Domain | ID | Name | Use
---|---|---|---
Enterprise | T1010 | Application Window Discovery | PowerDuke has a command to get text of the current foreground window.[1]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PowerDuke achieves persistence by using various Registry Run keys.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PowerDuke runs
Enterprise | T1485 | Data Destruction | PowerDuke has a command to write random data across a file and delete it.[1]
Enterprise | T1083 | File and Directory Discovery | PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[1]
Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | PowerDuke has a command to write random data across a file and delete it.[1]
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[1]
Enterprise | T1057 | Process Discovery |
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 |
Enterprise | T1082 | System Information Discovery | PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[1]
Enterprise | T1016 | System Network Configuration Discovery | PowerDuke has a command to get the victim's domain and NetBIOS name.[1]
Enterprise | T1033 | System Owner/User Discovery | PowerDuke has commands to get the current user's name and SID.[1]
Enterprise | T1124 | System Time Discovery | PowerDuke has commands to get the time the machine was built, the time, and the time zone.[1]
ID | Name | References
---|---|---
G0016 | APT29 |