{"description": "Enterprise techniques used by POWERSTATS, ATT&CK software S0223 (v2.3)", "name": "POWERSTATS (S0223)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve usernames from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) uses PowerShell for obfuscation and execution.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use VBScript (VBE) code for execution.(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use JavaScript code for execution.(Citation: ClearSky MuddyWater Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) encoded C2 traffic with base64.(Citation: Unit 42 MuddyWater Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can upload files from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
false}, {"techniqueID": "T1140", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can deobfuscate the main backdoor code.(Citation: ClearSky MuddyWater Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has encrypted C2 traffic with RSA.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can disable Microsoft Office Protected View by changing Registry keys.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can delete all files on the C:\\, D:\\, E:\\, and F:\\ drives using [PowerShell](https://attack.mitre.org/techniques/T1059/001) Remove-Item commands.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve and execute additional [PowerShell](https://attack.mitre.org/techniques/T1059/001) payloads from the C2 server.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": 
"[POWERSTATS](https://attack.mitre.org/software/S0223) can use DDE to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has created a scheduled task named \"MicrosoftEdge\" to establish persistence.(Citation: ClearSky MuddyWater Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) uses character replacement, [PowerShell](https://attack.mitre.org/techniques/T1059/001) environment variables, and XOR encoding to obfuscate code. [POWERSTATS](https://attack.mitre.org/software/S0223)'s backdoor code is a multi-layer obfuscated, encoded, and compressed blob.(Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018) [POWERSTATS](https://attack.mitre.org/software/S0223) has used PowerShell code with custom string obfuscation.(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has used useless code blocks to counter analysis.(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has used get_tasklist to discover processes on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.002", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has connected to C2 servers through proxies.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has established persistence through a scheduled task using the command \"C:\\Windows\\system32\\schtasks.exe\" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR \"c:\\Windows\\system32\\wscript.exe C:\\Windows\\temp\\Windows.vbe\".(Citation: ClearSky MuddyWater Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1029", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can sleep for a given number of seconds.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve screenshots from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has detected security tools.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use Mshta.exe to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve OS name/architecture and computer/domain name information from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve IP, network adapter configuration information, and domain from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) has the ability to identify the username on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use WMI queries to retrieve data from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by POWERSTATS", "color": "#66b1ff"}]}
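The T1053.005 and T1036.004 entries in the layer above record the one concrete command line POWERSTATS used for persistence: a daily task named "MicrosoftEdge" whose action is wscript.exe running a .vbe file out of C:\Windows\temp. The following is an added detection example, not part of the ATT&CK layer and not POWERSTATS code. It parses process-creation records for a `schtasks /Create`, pulls the `/TN` and `/TR` values, and flags the task when at least two traits of that chain line up: a script host as the action, a script-file payload, a payload in a user-writable directory, and a product-style task name that the action does not actually run. The sample records, the `WRITABLE_DIRS` list and the `LOOKALIKE_TASK_NAMES` list are constructed assumptions for the example.

```python
"""Detection helper for the scheduled-task persistence chain recorded under
T1053.005 / T1036.004 in the layer above (schtasks /Create ... /TN MicrosoftEdge
/TR "wscript.exe C:\\Windows\\temp\\Windows.vbe").  Added example: not part of
the ATT&CK layer and not POWERSTATS code.  SAMPLE_RECORDS are constructed for
this example; WRITABLE_DIRS and LOOKALIKE_TASK_NAMES are assumed lists."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Script hosts the layer records POWERSTATS using (T1059.001/.005/.007, T1218.005).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".hta", ".ps1")
# Assumption: directories an unprivileged user can normally write to.
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Assumption: task names that borrow a vendor product name (T1036.004 masquerading).
LOOKALIKE_TASK_NAMES = {"microsoftedge", "microsoftupdate", "windowsupdate", "googleupdate"}

_TOKEN = re.compile(r'"[^"]*"|\S+')  # one double-quoted span or one bare word


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


@dataclass
class Finding:
    task_name: str
    action: str
    reasons: List[str]


def analyze_schtasks(cmdline: str) -> Optional[Finding]:
    """Return a Finding when a 'schtasks /Create' command line shows at least two
    traits of the POWERSTATS persistence chain, else None."""
    toks = tokenize(cmdline)
    if not toks or _basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    if not any(t.lower() == "/create" for t in toks):
        return None  # /Delete, /Query, /Change do not create persistence
    opts: Dict[str, str] = {}
    for i, t in enumerate(toks[:-1]):
        if t.lower() in ("/tn", "/tr"):
            opts[t.lower()] = toks[i + 1]
    if "/tn" not in opts or "/tr" not in opts:
        return None
    task_name, action = opts["/tn"], opts["/tr"]
    action_toks = tokenize(action)
    if not action_toks:
        return None
    prog, args = _basename(action_toks[0]), action_toks[1:]

    reasons: List[str] = []
    if prog in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {prog}")
    if any(a.lower().endswith(SCRIPT_EXTS) for a in args):
        reasons.append("script file passed to the action as payload")
    if any(t.lower().startswith(WRITABLE_DIRS) for t in action_toks):
        reasons.append("action path is in a user-writable directory")
    # Masquerade check: the task borrows a product name that the action does not
    # actually run. Separators are stripped so "Microsoft\Edge\...\msedge.exe"
    # still counts as running the product named "MicrosoftEdge".
    squashed = re.sub(r"[^a-z0-9]", "", action.lower())
    if task_name.lower() in LOOKALIKE_TASK_NAMES and task_name.lower() not in squashed:
        reasons.append(f"task name {task_name!r} does not match the program it runs")
    return Finding(task_name, action, reasons) if len(reasons) >= 2 else None


def scan(records: List[Dict[str, str]]) -> List[Finding]:
    """Run analyze_schtasks over process-creation records with a CommandLine field."""
    out = []
    for rec in records:
        f = analyze_schtasks(rec.get("CommandLine", ""))
        if f:
            out.append(f)
    return out


# Constructed sample records (not real telemetry). The first reproduces the
# command line quoted in the T1053.005 entry; the rest are benign look-alikes.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 '
                    r'/TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /TN "Acme Backup" /TR "C:\Tools\Acme\backup.exe --full"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN MicrosoftEdge '
                    r'/TR "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Delete /F /TN MicrosoftEdge"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding.task_name, "->", finding.action)
        for reason in finding.reasons:
            print("   ", reason)
```

Only the first record is reported, with all four reasons; the legitimate task that also calls itself "MicrosoftEdge" is not, because its action really runs Edge, and the `/Delete` line is skipped because no task is created. The two-reason threshold is deliberate: a single trait such as wscript.exe as a task action is common enough in administrative scripts to be noisy on its own.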