
S1173: PowerExchange

PowerExchange is a PowerShell backdoor that has been used by OilRig since at least 2023 including against government targets in the Middle East.[1]

Domain: Enterprise. ID: S1173. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PowerExchange matters because it is a Windows PowerShell backdoor, and ATT&CK links it to execution, mail-protocol command and control, tool transfer, deobfuscation, and exfiltration over the C2 channel. For leaders, the practical issue is not just “malware exists”; it is whether the organization can see PowerShell activity, abnormal mail-protocol traffic, and data movement well enough to make fast containment decisions.

Executive priority

Prioritize this as a readiness check for Windows endpoint visibility, egress monitoring, and incident response decision-making. The object is associated with OilRig and reported use against Middle Eastern government targets, but local risk should be based on exposure, sector relevance, Windows estate criticality, and whether SOC teams can produce audit-ready evidence for PowerShell execution, C2-like mail traffic, file transfer, and possible exfiltration.

Technical view

ATT&CK provides no official detection text for PowerExchange, so defenders should validate coverage from the mapped behaviors: T1059.001 PowerShell execution, T1071.003 mail protocols for command and control, T1105 ingress tool transfer, T1140 deobfuscation/decoding, and T1041 exfiltration over C2. The relationship notes on this page say only that commands and results move "through email"; they do not name the mail protocol or API, so do not scope monitoring to a single port. On Windows, confirm that endpoint telemetry captures PowerShell process creation, command line and script content where permitted, parent-child process context, file writes associated with transferred tools, and network connections using SMTP/S, POP3/S, or IMAP/S patterns inconsistent with the host's normal role.

Likely telemetry

  • Windows process creation and command-line telemetry
  • PowerShell operational and script block logging where enabled
  • Endpoint file creation/modification events for newly transferred tools or payloads
  • Network flow, firewall, proxy, and secure web gateway logs showing outbound connections
  • Email gateway or mail-protocol telemetry for SMTP/S, POP3/S, and IMAP activity

Detection direction

  • Do not rely on a named-malware signature alone; map detections to the related ATT&CK techniques.
  • Tune PowerShell analytics for suspicious execution context, encoded or obfuscated content, unusual child processes, and execution from atypical paths, while accounting for legitimate administration scripts.
  • Baseline which Windows hosts should legitimately initiate mail-protocol traffic; investigate endpoints using SMTP/S, POP3/S, or IMAP outside expected mail-client or server roles.
  • Correlate PowerShell execution with outbound mail-protocol sessions, new file creation, decoding/deobfuscation behavior, and unusual data volume over the same channel.
  • Validate retention and analyst access to logs before an incident; the absence of official ATT&CK detection guidance makes local telemetry quality the deciding factor.
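The correlation the list above describes, as an added example that is not code from the ATT&CK page, Glexia or Symantec. It runs over constructed sample events (not real telemetry); the event field names, the mail-role host allowlist, the ten-minute window and the signal names are assumptions. It goes slightly beyond the list by decoding a PowerShell -EncodedCommand argument and scanning script-block text for the decode-and-write pattern the relationship notes attribute to PowerExchange (FromBase64String followed by WriteAllBytes), so that T1140/T1105 evidence is scored alongside the mail-protocol egress.

```python
"""Added example (not code from the ATT&CK page, Glexia or Symantec): correlate
constructed Windows telemetry to surface hosts where PowerShell execution
(T1059.001), Base64 decode / byte-write script content (T1140, T1105) and
outbound mail-protocol sessions (T1071.003, T1041) co-occur."""
import base64
import re
from datetime import datetime, timedelta

MAIL_PORTS = {25, 465, 587, 110, 995, 143, 993}   # SMTP/S, POP3/S, IMAP/S
MAIL_ROLE_HOSTS = {"mail-01"}   # assumption: hosts whose role includes mail protocols
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
WINDOW = timedelta(minutes=10)  # assumption: correlation window after PowerShell start
PS_ARGS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_PATTERNS = {             # hypothetical signal names, not ATT&CK terms
    "base64-decode": re.compile(r"FromBase64String", re.I),                 # T1140
    "write-bytes": re.compile(r"WriteAllBytes|-Encoding\s+Byte", re.I),    # T1105
    "download-cradle": re.compile(r"Net\.WebClient|Invoke-WebRequest|\bIEX\b", re.I),
}


def _enc(cmd: str) -> str:
    """Encode a command the way PowerShell -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    # ws-042: Outlook spawns hidden encoded PowerShell, a script block decodes
    # Base64 and writes bytes to disk, then the same host opens an IMAPS session.
    {"ts": "2024-03-05T09:01:10", "host": "ws-042", "type": "process", "image": PS,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("IEX (New-Object Net.WebClient)")},
    {"ts": "2024-03-05T09:01:12", "host": "ws-042", "type": "scriptblock",
     "text": "[IO.File]::WriteAllBytes($path, [Convert]::FromBase64String($body))"},
    {"ts": "2024-03-05T09:01:15", "host": "ws-042", "type": "file",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"ts": "2024-03-05T09:02:00", "host": "ws-042", "type": "network", "image": PS,
     "dst": "203.0.113.10", "dport": 993},
    # mail-01: SMTP egress is its job, so admin PowerShell here must not alert.
    {"ts": "2024-03-05T09:05:00", "host": "mail-01", "type": "process", "image": PS,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\queue-report.ps1"},
    {"ts": "2024-03-05T09:05:30", "host": "mail-01", "type": "network",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "dst": "198.51.100.5", "dport": 25},
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = PS_ARGS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def script_signals(text: str) -> set:
    """Signal names whose pattern appears in command-line or script-block text."""
    return {name for name, rx in SCRIPT_PATTERNS.items() if rx.search(text)}


def correlate(events: list) -> list:
    """One alert per PowerShell start that is followed, within WINDOW, by
    mail-protocol egress from a non-mail-role host, or whose script content
    shows decode-and-write behaviour; reasons list the contributing signals."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for p in evs:
            if p["type"] != "process" or basename(p["image"]) not in {"powershell.exe", "pwsh.exe"}:
                continue
            t0 = datetime.fromisoformat(p["ts"])
            reasons = {"powershell-exec"}
            if basename(p.get("parent", "")) in OFFICE_PARENTS:
                reasons.add("office-parent")
            decoded = decode_encoded_command(p["cmdline"])
            if decoded is not None:
                reasons.add("encoded-command")
                reasons |= script_signals(decoded)
            for f in evs:  # follow-on activity on the same host inside the window
                if not t0 <= datetime.fromisoformat(f["ts"]) <= t0 + WINDOW:
                    continue
                if f["type"] == "scriptblock":
                    reasons |= script_signals(f["text"])
                elif f["type"] == "file":
                    reasons.add("file-write")
                elif f["type"] == "network" and f["dport"] in MAIL_PORTS \
                        and host not in MAIL_ROLE_HOSTS:
                    reasons.add("mail-protocol-egress")
            if "mail-protocol-egress" in reasons or {"base64-decode", "write-bytes"} <= reasons:
                alerts.append({"host": host, "ts": p["ts"], "reasons": sorted(reasons)})
    return alerts
```

The host-level allowlist is the weakest part of this rule and is where local tuning belongs: a workstation running a desktop mail client legitimately speaks SMTP/S or IMAP/S to the organization's own mail servers, so a production baseline keys on destination and on the originating process (restricting the network match to the PowerShell image is the first tightening to try), not on host name alone. The decode-and-write condition fires without any network evidence because script-block logging is often the only telemetry that survives when the C2 channel blends into normal mail traffic.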

Mitigation priorities

  • Harden and monitor PowerShell use on Windows, including logging and administrative control of script execution where operationally feasible.
  • Restrict unnecessary outbound mail-protocol traffic from endpoints and enforce egress paths through monitored infrastructure.
  • Use application control and least privilege to reduce unauthorized script and tool execution.
  • Ensure endpoint and network controls can preserve evidence for IR: process lineage, script content where allowed, file artifacts, and network session metadata.
  • Prepare response playbooks for suspected PowerShell backdoor activity that include host isolation criteria, credential review, C2 blocking, and scoping for exfiltration over the same channel.

Analyst notes and limits

The ATT&CK object identifies PowerExchange as a PowerShell backdoor used by OilRig since at least 2023 and cites Symantec reporting. Relationship context is especially important here because the malware object has no tactics or official detection text; the mapped techniques provide the best defensive planning frame.

This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current exploitation, customer exposure, complete malware functionality, or guaranteed detection coverage. Local environment baselines are required to distinguish malicious PowerShell and mail-protocol activity from legitimate administration and business use.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain, ID, Name, Relationship / procedure

Enterprise T1105 Ingress Tool Transfer

PowerExchange can decode Base64-encoded files and call `WriteAllBytes` to write the files to compromised hosts. [1]

Enterprise T1041 Exfiltration Over C2 Channel

PowerExchange can exfiltrate files via its email C2 channel. [1]

Enterprise T1071.003 Mail Protocols (sub-technique)

PowerExchange can receive and send back the results of executed C2 commands through email. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PowerExchange can decode and decrypt C2 commands received via email. [1]

Enterprise T1059.001 PowerShell (sub-technique)

PowerExchange can use PowerShell to execute commands received from C2. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: bff09f9754efaab9...

Imported snapshots across ATT&CK releases (1)
Release 19.1; object version 1.0; status: current bundle; raw hash bff09f9754ef… (bundle import date and modified date are not shown in the snapshot)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Crambus OCT 2023
     Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  2. [2] mitre-attack S1173
     MITRE ATT&CK software entry S1173 (attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.