

POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[1]

ID: S0371
Platforms: Windows
Version: 1.0
Created: 16 April 2019
Last Modified: 22 April 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1043 | Commonly Used Port | POWERTON has used port 443 for C2 traffic.[1] |
| Enterprise | T1003 | Credential Dumping | POWERTON has the ability to dump password hashes.[1] |
| Enterprise | T1086 | PowerShell | POWERTON is written in PowerShell.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | POWERTON can install a Registry Run key for persistence.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | POWERTON has used HTTP/HTTPS for C2 traffic.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | POWERTON has used AES for encrypting C2 traffic.[1] |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | POWERTON can use WMI for persistence.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0064 | APT33 | [1] |