2019 |
| Last Modified | 25 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | POWERTON has used HTTP/HTTPS for C2 traffic.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | POWERTON can install a Registry Run key for persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | POWERTON is written in PowerShell.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | POWERTON has used AES for encrypting C2 traffic.[1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | POWERTON can use WMI for persistence.[1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.002 | Security Account Manager | POWERTON has the ability to dump password hashes.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0064 | APT33 | [1][2] |
References
1. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
2. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.