Skip to content

S1012 PowerLess

PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.1

Item Value
ID S1012
Associated Names
Version 1.1
Created 01 June 2022
Last Modified 28 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data PowerLess can encrypt browser database files prior to exfiltration.1
enterprise T1217 Browser Information Discovery PowerLess has a browser info stealer module that can read Chrome and Edge browser database files.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell PowerLess is written in and executed via PowerShell without using powershell.exe.1
enterprise T1005 Data from Local System PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging PowerLess can stage stolen browser data in C:\\Windows\\Temp\\cup.tmp and keylogger data in C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK.1
enterprise T1140 Deobfuscate/Decode Files or Information PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.1
enterprise T1573 Encrypted Channel PowerLess can use an encrypted channel for C2 communications.1
enterprise T1105 Ingress Tool Transfer PowerLess can download additional payloads to a compromised host.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging PowerLess can use a module to log keystrokes.1

Groups That Use This Software

ID Name References
G0059 Magic Hound 1