
S0441 PowerShower

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second-stage payloads. [1][2]

ID: S0441
Associated Names: (none)
Type: MALWARE
Version: 1.0
Created: 08 May 2020
Last Modified: 20 May 2020

Techniques Used

Domain: enterprise (all techniques listed below)

T1071 Application Layer Protocol
  T1071.001 Web Protocols: PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions. [1]
T1560 Archive Collected Data
  T1560.001 Archive via Utility: PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration. [2]
T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: PowerShower sets up persistence with a Registry run key. [1]
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: PowerShower is a backdoor written in PowerShell. [1]
  T1059.005 Visual Basic: PowerShower has the ability to save and execute VBScript. [1]
T1132 Data Encoding
  T1132.001 Standard Encoding: PowerShower has the ability to encode C2 communications with base64 encoding. [1][2]
T1041 Exfiltration Over C2 Channel: PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days. [2]
T1564 Hide Artifacts
  T1564.003 Hidden Window: PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default. [1]
T1070 Indicator Removal
  T1070.004 File Deletion: PowerShower has the ability to remove all files created during the dropper process. [1]
T1112 Modify Registry: PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process. [1]
T1057 Process Discovery: PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes. [2]
T1082 System Information Discovery: PowerShower has collected system information on the infected host. [1]
T1016 System Network Configuration Discovery: PowerShower has the ability to identify the current Windows domain of the infected host. [2]
T1033 System Owner/User Discovery: PowerShower has the ability to identify the current user on the infected host. [2]

Groups That Use This Software

ID    Name       References
G0100 Inception  [1]

References