S0184: POWRUNER
Analyst context for executives and security teams
POWRUNER matters because it represents a Windows PowerShell-based command-and-control capability, not just a malware name. For leaders, the practical question is whether the organization can see and control script-driven activity that blends administration, discovery, file transfer, and web or DNS-based communications. The ATT&CK relationships show a broad post-compromise pattern: discovery of users, groups, processes, files, registry, network settings, security tools, plus execution through PowerShell, command shell, WMI, and scheduled tasks.
Executive priority
Prioritize POWRUNER as a validation case for Windows endpoint visibility, PowerShell governance, egress monitoring, and incident response readiness. Because ATT&CK links the software to OilRig and to discovery, execution, persistence, collection, and command-and-control techniques, it is useful for testing whether SOC and IR teams can distinguish legitimate administration from suspicious scripted behavior. It also supports audit and control discussions around script logging, privileged account monitoring, DNS/web egress oversight, and evidence retention.
Technical view
Validate coverage on Windows hosts for PowerShell execution, command shell activity, WMI use, scheduled task creation or modification, registry queries, account and group enumeration, process and file discovery, system and network discovery, screen capture activity, tool transfer, and C2 over web protocols or DNS. Since the official ATT&CK object provides no detection guidance, defenders should build detections from the related techniques rather than from a malware-specific signature alone. Give special attention to correlated sequences: PowerShell or cmd execution followed by discovery commands, security software enumeration, encoded content, outbound web/DNS traffic, or scheduled task persistence.
Likely telemetry
- PowerShell script block, module, transcription, and process command-line logs where enabled
- Windows process creation events for powershell, cmd, WMI-related processes, discovery utilities, and scheduled task utilities
- Windows Task Scheduler operational logs and task registration/change events
- Registry access/query telemetry from endpoint detection or Windows auditing where available
- Authentication and directory telemetry for local, domain account, and group enumeration
Detection direction
- Treat this as behavior-driven detection: correlate PowerShell, cmd, WMI, and scheduled task activity with discovery and outbound communications rather than relying on the POWRUNER name.
- Baseline legitimate administrative PowerShell and WMI use to reduce false positives, especially for IT operations, endpoint management, and software deployment workflows.
- Hunt for clustered discovery behavior involving registry, user, group, process, file, system, network configuration, network connection, and security software enumeration.
- Review outbound web and DNS telemetry for unusual host behavior, encoded data patterns, new destinations, or command-like periodicity, while recognizing that ATT&CK does not provide POWRUNER-specific indicators here.
- Confirm logging depth: many organizations collect process events but lack PowerShell script content, DNS detail, scheduled task history, or proxy visibility needed to make this behavior actionable.
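As an added illustration of the correlation approach described above (not part of the ATT&CK object or the original page), this Python prototype groups script-spawned discovery processes per host and flags a host when several distinct technique IDs from this page appear inside a short window; the event rows and the image-to-technique map are constructed assumptions, not real telemetry or an official mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta
TECHNIQUE_MAP = {  # child image -> technique ID on this page (assumed mapping)
    "whoami.exe": "T1033", "tasklist.exe": "T1057", "ipconfig.exe": "T1016",
    "netstat.exe": "T1049", "systeminfo.exe": "T1082", "reg.exe": "T1012",
    "schtasks.exe": "T1053.005",
}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}  # parent images this rule cares about
WINDOW = timedelta(minutes=5)
MIN_TECHNIQUES = 3  # distinct technique IDs before a host is flagged

def classify(event):
    """Map one process-creation event to a technique ID; net.exe depends on its sub-command."""
    image, cmd = event["image"].lower(), event["cmdline"].lower()
    if image in ("net.exe", "net1.exe"):
        if "localgroup" in cmd: return "T1069.001"
        if "group" in cmd: return "T1069.002"
        return "T1087.002" if "user" in cmd else None
    return TECHNIQUE_MAP.get(image)

def correlate(events):
    """One alert per host whose script-spawned children reach MIN_TECHNIQUES
    distinct IDs inside WINDOW, noting scheduled-task persistence if seen."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["parent"].lower() not in SCRIPT_HOSTS:
            continue  # console-launched discovery is left to baselining
        tech = classify(e)
        if tech:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), tech))
    alerts = []
    for host, seq in by_host.items():
        for i, (start, _) in enumerate(seq):
            seen = {t for ts, t in seq[i:] if ts - start <= WINDOW}
            if len(seen) >= MIN_TECHNIQUES:
                alerts.append({"host": host, "start": start.isoformat(),
                               "techniques": sorted(seen),
                               "persistence": "T1053.005" in seen})
                break  # first qualifying window per host is enough for triage
    return alerts

SAMPLE_EVENTS = [  # constructed rows, not real telemetry: scripted burst on WS01, routine admin on ADM02
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "parent": "powershell.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"ts": "2024-03-01T09:00:02", "host": "WS01", "parent": "powershell.exe", "image": "net.exe", "cmdline": "net group /domain"},
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "parent": "powershell.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-03-01T09:00:40", "host": "WS01", "parent": "powershell.exe", "image": "schtasks.exe", "cmdline": "schtasks /create"},
    {"ts": "2024-03-01T09:01:00", "host": "ADM02", "parent": "explorer.exe", "image": "ipconfig.exe", "cmdline": "ipconfig"},
    {"ts": "2024-03-01T09:02:00", "host": "ADM02", "parent": "cmd.exe", "image": "tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2024-03-01T09:40:00", "host": "ADM02", "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
]
```

Tune WINDOW, MIN_TECHNIQUES and SCRIPT_HOSTS against your own baseline of administrative PowerShell and WMI use before relying on the rule.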
Mitigation priorities
- First, ensure PowerShell and Windows command execution are governed with appropriate logging, least privilege, and administrative-use controls.
- Restrict and monitor WMI and scheduled task administration to expected users, systems, and management channels.
- Improve egress control and monitoring for web and DNS traffic from Windows endpoints, especially where direct outbound access is not required.
- Harden identity visibility around local and domain group/account enumeration, with focus on privileged groups and administrative workstations.
- Maintain endpoint detection coverage and tamper visibility so security software discovery or evasion preparation is more likely to be noticed.
Analyst notes and limits
ATT&CK identifies POWRUNER as a PowerShell script that sends and receives commands to and from a C2 server. The object is Windows-scoped and has no official detection text. The strongest defensive value comes from the relationships to ATT&CK techniques, which show the behaviors defenders should validate. ATT&CK also records that OilRig uses this object; that relationship can inform threat intelligence prioritization, but local exposure and relevance still depend on the organization’s environment and threat model.
This take is limited to the supplied ATT&CK fields, external references, and relationships. No malware indicators, command syntax, hashes, infrastructure, or official detection logic were provided. Several related techniques list platforms beyond Windows, but the POWRUNER object itself is supplied as Windows, so platform assumptions should remain Windows-focused unless local evidence shows otherwise.
POWRUNER
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | POWRUNER may collect network configuration data by running |
| Enterprise | T1071.001 | Web Protocols Sub-technique | POWRUNER can use HTTP for C2 communications. (Citation: FireEye APT34 Dec 2017) (Citation: FireEye APT34 Webinar Dec 2017) |
| Enterprise | T1047 | Windows Management Instrumentation | POWRUNER may use WMI when collecting information about a victim. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1057 | Process Discovery | POWRUNER may collect process information by running |
| Enterprise | T1071.004 | DNS Sub-technique | POWRUNER can use DNS for C2 communications. (Citation: FireEye APT34 Dec 2017) (Citation: FireEye APT34 Webinar Dec 2017) |
| Enterprise | T1033 | System Owner/User Discovery | POWRUNER may collect information about the currently logged in user by running |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | POWRUNER may collect information on the victim's anti-virus software. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | POWRUNER may collect domain group information by running |
| Enterprise | T1069.001 | Local Groups Sub-technique | POWRUNER may collect local group information by running |
| Enterprise | T1087.002 | Domain Account Sub-technique | POWRUNER may collect user account information by running |
| Enterprise | T1083 | File and Directory Discovery | POWRUNER may enumerate user directories on a victim. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1082 | System Information Discovery | POWRUNER may collect information about the system by running |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | POWRUNER can execute commands from its C2 server. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1059.001 | PowerShell Sub-technique | POWRUNER is written in PowerShell. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | POWRUNER can use base64 encoded C2 communications. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | POWRUNER can download or upload files from its C2 server. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1012 | Query Registry | POWRUNER may query the Registry by running |
| Enterprise | T1049 | System Network Connections Discovery | POWRUNER may collect active network connections by running |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | POWRUNER persists through a scheduled task that executes it every minute. (Citation: FireEye APT34 Dec 2017) |
| Enterprise | T1113 | Screen Capture | POWRUNER can capture a screenshot from a victim. (Citation: FireEye APT34 Dec 2017) |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 942ab2f3348e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT34 Dec 2017: Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- [2] POWRUNER (Citation: FireEye APT34 Dec 2017)
- [3] mitre-attack S0184
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.