S0441: PowerShower
PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[1][2]
Analyst context for executives and security teams
PowerShower matters because it represents a Windows PowerShell backdoor used for early reconnaissance and for downloading and executing follow-on payloads. For leaders, the practical issue is not the malware name alone; it is whether the organization can see and investigate suspicious PowerShell activity, host discovery, registry-based persistence, web-based command-and-control, and possible exfiltration over the same channel.
Executive priority
Prioritize this as a readiness check for Windows endpoint visibility, PowerShell governance, and incident response evidence. The ATT&CK relationships show behaviors across execution, discovery, persistence, command-and-control, collection, exfiltration, and stealth. Security leaders should ask whether SOC and IR teams can reconstruct PowerShell execution, registry changes, outbound web communications, file deletion, archiving activity, and user/system discovery from retained telemetry. This also supports audit and compliance evidence around endpoint logging, least privilege, and monitoring of administrative scripting tools.
Technical view
PowerShower is documented by ATT&CK as a PowerShell backdoor associated through relationships with Inception and with techniques including PowerShell execution, Visual Basic execution, system/user/network/process discovery, registry modification, Registry Run Keys or Startup Folder persistence, hidden windows, file deletion, standard encoding, archive via utility, web-protocol C2, and exfiltration over C2. SOC teams should validate detections around unusual PowerShell command lines and script block content, registry Run key changes, encoded command patterns, discovery command bursts, archive creation before network activity, and outbound HTTP/S-like traffic from unexpected processes. IR teams should confirm they can preserve endpoint, registry, PowerShell, process, file, and network evidence before cleanup, especially because file deletion is part of the related behavior set.
Likely telemetry
- Windows process creation events with command-line arguments
- PowerShell operational logs, including script block and module logging where enabled
- Windows Registry auditing for Run keys and other modified keys
- Endpoint detection telemetry for hidden-window process execution and child-process relationships
- File system events for dropped files, archive creation, and deletion
Detection direction
- Validate coverage for PowerShell execution rather than relying on malware-name signatures only.
- Correlate discovery behaviors such as user, system, process, and network configuration discovery with suspicious PowerShell or Visual Basic execution.
- Tune for encoded or obfuscated command content, while accounting for legitimate administrative scripts that may also use encoding.
- Monitor Registry Run key and startup-folder changes, especially when paired with PowerShell-launched payloads or unusual parent processes.
- Look for archive creation followed by outbound web traffic, which may support investigation of collection and exfiltration-over-C2 relationships.
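The telemetry and detection directions above are easier to validate when run against concrete records. The following is an added example (not code from the page, Glexia, Unit 42, Kaspersky or MITRE) that applies the listed behaviours to constructed endpoint records shaped like Sysmon Event ID 1 / Security 4688 process creation, Sysmon Event ID 13 registry value set and Sysmon Event ID 3 network connection: decoded `-EncodedCommand` content, hidden-window flags, Run-key writes, discovery bursts, and archive creation followed by web egress from a script host. The field names, host names and the destination address are assumptions of the example.

```python
"""Behaviour-based triage of Windows endpoint telemetry for the PowerShell-backdoor
pattern on this page.  Added example; record layout and host names are assumed."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "rar.exe", "winrar.exe"}
WEB_PORTS = {80, 443, 8080, 8443}
DISCOVERY_PATTERNS = [
    r"\bwhoami\b", r"\bsysteminfo\b", r"\btasklist\b", r"\bipconfig\b", r"\bnet\s+config\b",
    r"\bget-process\b", r"\bget-wmiobject\b.*win32_computersystem", r"\$env:userdomain\b",
    r"\[environment\]::userdomainname",
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN_FLAG = re.compile(r"(?:^|\s)[-/]w(?:indowstyle)?\s+hidden\b", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_discovery(text):
    low = text.lower()
    return any(re.search(p, low) for p in DISCOVERY_PATTERNS)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def analyze(events, burst_n=3, burst_window=timedelta(minutes=5), egress_window=timedelta(minutes=10)):
    """Return alerts as (rule, host, timestamp, detail) tuples."""
    alerts, discovery, archives = [], defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=_ts):
        host, image = ev["host"], ev["image"].lower()
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                alerts.append(("encoded_command", host, ev["ts"], decoded))
            if image in SCRIPT_HOSTS:
                if HIDDEN_FLAG.search(cmd):
                    alerts.append(("hidden_window", host, ev["ts"], cmd))
                if ev["parent"].lower() in OFFICE_APPS:
                    alerts.append(("office_spawns_script_host", host, ev["ts"], ev["parent"]))
                # Score discovery on the decoded script when present, so encoding does not hide it.
                if is_discovery(decoded or cmd):
                    discovery[host].append(ev)
            if RUN_KEY.search(cmd):
                alerts.append(("run_key_persistence", host, ev["ts"], cmd))
            if image in ARCHIVERS:
                archives[host].append(ev)
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            alerts.append(("run_key_persistence", host, ev["ts"], f"{image} -> {ev['key']}"))
        elif ev["type"] == "network" and image in SCRIPT_HOSTS and ev["dport"] in WEB_PORTS:
            # Archive creation shortly before web egress from a script host: collection + exfil shape.
            prior = [a for a in archives[host] if timedelta(0) <= _ts(ev) - _ts(a) <= egress_window]
            if prior:
                alerts.append(("archive_then_web_egress", host, ev["ts"],
                               f"{prior[-1]['cmdline']} -> {ev['dst']}:{ev['dport']}"))
    # Discovery burst: burst_n or more discovery commands from script hosts inside burst_window.
    for host, evs in discovery.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if _ts(e) - _ts(first) <= burst_window]
            if len(window) >= burst_n:
                alerts.append(("discovery_burst", host, first["ts"], [e["cmdline"] for e in window]))
                break
    return alerts


def summarize(alerts):
    """Map host -> set of rule names, the view an analyst triages first."""
    out = defaultdict(set)
    for rule, host, _, _ in alerts:
        out[host].add(rule)
    return dict(out)


def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample records: a hypothetical affected host (WS01) and an administrator
# host (ADMIN01) whose encoded command is routine maintenance and should stay low-priority.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2024-01-10T09:00:00", "host": "WS01", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell.exe -NoP -W Hidden -enc " + _enc("whoami; hostname")},
    {"type": "process", "ts": "2024-01-10T09:00:05", "host": "WS01", "image": "powershell.exe",
     "parent": "powershell.exe", "cmdline": "powershell.exe -c Get-Process | Select Name"},
    {"type": "process", "ts": "2024-01-10T09:00:09", "host": "WS01", "image": "powershell.exe",
     "parent": "powershell.exe", "cmdline": "powershell.exe -c $env:USERDOMAIN"},
    {"type": "registry", "ts": "2024-01-10T09:00:20", "host": "WS01", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "ts": "2024-01-10T09:02:00", "host": "WS01", "image": "7z.exe",
     "parent": "powershell.exe", "cmdline": r"7z.exe a C:\Users\Public\docs.7z C:\Users\alice\Documents\*.doc"},
    {"type": "network", "ts": "2024-01-10T09:02:30", "host": "WS01", "image": "powershell.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"type": "process", "ts": "2024-01-10T09:05:00", "host": "ADMIN01", "image": "powershell.exe",
     "parent": "explorer.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Service Spooler | Restart-Service")},
]

if __name__ == "__main__":
    for host, rules in summarize(analyze(SAMPLE_EVENTS)).items():
        print(host, sorted(rules))
```

The point of `summarize` is the tuning note in the list above: an encoded command on its own (ADMIN01) is a single low-confidence signal, while WS01 stacks encoding, a hidden window, an Office parent, a Run-key write, a discovery burst and archive-then-egress, which is the combination worth an analyst's time.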
Mitigation priorities
- Establish and enforce PowerShell logging and monitoring baselines on Windows systems.
- Apply least privilege so ordinary users and scripts cannot freely modify persistence-related registry locations.
- Restrict or monitor script execution and administrative scripting activity according to business need.
- Harden endpoint controls around suspicious child processes, hidden-window execution, and unauthorized file deletion or archive utilities.
- Use egress monitoring and web traffic inspection policies appropriate to the environment to identify unusual outbound C2-like behavior.
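The first mitigation, a PowerShell logging baseline, is only useful if it is actually in force on the endpoints, and the analyst notes below say local validation is required. The following is an added example (not code from the page, Glexia or MITRE) that audits the Group Policy-backed registry values for script block logging, module logging, transcription and command-line capture in process-creation events, and reports which telemetry is lost for each gap. The reader function is injected so the same checks run against a constructed policy snapshot off-Windows and against the live HKLM hive on Windows; the sample snapshot and the transcript directory are constructed for the example.

```python
"""Audit the PowerShell logging baseline that the mitigation list depends on.
Added example; the sample snapshot is constructed, the registry paths are the
documented policy locations."""
import sys

POLICY_ROOT = r"SOFTWARE\Policies\Microsoft\Windows\PowerShell"
AUDIT_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"

# (control, key under HKLM, value name, expected value or predicate, telemetry lost if absent)
BASELINE = [
    ("script_block_logging", POLICY_ROOT + r"\ScriptBlockLogging", "EnableScriptBlockLogging", 1,
     "Event ID 4104 script block text (Microsoft-Windows-PowerShell/Operational)"),
    ("module_logging", POLICY_ROOT + r"\ModuleLogging", "EnableModuleLogging", 1,
     "Event ID 4103 pipeline execution details"),
    ("module_logging_all_modules", POLICY_ROOT + r"\ModuleLogging\ModuleNames", "*", "*",
     "4103 coverage for every module rather than a named subset"),
    ("transcription", POLICY_ROOT + r"\Transcription", "EnableTranscripting", 1,
     "Per-session transcript files"),
    ("transcription_output_dir", POLICY_ROOT + r"\Transcription", "OutputDirectory",
     lambda v: bool(v), "Transcripts written to a central, protected location"),
    ("cmdline_in_4688", AUDIT_KEY, "ProcessCreationIncludeCmdLine_Enabled", 1,
     "Command-line arguments in Security Event ID 4688"),
]


def audit(read):
    """read(key, name) -> value or None.  Returns {control: (ok, observed, telemetry_lost)}."""
    results = {}
    for control, key, name, expected, lost in BASELINE:
        observed = read(key, name)
        ok = expected(observed) if callable(expected) else observed == expected
        results[control] = (ok, observed, lost)
    return results


def gaps(results):
    """Sorted names of the controls that are not in force."""
    return sorted(c for c, (ok, _, _) in results.items() if not ok)


def dict_reader(snapshot):
    """Reader over a {key: {name: value}} snapshot; registry names are case-insensitive."""
    norm = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in snapshot.items()}
    return lambda key, name: norm.get(key.lower(), {}).get(name.lower())


def winreg_reader():
    """Live HKLM reader; Windows only, so the import stays inside the function."""
    import winreg

    def read(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None
    return read


# Constructed snapshot of a partially hardened host: script block logging on, module
# logging enabled but not scoped to all modules, no transcription, no 4688 command lines.
SAMPLE_SNAPSHOT = {
    POLICY_ROOT + r"\ScriptBlockLogging": {"EnableScriptBlockLogging": 1},
    POLICY_ROOT + r"\ModuleLogging": {"EnableModuleLogging": 1},
    AUDIT_KEY: {"ProcessCreationIncludeCmdLine_Enabled": 0},
}

if __name__ == "__main__":
    reader = winreg_reader() if sys.platform == "win32" else dict_reader(SAMPLE_SNAPSHOT)
    for control, (ok, observed, lost) in audit(reader).items():
        print(f"{'OK ' if ok else 'GAP'} {control}: observed={observed!r}" + ("" if ok else f"; missing: {lost}"))
```

Run on a Windows endpoint it reads HKLM directly; anywhere else it evaluates the constructed snapshot, which is also how the expected output can be pinned in a unit test. The HKLM policy keys reflect machine-wide Group Policy; a per-user policy under HKCU would need the same checks against that hive.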
Analyst notes and limits
ATT&CK does not provide a dedicated detection section for PowerShower, so this take is derived from the official malware description, Windows platform field, external references, and the supplied relationships to techniques and the Inception group. The most defensible approach is behavior-based validation across the related techniques rather than assuming a single indicator or signature will be sufficient.
The supplied object does not include specific indicators, command examples, hashes, infrastructure, or an official detection analytic. Tactics are not specified directly on the malware object. Local validation is required to determine whether the organization collects the needed telemetry and whether legitimate administrative PowerShell use creates expected false positives.
PowerShower
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | PowerShower has collected system information on the infected host. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | PowerShower has the ability to remove all files created during the dropper process. [1] |
| Enterprise | T1057 | Process Discovery | PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes. [2] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | PowerShower is a backdoor written in PowerShell. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | PowerShower sets up persistence with a Registry run key. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days. [2] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | PowerShower has the ability to encode C2 communications with base64 encoding. [1][2] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions. [1] |
| Enterprise | T1112 | Modify Registry | PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | PowerShower has the ability to identify the current Windows domain of the infected host. [2] |
| Enterprise | T1033 | System Owner/User Discovery | PowerShower has the ability to identify the current user on the infected host. [2] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default. [1] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration. [2] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | PowerShower has the ability to save and execute VBScript. [1] |
Groups, software, and campaigns
G0100: Inception
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be expanded to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 783f5f2dc152… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 Inception November 2018: Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
- [2] Kaspersky Cloud Atlas August 2019: GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- [3] mitre-attack: S0441 (MITRE ATT&CK object record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.