S0145: POWERSOURCE
POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [1] [2]
Analyst context for executives and security teams
POWERSOURCE matters because it represents a Windows PowerShell backdoor delivered through spearphishing and macro-enabled documents, with follow-on behavior tied to registry discovery, persistence, DNS command-and-control, tool transfer, and hiding data with NTFS attributes. For leaders, the practical issue is not the malware name itself but whether finance, legal, SEC-reporting, and other high-value business users are protected by controls and telemetry that can expose malicious Office macro/VBS-to-PowerShell activity and unusual DNS-based communications.
Executive priority
Treat this as a validation case for Windows endpoint visibility, phishing resilience, and DNS monitoring around sensitive business functions. The ATT&CK record cites 2017 campaigns against personnel involved in SEC filings and a relationship showing FIN7 use, so executives should ask whether high-risk reporting and finance workflows have stronger email, endpoint, identity, and incident-response coverage than standard users. It is also useful for audit and resilience discussions: can the organization prove it monitors PowerShell execution, registry-based persistence, DNS egress, and suspicious file attributes on Windows systems?
Technical view
SOC and IR teams should use POWERSOURCE as a coverage test across the related ATT&CK behaviors: T1059.001 PowerShell execution, T1012 registry query activity, T1547.001 Run Keys/Startup Folder persistence, T1071.004 DNS command-and-control, T1105 ingress tool transfer, and T1564.004 NTFS file attribute abuse. Because MITRE does not provide a dedicated detection section for this software object, detection engineering should be relationship-driven: correlate document or macro/VBS execution leading to PowerShell, PowerShell activity that queries or modifies registry locations, new or suspicious Run Key/startup persistence, DNS traffic patterns that may carry command-and-control, file transfer activity following execution, and evidence of hidden data through NTFS attributes. Tune carefully for legitimate administrative PowerShell and normal DNS volume.
Likely telemetry
- Email security and attachment detonation results for spearphishing and macro-enabled documents
- Windows endpoint process creation and command-line telemetry, especially Office, VBS/script host, and PowerShell parent-child relationships
- PowerShell operational logs, script content logging where enabled, and PowerShell execution policy/context evidence
- Windows Registry access and modification telemetry, including Run Keys and startup persistence locations
- DNS query and response logs from endpoints, resolvers, and network sensors
Detection direction
- Validate that macro or script-driven PowerShell execution is visible, not just blocked or logged at the email gateway.
- Build correlation around Office or VBS launching PowerShell, followed by registry queries, persistence changes, DNS activity, or file transfer behavior.
- Review DNS monitoring for unusual domains, query patterns, volume, or encoded-looking content, while accounting for high normal DNS noise.
- Monitor Run Key and Startup Folder changes with context about the modifying process and user account.
- Hunt for PowerShell activity that performs discovery or downloads/transfers content, but tune out approved administration and software management workflows.
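As an added illustration of the correlation this section describes (example code, not from the ATT&CK object or Glexia's analysis), the Python below runs over constructed Sysmon-like events and flags a PowerShell process whose ancestry includes an Office application or Windows script host when that process then touches a Run key or issues DNS TXT queries, while leaving PowerShell launched from an ordinary shell untouched. The event shape, field names, pids, user names and the query domain are all assumptions.

```python
# Constructed sample events in a Sysmon-like shape; pids, users and domains are invented placeholders.
EVENTS = [
    {"type": "process", "pid": 400, "ppid": 120, "image": "WINWORD.EXE", "user": "corp\\clerk"},
    {"type": "process", "pid": 410, "ppid": 400, "image": "wscript.exe", "user": "corp\\clerk"},
    {"type": "process", "pid": 420, "ppid": 410, "image": "powershell.exe", "user": "corp\\clerk"},
    {"type": "registry", "pid": 420, "op": "query", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "registry", "pid": 420, "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "dns", "pid": 420, "qtype": "TXT", "query": "a3f9.c2-placeholder.invalid"},
    {"type": "dns", "pid": 420, "qtype": "TXT", "query": "b71c.c2-placeholder.invalid"},
    # Benign admin console: PowerShell under explorer.exe with an ordinary A lookup.
    {"type": "process", "pid": 500, "ppid": 100, "image": "explorer.exe", "user": "corp\\admin"},
    {"type": "process", "pid": 510, "ppid": 500, "image": "powershell.exe", "user": "corp\\admin"},
    {"type": "dns", "pid": 510, "qtype": "A", "query": "updates.vendor.example"},
]

# Office and Windows script hosts: PowerShell anywhere beneath one of these is the trigger.
SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe", "cscript.exe"}
# Substring that matches both the HKCU (user) and HKLM (administrator) Run key paths.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

def ancestors(procs, pid, depth=5):  # image names of the process's ancestors, nearest first
    chain, p = [], procs.get(procs.get(pid, {}).get("ppid"))
    while p and depth > 0:
        chain.append(p["image"].lower())
        p, depth = procs.get(p["ppid"]), depth - 1
    return chain

def correlate(events):
    """Flag PowerShell under a script host; each follow-on behavior seen raises the score."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for p in procs.values():
        if p["image"].lower() != "powershell.exe":
            continue
        hosts = [a for a in ancestors(procs, p["pid"]) if a in SCRIPT_HOSTS]
        if not hosts:
            continue  # PowerShell from explorer or admin consoles is tuned out here
        follow = [e for e in events if e["type"] != "process" and e["pid"] == p["pid"]]
        signals = ["spawned under " + "/".join(hosts)]
        if any(e["type"] == "registry" and RUN_KEY in e["key"].lower() for e in follow):
            signals.append("Run key queried or set")
        txt = sum(1 for e in follow if e["type"] == "dns" and e["qtype"] == "TXT")
        if txt:
            signals.append(f"{txt} DNS TXT queries")
        alerts.append({"pid": p["pid"], "user": p["user"], "signals": signals, "score": len(signals)})
    return alerts
```

In a real pipeline the same chain would be built from Sysmon event IDs 1 (process), 12/13 (registry) and 22 (DNS) and baselined against approved administrative PowerShell before alerting.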
Mitigation priorities
- Prioritize phishing and macro-risk reduction for users involved in sensitive financial, legal, and regulatory reporting workflows.
- Harden and monitor PowerShell usage on Windows endpoints, with administrative exceptions governed and logged.
- Restrict and monitor script execution paths involving Office, VBS, and PowerShell where business operations allow.
- Control persistence opportunities by monitoring and governing Registry Run Keys and Startup Folder changes.
- Improve DNS egress visibility and filtering so DNS-based command-and-control is not a logging gap.
Analyst notes and limits
The supplied ATT&CK object identifies POWERSOURCE as a heavily obfuscated, modified PowerShell backdoor related to DNS_TXT_Pwnage and notes observed delivery through enabled macros that dropped a VBS script. External references indicate overlap with DNSMessenger reporting, and the relationship set links the software to FIN7 and to several ATT&CK techniques. The strongest defensive value is using those relationships to validate telemetry and response playbooks across the infection chain.
MITRE provides no official detection text for POWERSOURCE in the supplied fields, and the malware object itself has no specified tactics. This take therefore derives defensive guidance from the official description, external references, Windows platform field, and supplied technique relationships. Local environment baselines are required to distinguish malicious PowerShell, DNS, registry, and file-system activity from legitimate administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell | POWERSOURCE is a PowerShell backdoor. [1] [2] |
| Enterprise | T1012 | Query Registry | POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access. [2] |
| Enterprise | T1564.004 | NTFS File Attributes | If the victim is using PowerShell 3.0 or later, POWERSOURCE writes its decoded payload to an alternate data stream (ADS) named kernel32.dll that is saved in |
| Enterprise | T1071.004 | DNS | POWERSOURCE uses DNS TXT records for C2. [1] [2] |
| Enterprise | T1105 | Ingress Tool Transfer | POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims. [1] |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE modification timestamp.
Imported snapshots across ATT&CK releases (1)
| Release | Object version | Status | Raw hash |
|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 7c4cac3e8992… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye FIN7 March 2017. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
[2] Cisco DNSMessenger March 2017. Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
[3] DNSMessenger. Based on similar descriptions of functionality, it appears S0145, as named by FireEye, is the same as the first stages of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. [2] [1]
[4] POWERSOURCE. [1]
[5] mitre-attack S0145.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.