S0184: POWRUNER
Analyst context for executives and security teams
POWRUNER matters because it represents a Windows PowerShell-based command-and-control capability, not just a malware name. For leaders, the practical question is whether the organization can see and control script-driven activity that blends administration, discovery, file transfer, and web or DNS-based communications. The ATT&CK relationships show a broad post-compromise pattern: discovery of users, groups, processes, files, registry, network settings, security tools, plus execution through PowerShell, command shell, WMI, and scheduled tasks.
Executive priority
Prioritize POWRUNER as a validation case for Windows endpoint visibility, PowerShell governance, egress monitoring, and incident response readiness. Because ATT&CK links the software to OilRig and to discovery, execution, persistence, collection, and command-and-control techniques, it is useful for testing whether SOC and IR teams can distinguish legitimate administration from suspicious scripted behavior. It also supports audit and control discussions around script logging, privileged account monitoring, DNS/web egress oversight, and evidence retention.
Technical view
Validate coverage on Windows hosts for PowerShell execution, command shell activity, WMI use, scheduled task creation or modification, registry queries, account and group enumeration, process and file discovery, system and network discovery, screen capture activity, tool transfer, and C2 over web protocols or DNS. Since the official ATT&CK object provides no detection guidance, defenders should build detections from the related techniques rather than from a malware-specific signature alone. Give special attention to correlated sequences: PowerShell or cmd execution followed by discovery commands, security software enumeration, encoded content, outbound web/DNS traffic, or scheduled task persistence.
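The correlated sequence described above (script-host execution, then clustered discovery, encoded content, and scheduled-task persistence within a short window), as an added Python example that is not part of this page or of ATT&CK. The event records are constructed in the shape of process-creation and script-block logs; the command-line regexes, the technique mapping, the ten-minute window and the four-technique threshold are illustrative assumptions, not a POWRUNER signature.

```python
"""Added example: correlate script-host execution with clustered discovery.

Constructed events in the shape of process-creation / script-block records;
the regexes, window and threshold are illustrative assumptions, not a
POWRUNER signature (ATT&CK supplies none for this object).
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to techniques listed for S0184 (assumed, partial list).
PATTERNS = [(re.compile(p, re.I), tid) for p, tid in [
    (r"\bwhoami\b", "T1033"),
    (r"\bnet\s+group\b.*/domain", "T1069.002"),
    (r"\bnet\s+localgroup\b", "T1069.001"),
    (r"\bnet\s+user\b.*/domain", "T1087.002"),
    (r"\btasklist\b|\bget-process\b", "T1057"),
    (r"\bipconfig\b|\bget-netipconfiguration\b", "T1016"),
    (r"\bnetstat\b", "T1049"),
    (r"\bsysteminfo\b|win32_operatingsystem", "T1082"),
    (r"\breg(?:\.exe)?\s+query\b|\bget-itemproperty\b", "T1012"),
    (r"antivirusproduct|securitycenter2", "T1518.001"),
    (r"\bschtasks(?:\.exe)?\s+/create\b|\bregister-scheduledtask\b", "T1053.005"),
    (r"\bwmic(?:\.exe)?\b|\bget-wmiobject\b|\bget-ciminstance\b", "T1047"),
]]
# -EncodedCommand and its short forms take UTF-16LE script text as base64.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
WINDOW = timedelta(minutes=10)   # tuning assumption
MIN_DISTINCT = 4                 # distinct technique IDs per window before alerting


def decode_encoded_command(cmdline):
    """Return the decoded script for an encoded PowerShell invocation, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Map one command line (plus any decoded payload) to technique IDs and flags."""
    text, flags = cmdline, set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        text = cmdline + " " + decoded      # scan the decoded script as well
        flags.add("encoded_powershell")
    return {tid for pat, tid in PATTERNS if pat.search(text)}, flags


def correlate(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Per host, report the first window with clustered discovery, or encoded PowerShell plus discovery."""
    by_host = defaultdict(list)
    for ev in events:
        techs, flags = classify(ev["cmdline"])
        if techs or flags:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), techs, flags))
    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda it: it[0])
        for i, (t0, _, _) in enumerate(items):
            cluster = [it for it in items[i:] if it[0] - t0 <= window]
            techs = set().union(*(it[1] for it in cluster))
            flags = set().union(*(it[2] for it in cluster))
            if len(techs) >= min_distinct or ("encoded_powershell" in flags and len(techs) >= 2):
                alerts.append({"host": host, "start": t0.isoformat(), "events": len(cluster),
                               "techniques": sorted(techs), "flags": sorted(flags)})
                break   # one alert per host is enough for triage
    return alerts


# Constructed sample telemetry (not real POWRUNER data).
_SCRIPT = r"whoami; net group 'Domain Admins' /domain; Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"
_ENC = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ts": "2024-03-05T10:02:00", "host": "WS-FIN07", "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENC}"},
    {"ts": "2024-03-05T10:02:15", "host": "WS-FIN07", "cmdline": "cmd.exe /c tasklist /v"},
    {"ts": "2024-03-05T10:02:40", "host": "WS-FIN07", "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-03-05T10:03:05", "host": "WS-FIN07", "cmdline": r"cmd.exe /c reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2024-03-05T10:04:10", "host": "WS-FIN07", "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -f C:\Users\Public\u.ps1"'},
    # Routine help-desk activity: two discovery commands, no cluster, no encoding.
    {"ts": "2024-03-05T09:00:00", "host": "WS-ADMIN01", "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-03-05T09:00:30", "host": "WS-ADMIN01", "cmdline": "net user jsmith /domain"},
    {"ts": "2024-03-05T11:30:00", "host": "WS-ADMIN01", "cmdline": "powershell.exe Get-Process -Name outlook"},
    {"ts": "2024-03-05T11:31:00", "host": "WS-ADMIN01", "cmdline": r"notepad.exe C:\Users\jsmith\notes.txt"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign host shows why the threshold matters: two discovery commands half a minute apart is ordinary help-desk work and produces nothing, while the finance host trips on both rules (eight distinct techniques in two minutes, and an encoded command whose decoded body enumerates users, domain groups and security products). In production the decode step is what makes script block logging (4104) worth the volume, because the encoded command line alone carries none of these strings.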
Likely telemetry
- PowerShell script block, module, transcription, and process command-line logs where enabled
- Windows process creation events for powershell, cmd, WMI-related processes, discovery utilities, and scheduled task utilities
- Windows Task Scheduler operational logs and task registration/change events
- Registry access/query telemetry from endpoint detection or Windows auditing where available
- Authentication and directory telemetry for local, domain account, and group enumeration
Detection direction
- Treat this as behavior-driven detection: correlate PowerShell, cmd, WMI, and scheduled task activity with discovery and outbound communications rather than relying on the POWRUNER name.
- Baseline legitimate administrative PowerShell and WMI use to reduce false positives, especially for IT operations, endpoint management, and software deployment workflows.
- Hunt for clustered discovery behavior involving registry, user, group, process, file, system, network configuration, network connection, and security software enumeration.
- Review outbound web and DNS telemetry for unusual host behavior, encoded data patterns, new destinations, or command-like periodicity, while recognizing that ATT&CK does not provide POWRUNER-specific indicators here.
- Confirm logging depth: many organizations collect process events but lack PowerShell script content, DNS detail, scheduled task history, or proxy visibility needed to make this behavior actionable.
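A DNS-side check for the "command-like periodicity" and "encoded data patterns" called out above, as an added Python example that is not from this page, from ATT&CK, or from any POWRUNER report. The query log is constructed; treating the last two labels as the registered domain is a simplification (a real deployment would use a public-suffix list), and the query-count, jitter, label-length and entropy thresholds are tuning assumptions. It includes a legitimate periodic agent so the baselining problem in the second bullet is visible in the output.

```python
"""Added example: DNS egress profiling for beacon-like periodicity and encoded labels.

The query log, the two-label approximation of the registered domain and every
threshold are constructed assumptions; ATT&CK gives no POWRUNER indicators.
"""
import base64
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (registered domain, subdomain); the last two labels are assumed to be the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(queries, min_queries=8, max_cv=0.25, min_entropy=3.0, min_label_len=20, min_distinct=0.9):
    """Flag (host, domain) pairs whose queries are evenly spaced, or whose labels are long, high-entropy and mostly unique."""
    groups = defaultdict(list)
    for q in queries:
        domain, sub = split_query(q["qname"])
        groups[(q["host"], domain)].append((datetime.fromisoformat(q["ts"]), sub))
    findings = []
    for (host, domain), items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation of the inter-query gap: near zero means a fixed timer.
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        subs = [s for _, s in items]
        mean_len = statistics.mean([len(s) for s in subs])
        mean_ent = statistics.mean([shannon_entropy(s.replace(".", "")) for s in subs])
        distinct = len(set(subs)) / len(subs)
        reasons = []
        if cv <= max_cv:
            reasons.append("periodic")
        if mean_len >= min_label_len and mean_ent >= min_entropy and distinct >= min_distinct:
            reasons.append("encoded_labels")
        if reasons:
            findings.append({"host": host, "domain": domain, "queries": len(items),
                             "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 2),
                             "mean_label_entropy": round(mean_ent, 2), "reasons": sorted(reasons)})
    return findings


def _constructed_queries():
    """Constructed DNS log: one beacon, one browsing user, one legitimate periodic agent."""
    start = datetime(2024, 3, 5, 10, 0, 0)
    rows = []
    # Beacon: one query per minute with small jitter; each label carries a 40-char base32 chunk.
    for i, jitter in enumerate([0, 3, -2, 4, -3, 1, 0, -4, 2, -1, 3, -2]):
        label = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()).decode().lower()[:40]
        rows.append({"ts": (start + timedelta(seconds=60 * i + jitter)).isoformat(),
                     "host": "WS-FIN07", "qname": f"{label}.cdn-sync.example"})
    # Interactive browsing: irregular timing, short reused names.
    for offset, name in [(5, "mail"), (125, "intranet"), (132, "mail"), (432, "sharepoint"), (447, "mail"),
                         (492, "intranet"), (494, "hr"), (1094, "mail"), (1124, "intranet"), (1130, "wiki")]:
        rows.append({"ts": (start + timedelta(seconds=offset)).isoformat(),
                     "host": "WS-ADMIN01", "qname": f"{name}.corp.example"})
    # Legitimate agent heartbeat: periodic but plain; this is the case baselining must absorb.
    for i in range(10):
        rows.append({"ts": (start + timedelta(seconds=300 * i)).isoformat(),
                     "host": "WS-ADMIN01", "qname": "telemetry.vendor.example"})
    return rows


SAMPLE_QUERIES = _constructed_queries()

if __name__ == "__main__":
    for finding in profile(SAMPLE_QUERIES):
        print(finding)
```

Two findings come back: the finance host to cdn-sync.example on both rules, and the admin host to vendor.example on periodicity alone. The second is the false positive the page warns about; in practice the periodic-only rule should be fed an allowlist of known agent domains, while the encoded-labels rule is the one that usually survives baselining, because ordinary software rarely emits long, unique, high-entropy hostnames.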
Mitigation priorities
- First, ensure PowerShell and Windows command execution are governed with appropriate logging, least privilege, and administrative-use controls.
- Restrict and monitor WMI and scheduled task administration to expected users, systems, and management channels.
- Improve egress control and monitoring for web and DNS traffic from Windows endpoints, especially where direct outbound access is not required.
- Harden identity visibility around local and domain group/account enumeration, with focus on privileged groups and administrative workstations.
- Maintain endpoint detection coverage and tamper visibility so security software discovery or evasion preparation is more likely to be noticed.
Analyst notes and limits
ATT&CK identifies POWRUNER as a PowerShell script that sends and receives commands to and from a C2 server. The object is Windows-scoped and has no official detection text. The strongest defensive value comes from the relationships to ATT&CK techniques, which show the behaviors defenders should validate. ATT&CK also records that OilRig uses this object; that relationship can inform threat intelligence prioritization, but local exposure and relevance still depend on the organization’s environment and threat model.
This take is limited to the supplied ATT&CK fields, external references, and relationships. No malware indicators, command syntax, hashes, infrastructure, or official detection logic were provided. Several related techniques list platforms beyond Windows, but the POWRUNER object itself is supplied as Windows, so platform assumptions should remain Windows-focused unless local evidence shows otherwise.
POWRUNER
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | |
| Enterprise | T1087.002 | Account Discovery: Domain Account | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1113 | Screen Capture | |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 942ab2f3348e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT34 Dec 2017: Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- [2] POWRUNER (Citation: FireEye APT34 Dec 2017)
- [3] mitre-attack S0184
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.