POWRUNER
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
POWRUNER may use WMI when collecting information about a victim.[1] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell | |
| .003 | 命令与脚本解释器: Windows Command Shell | |||
| Enterprise | T1113 | 屏幕捕获 | ||
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| .004 | 应用层协议: DNS | |||
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding | |
| Enterprise | T1083 | 文件和目录发现 | ||
| Enterprise | T1069 | .001 | 权限组发现: Local Groups |
POWRUNER may collect local group information by running |
| .002 | 权限组发现: Domain Groups |
POWRUNER may collect domain group information by running |
||
| Enterprise | T1012 | 查询注册表 |
POWRUNER may query the Registry by running |
|
| Enterprise | T1082 | 系统信息发现 |
POWRUNER may collect information about the system by running |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
POWRUNER may collect information about the currently logged in user by running |
|
| Enterprise | T1049 | 系统网络连接发现 |
POWRUNER may collect active network connections by running |
|
| Enterprise | T1016 | 系统网络配置发现 |
POWRUNER may collect network configuration data by running |
|
| Enterprise | T1087 | .002 | 账号发现: Domain Account |
POWRUNER may collect user account information by running |
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
POWRUNER may collect information on the victim's anti-virus software.[1] |
| Enterprise | T1105 | 输入工具传输 |
POWRUNER can download or upload files from its C2 server.[1] |
|
| Enterprise | T1057 | 进程发现 |
POWRUNER may collect process information by running |
|
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
POWRUNER persists through a scheduled task that executes it every minute.[1] |