2019-08-22 by Cyware from Cyware
2018-04-20 by Jay Novak from Booz Allen Hamilton
Tool: POWRUNER
Names: POWRUNER
Description: (FireEye) POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.
Category: Malware
Type: Backdoor
Information: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
Information: https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html
Mitre-attack: https://attack.mitre.org/software/S0184/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:powruner
Last-card-change: 2020-05-13
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | POWRUNER can execute commands from its C2 server. |
Execution (TA0002) | T1053.005 Scheduled Task/Job: Scheduled Task | POWRUNER persists through a scheduled task that executes it every minute. |
Execution (TA0002) | T1047 Windows Management Instrumentation | POWRUNER may use WMI when collecting information about a victim. |
Persistence (TA0003) | T1053.005 Scheduled Task/Job: Scheduled Task | POWRUNER persists through a scheduled task that executes it every minute. |
Privilege Escalation (TA0004) | T1053.005 Scheduled Task/Job: Scheduled Task | POWRUNER persists through a scheduled task that executes it every minute. |
Discovery (TA0007) | T1087.002 Account Discovery: Domain Account | POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim. |
Discovery (TA0007) | T1069.001 Permission Groups Discovery: Local Groups | POWRUNER may collect local group information by running net localgroup administrators or a series of other commands on a victim. |
Discovery (TA0007) | T1069.002 Permission Groups Discovery: Domain Groups | POWRUNER may collect domain group information by running net group /domain or a series of other commands on a victim. |
Discovery (TA0007) | T1518.001 Software Discovery: Security Software Discovery | POWRUNER may collect information on the victim's anti-virus software. |
Discovery (TA0007) | T1082 System Information Discovery | POWRUNER may collect information about the system by running hostname and systeminfo on a victim. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | POWRUNER may collect network configuration data by running ipconfig /all on a victim. |
Discovery (TA0007) | T1049 System Network Connections Discovery | POWRUNER may collect active network connections by running netstat -an on a victim. |
Discovery (TA0007) | T1033 System Owner/User Discovery | POWRUNER may collect information about the currently logged in user by running whoami on a victim. |