S0139: PowerDuke
Analyst context for executives and security teams
PowerDuke matters because it represents a Windows backdoor associated in ATT&CK with macro-delivered Word or Excel attachments and follow-on host discovery, stealth, persistence, command execution, and file transfer behaviors. For leaders, the practical question is not whether this specific 2016 malware is present today, but whether the organization can reliably prevent, observe, and investigate the pattern: a user opens a malicious Office attachment, code executes on a Windows endpoint, the host is profiled, persistence is established, and additional tooling or commands may follow.
Executive priority
Prioritize this as a control-validation and readiness use case for phishing resilience, Office macro governance, Windows endpoint telemetry, and incident response evidence quality. The ATT&CK object has no official detection guidance, so assurance should come from proving that email controls, endpoint logging, persistence monitoring, and recovery controls can support timely decisions if a macro-delivered backdoor is suspected.
Technical view
Validate coverage on Windows endpoints for the behaviors linked to PowerDuke: Office-originated execution, Windows Command Shell activity, rundll32 proxy execution, Registry Run Key or Startup Folder persistence, discovery of users/processes/windows/files/network configuration/system time/system information, ingress tool transfer, file deletion, NTFS attribute abuse, and possible data destruction activity. Because MITRE does not provide a detection section for this malware, detection engineering should map alerts and hunts to the related techniques rather than rely on a PowerDuke-specific signature alone.
Likely telemetry
- Email gateway and attachment metadata for Microsoft Word or Excel files, especially macro-enabled documents
- Office process creation and child-process telemetry on Windows endpoints
- Command-line telemetry for cmd.exe and rundll32.exe execution
- Windows registry monitoring for Run Key changes and Startup Folder writes
- File creation, deletion, directory enumeration, and NTFS attribute or alternate data stream evidence where available
Detection direction
- Start with behavior chains: Office document opened followed by scripting, cmd.exe, rundll32.exe, discovery commands, persistence writes, or unusual file transfer activity.
- Tune rundll32 and command-shell analytics against local administrative and software-management baselines to reduce false positives without allowlisting away abuse paths.
- Hunt for clustered discovery activity on a single Windows host, especially user, process, file, network configuration, and system information enumeration occurring near suspicious Office execution.
- Validate that Registry Run Key and Startup Folder monitoring includes user-context persistence, not only administrator-level changes.
- Assess whether file deletion and NTFS attribute monitoring is sufficient for incident reconstruction, since stealth-related techniques may remove or hide artifacts.
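The behaviour chains above, as an added example that is not part of the ATT&CK record or this page: a small Python hunt over constructed, Sysmon-style endpoint events. The field names (`id`, `host`, `time`, `user`, `image`, `parent`, `cmdline`, `target`) are assumptions loosely modelled on Sysmon Event IDs 1, 11 and 13, and every host, user, path and SID in the sample data is constructed. It flags an Office application spawning cmd.exe or rundll32.exe, clustered discovery commands on one host inside a ten-minute window, and Run key or Startup folder persistence written in user context, so the persistence analytic covers HKU and user-profile locations and not only HKLM.

```python
"""Behaviour-chain hunt over constructed Windows endpoint events.

Added example, not part of the ATT&CK record or the Glexia page. Event
dicts loosely mirror Sysmon fields (Event ID 1 process creation, 11 file
creation, 13 registry value set); all records below are constructed.
"""
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PROXY_OR_SHELL = {"cmd.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Commands that correspond to the discovery techniques listed for PowerDuke.
DISCOVERY_CMDS = {"whoami", "tasklist", "ipconfig", "systeminfo", "hostname", "net"}
RUN_KEY_MARKERS = ("\\microsoft\\windows\\currentversion\\run\\",
                   "\\microsoft\\windows\\currentversion\\runonce\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
WINDOW = timedelta(minutes=10)   # clustering window for discovery commands
THRESHOLD = 3                    # discovery events inside one window needed to flag


def _base(path):
    """Lower-cased file name of a path or command-line token."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _t(event):
    return datetime.fromisoformat(event["time"])


def find_office_spawns(events):
    """Office application directly launching a shell or proxy-execution binary."""
    return [e for e in events if e["id"] == 1
            and _base(e["parent"]) in OFFICE_PARENTS
            and _base(e["image"]) in PROXY_OR_SHELL]


def _is_discovery(event):
    return event["id"] == 1 and any(_base(tok) in DISCOVERY_CMDS
                                    for tok in event["cmdline"].split())


def find_discovery_clusters(events, window=WINDOW, threshold=THRESHOLD):
    """Per host, flag runs of at least `threshold` discovery commands inside one window."""
    by_host = {}
    for e in sorted(filter(_is_discovery, events), key=_t):
        by_host.setdefault(e["host"], []).append(e)
    clusters = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and _t(evs[j + 1]) - _t(evs[i]) <= window:
                j += 1
            if j - i + 1 >= threshold:
                clusters.append({"host": host, "start": evs[i]["time"], "end": evs[j]["time"],
                                 "count": j - i + 1,
                                 "commands": [e["cmdline"] for e in evs[i:j + 1]]})
                i = j + 1
            else:
                i += 1
    return clusters


def find_persistence(events):
    """Run key writes and Startup folder drops; user_context marks HKU / user-profile cases."""
    hits = []
    for e in events:
        tgt = e.get("target", "").lower()
        if e["id"] == 13 and any(m in tgt for m in RUN_KEY_MARKERS):
            hits.append({"host": e["host"], "kind": "run_key", "target": e["target"],
                         "user_context": tgt.startswith("hku\\s-1-5-21")})
        elif e["id"] == 11 and STARTUP_MARKER in tgt:
            hits.append({"host": e["host"], "kind": "startup_folder", "target": e["target"],
                         "user_context": tgt.startswith("c:\\users\\")})
    return hits


def hunt(events):
    return {"office_spawns": find_office_spawns(events),
            "discovery_clusters": find_discovery_clusters(events),
            "persistence": find_persistence(events)}


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SYS32 = "C:\\Windows\\System32\\"
# Constructed sample telemetry: one suspicious chain on WS01, benign helpdesk use on WS02.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "time": "2024-05-01T09:00:00", "user": "CORP\\jdoe", "image": OFFICE,
     "parent": "C:\\Windows\\explorer.exe", "cmdline": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\agenda.docm"'},
    {"id": 1, "host": "WS01", "time": "2024-05-01T09:00:12", "user": "CORP\\jdoe", "image": SYS32 + "cmd.exe",
     "parent": OFFICE, "cmdline": "cmd.exe /c whoami /all"},
    {"id": 1, "host": "WS01", "time": "2024-05-01T09:00:15", "user": "CORP\\jdoe", "image": SYS32 + "rundll32.exe",
     "parent": SYS32 + "cmd.exe", "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dat,Start"},
    {"id": 1, "host": "WS01", "time": "2024-05-01T09:00:20", "user": "CORP\\jdoe", "image": SYS32 + "tasklist.exe",
     "parent": SYS32 + "rundll32.exe", "cmdline": "tasklist /v"},
    {"id": 1, "host": "WS01", "time": "2024-05-01T09:00:25", "user": "CORP\\jdoe", "image": SYS32 + "ipconfig.exe",
     "parent": SYS32 + "rundll32.exe", "cmdline": "ipconfig /all"},
    {"id": 1, "host": "WS01", "time": "2024-05-01T09:00:30", "user": "CORP\\jdoe", "image": SYS32 + "systeminfo.exe",
     "parent": SYS32 + "rundll32.exe", "cmdline": "systeminfo"},
    {"id": 13, "host": "WS01", "time": "2024-05-01T09:01:00", "user": "CORP\\jdoe", "image": SYS32 + "rundll32.exe",
     "target": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"id": 11, "host": "WS01", "time": "2024-05-01T09:01:05", "user": "CORP\\jdoe", "image": SYS32 + "rundll32.exe",
     "target": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"},
    {"id": 1, "host": "WS02", "time": "2024-05-01T09:05:00", "user": "CORP\\helpdesk", "image": SYS32 + "cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
    {"id": 1, "host": "WS02", "time": "2024-05-01T09:05:05", "user": "CORP\\helpdesk", "image": SYS32 + "ipconfig.exe",
     "parent": SYS32 + "cmd.exe", "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_EVENTS).items():
        print(kind, len(findings), findings)
```

The three analytics are kept separate so each can be baselined on its own: the Office-child rule is high fidelity and rarely needs tuning, the discovery-cluster threshold and window are the knobs to adjust against local administrative activity (the single ipconfig on WS02 stays below the threshold), and the persistence rule reports user-context writes explicitly so a review that only watches HKLM is visibly incomplete.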
Mitigation priorities
- Reduce macro-delivered malware risk through Office macro policy, attachment handling, and user-facing phishing controls appropriate to business workflows.
- Ensure managed detection or SOC coverage can correlate email, endpoint process, registry, file, and network evidence for Windows hosts.
- Harden and monitor common proxy-execution and shell paths such as rundll32.exe and cmd.exe without relying solely on blocklists.
- Implement persistence-control reviews for Run Keys and Startup Folders, including user-profile locations.
- Maintain tested backup and recovery processes to support resilience where destructive behavior is a concern.
Analyst notes and limits
The supplied ATT&CK record identifies PowerDuke as a Windows backdoor used by APT29 in 2016 and primarily delivered through malicious Microsoft Word or Excel macros. The decision value is in validating defenses against the associated behavior set: macro initial access pattern, Windows execution, discovery, stealth, persistence, file transfer, and destructive-risk indicators.
MITRE provides no official detection text, no explicit tactics on the malware object, and no aliases or labels in the supplied fields. The external reporting reference is from 2016. Relationship descriptions describe ATT&CK techniques generally and should be validated against local telemetry before being treated as PowerDuke-specific detection logic.
PowerDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | PowerDuke has a command to get the victim's domain and NetBIOS name. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1027.003 | Steganography Sub-technique | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA). (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | PowerDuke uses rundll32.exe to load. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1082 | System Information Discovery | PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1083 | File and Directory Discovery | PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1010 | Application Window Discovery | PowerDuke has a command to get text of the current foreground window. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1485 | Data Destruction | PowerDuke has a command to write random data across a file and delete it. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1033 | System Owner/User Discovery | PowerDuke has commands to get the current user's name and SID. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1057 | Process Discovery | PowerDuke has a command to list the victim's processes. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1124 | System Time Discovery | PowerDuke has commands to get the time the machine was built, the time, and the time zone. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1070.004 | File Deletion Sub-technique | PowerDuke has a command to write random data across a file and delete it. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1105 | Ingress Tool Transfer | PowerDuke has a command to download a file. (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS). (Citation: Volexity PowerDuke November 2016) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | PowerDuke runs |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | PowerDuke achieves persistence by using various Registry Run keys. (Citation: Volexity PowerDuke November 2016) |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a22d1973b8f4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Volexity PowerDuke November 2016: Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. (Open source URL)
- [2] PowerDuke (Citation: Volexity PowerDuke November 2016)
- [3] mitre-attack S0139 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.