Skip to content


POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.1

Item Value
ID S0371
Associated Names
Version 1.1
Created 16 April 2019
Last Modified 25 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols POWERTON has used HTTP/HTTPS for C2 traffic.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder POWERTON can install a Registry Run key for persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell POWERTON is written in PowerShell.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography POWERTON has used AES for encrypting C2 traffic.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription POWERTON can use WMI for persistence.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager POWERTON has the ability to dump password hashes.1

Groups That Use This Software

ID Name References
G0064 APT33 12