Register to stream ATT&CKcon 2.0 October 29-30


POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[1]

ID: S0371
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1043 Commonly Used Port POWERTON has used port 443 for C2 traffic. [1]
Enterprise T1003 Credential Dumping POWERTON has the ability to dump password hashes. [1]
Enterprise T1086 PowerShell POWERTON is written in PowerShell. [1]
Enterprise T1060 Registry Run Keys / Startup Folder POWERTON can install a Registry Run key for persistence. [1]
Enterprise T1071 Standard Application Layer Protocol POWERTON has used HTTP/HTTPS for C2 traffic. [1]
Enterprise T1032 Standard Cryptographic Protocol POWERTON has used AES for encrypting C2 traffic. [1]
Enterprise T1084 Windows Management Instrumentation Event Subscription POWERTON can use WMI for persistence. [1]

Groups That Use This Software

ID Name References
G0064 APT33 [1]