POWRUNER

POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. [1]

ID: S0184
Aliases: POWRUNER
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

| Name | Description |
|------|-------------|
| POWRUNER | [1] |

Techniques Used

| Domain | ID | Name | Use |
|--------|----|------|-----|
| Enterprise | T1087 | Account Discovery | POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.[1] |
| Enterprise | T1059 | Command-Line Interface | POWRUNER can execute commands from its C2 server.[1] |
| Enterprise | T1132 | Data Encoding | POWRUNER can use base64-encoded C2 communications.[1] |
| Enterprise | T1083 | File and Directory Discovery | POWRUNER may enumerate user directories on a victim.[1] |
| Enterprise | T1069 | Permission Groups Discovery | POWRUNER may collect permission group information by running net group /domain or a series of other commands on a victim.[1] |
| Enterprise | T1086 | PowerShell | POWRUNER is written in PowerShell.[1] |
| Enterprise | T1057 | Process Discovery | POWRUNER may collect process information by running tasklist on a victim.[1] |
| Enterprise | T1012 | Query Registry | POWRUNER may query the Registry by running reg query on a victim.[1] |
| Enterprise | T1105 | Remote File Copy | POWRUNER can download or upload files from its C2 server.[1] |
| Enterprise | T1053 | Scheduled Task | POWRUNER persists through a scheduled task that executes it every minute.[1] |
| Enterprise | T1113 | Screen Capture | POWRUNER can capture a screenshot from a victim.[1] |
| Enterprise | T1063 | Security Software Discovery | POWRUNER may collect information about the victim's anti-virus software.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | POWRUNER can use HTTP and DNS for C2 communications.[1][2] |
| Enterprise | T1082 | System Information Discovery | POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | POWRUNER may collect network configuration data by running ipconfig /all on a victim.[1] |
| Enterprise | T1049 | System Network Connections Discovery | POWRUNER may collect active network connections by running netstat -an on a victim.[1] |
| Enterprise | T1033 | System Owner/User Discovery | POWRUNER may collect information about the currently logged-in user by running whoami on a victim.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | POWRUNER may use WMI when collecting information about a victim.[1] |

Groups

Groups that use this software:

OilRig

References