POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[1]

ID: S0371
Platforms: Windows
Version: 1.1
Created: 16 April 2019
Last Modified: 25 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

POWERTON has used HTTP/HTTPS for C2 traffic.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

POWERTON can install a Registry Run key for persistence.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

POWERTON is written in PowerShell.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

POWERTON has used AES for encrypting C2 traffic.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

POWERTON can use WMI for persistence.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

POWERTON has the ability to dump password hashes.[1]

Groups That Use This Software

ID Name References
G0064 APT33