{
  "description": "Enterprise techniques used by PowerShower, ATT&CK software S0441 (v1.0)",
  "name": "PowerShower (S0441)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.(Citation: Kaspersky Cloud Atlas August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) sets up persistence with a Registry run key.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) is a backdoor written in PowerShell.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to save and execute VBScript.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to encode C2 communications with base64 encoding.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.(Citation: Kaspersky Cloud Atlas August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to remove all files created during the dropper process.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to deploy a reconnaissance module to retrieve a list of the active processes.(Citation: Kaspersky Cloud Atlas August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has collected system information on the infected host.(Citation: Unit 42 Inception November 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to identify the current Windows domain of the infected host.(Citation: Kaspersky Cloud Atlas August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to identify the current user on the infected host.(Citation: Kaspersky Cloud Atlas August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by PowerShower", "color": "#66b1ff"}]
}
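The layer's T1547.001, T1564.003 and T1112 entries describe two registry writes: a Run key that relaunches the PowerShell backdoor, and a console-properties key that makes later powershell.exe windows open off-screen. The following detection logic is an added example, not PowerShower code and not part of the ATT&CK layer or the cited reports. It runs over constructed Sysmon Event ID 13 (registry value set) records, using Sysmon's real field names (Image, TargetObject, Details) and the generic Windows layout of per-executable subkeys under HKCU\Console whose WindowPosition DWORD packs the window origin as two signed 16-bit halves; the specific key names, SIDs, paths and the 0xFFFFFFFF value in the samples are assumptions chosen for illustration, not indicators taken from the reports.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed sample Sysmon Event ID 13 (RegistryEvent: value set) records.
# Illustrative only, not captured PowerShower telemetry.
SAMPLE_EVENTS = [
    {   # Run-key persistence relaunching a PowerShell script (T1547.001 / T1112)
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"powershell.exe -NoP -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\u.ps1",
    },
    {   # Console origin for powershell.exe pushed off-screen (T1564.003 / T1112)
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\WindowPosition",
        "Details": "DWORD (0xFFFFFFFF)",
    },
    {   # Benign Run-key entry: same key, but it does not launch PowerShell
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    {   # Benign console position: the user dragged the window to x=32, y=16
        "EventID": 13,
        "Image": r"C:\Windows\System32\conhost.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\WindowPosition",
        "Details": "DWORD (0x00100020)",
    },
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
CONSOLE_WINPOS_RE = re.compile(r"\\Console\\[^\\]*powershell[^\\]*\\WindowPosition$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]{1,8})\)")
POWERSHELL_RE = re.compile(r"powershell(\.exe)?|pwsh", re.IGNORECASE)


def decode_window_position(value: int) -> tuple[int, int]:
    """Split a console WindowPosition DWORD into (x, y).

    The console host stores the window origin as two signed 16-bit halves:
    low word = left (x), high word = top (y). 0xFFFFFFFF therefore decodes
    to (-1, -1); a value like 0x80008000 sits far outside any display.
    """
    def s16(n: int) -> int:
        n &= 0xFFFF
        return n - 0x10000 if n & 0x8000 else n
    return s16(value & 0xFFFF), s16(value >> 16)


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x...)' Details rendering."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def analyze_event(ev: dict) -> list[dict]:
    """Return ATT&CK-tagged findings for one registry value-set event."""
    findings: list[dict] = []
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY_RE.search(target) and POWERSHELL_RE.search(details):
        findings.append({"techniques": ["T1547.001", "T1112"], "key": target,
                         "reason": "Run key launching PowerShell"})
    if CONSOLE_WINPOS_RE.search(target):
        raw = parse_dword(details)
        if raw is not None:
            x, y = decode_window_position(raw)
            # Negative coordinates can be legitimate on multi-monitor layouts
            # (a display left of or above the primary one), so treat this as a
            # hunting lead and corroborate with the writing process in Image.
            if x < 0 or y < 0:
                findings.append({"techniques": ["T1564.003", "T1112"], "key": target,
                                 "reason": f"powershell.exe console origin set to ({x}, {y})"})
    return findings


def hunt(events: list[dict]) -> list[dict]:
    """Run the checks over every Event ID 13 record and collect the findings."""
    return [f for ev in events if ev.get("EventID") == 13 for f in analyze_event(ev)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(", ".join(f["techniques"]), "-", f["reason"], "-", f["key"])
```

Both benign records pass through untouched: the OneDrive Run value never references PowerShell, and the on-screen WindowPosition decodes to positive coordinates. In production the same two checks are worth pairing with the T1070.004 and T1112 cleanup behaviour the layer lists, since a Run value that appears and then disappears within the lifetime of a single powershell.exe process is a stronger signal than either write alone.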