Detection and Blocking of PowerTool as Hacktool.PowerTool


Article ID: 428761

Products

  • Endpoint Protection
  • Carbon Black Cloud Endpoint Standard
  • CASB Audit
  • CASB Security Standard
  • Endpoint Security

Issue/Introduction

PowerTool is a Windows security utility used for detecting and analyzing rootkits, bootkits, hidden processes, and kernel-level malware.
However, recent threat intelligence indicates that multiple ransomware operators are abusing PowerTool to disable security products
before deploying ransomware or exfiltrating data.

Cause

Threat Overview

Observed Abuse

Attackers have been leveraging PowerTool to terminate services and processes prior to launching payloads. Multiple threat actors have been confirmed to use PowerTool in their ransomware campaigns, including:

  • Akira
  • Play
  • Hunters International

Threat research teams at Broadcom have observed multiple pre-ransomware activities involving PowerTool, where it was used to neutralize defences, thereby enabling:

  • Ransomware deployment
  • Data exfiltration
  • Secondary malware deployment
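As an added illustration (not code from this article or from Broadcom), the following Python script correlates a PowerTool process launch with stops of security services on the same host shortly afterwards, which is the pre-ransomware pattern described above; the log format, binary name, host names and service names are assumptions.

```python
"""Correlate a PowerTool launch with security-service stops shortly afterwards.

Constructed sample events modelled on Sysmon process-creation (ID 1) and
Service Control Manager (ID 7036) records; field names are simplified and the
file name, hosts and service names are assumptions, not values from the article.
"""
from datetime import datetime, timedelta

# Services whose stop right after a PowerTool launch is suspicious (assumed names;
# adjust to the security products deployed in your environment).
PROTECTED_SERVICES = {"SepMasterService", "CbDefense", "WinDefend"}
WINDOW = timedelta(minutes=10)

# Constructed sample log lines: timestamp|host|event_id|detail
SAMPLE_LOG = """\
2024-05-01T09:58:10|ws01|1|Image=C:\\Tools\\PowerTool.exe
2024-05-01T10:01:42|ws01|7036|Service=SepMasterService State=stopped
2024-05-01T10:02:05|ws01|7036|Service=CbDefense State=stopped
2024-05-01T10:02:30|ws01|7036|Service=Spooler State=stopped
2024-05-01T11:30:00|ws02|7036|Service=SepMasterService State=stopped
2024-05-01T12:00:00|ws02|1|Image=C:\\Tools\\PowerTool.exe
"""

def parse(line):
    """Split one pipe-delimited record into a dict; key=value pairs in detail become fields."""
    ts, host, event_id, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "id": int(event_id), **fields}

def powertool_launches(events):
    """Process-creation events whose image name is the (assumed) PowerTool binary."""
    return [e for e in events
            if e["id"] == 1 and e.get("Image", "").lower().endswith("powertool.exe")]

def correlate(log_text):
    """Return one alert per PowerTool launch that is followed, within WINDOW and on the
    same host, by stops of protected services. Stops *before* the launch do not count."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for launch in powertool_launches(events):
        stopped = sorted(
            e["Service"] for e in events
            if e["id"] == 7036 and e["host"] == launch["host"]
            and e.get("State") == "stopped" and e["Service"] in PROTECTED_SERVICES
            and launch["ts"] <= e["ts"] <= launch["ts"] + WINDOW)
        if stopped:
            alerts.append({"host": launch["host"], "launch": launch["ts"], "services": stopped})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['host']}: PowerTool at {a['launch']:%H:%M:%S}, then stopped {', '.join(a['services'])}")
```

In the sample data only ws01 alerts: the SepMasterService stop on ws02 happened half an hour before the tool ran there, and the Spooler stop on ws01 is not a protected service.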

Current Status

  • PowerTool currently carries a good file reputation, so reputation-based trust allows it to execute.
  • Despite that benign reputation, PowerTool is actively used by attackers to disable protection layers.

Resolution

Implementation

    1. PowerTool will be blocked statically using the VID/signature Hacktool.PowerTool.
    2. Reputation-based changes and SDS blocking will extend protection to the Carbon Black (CB) products as well.

If the tool has to be used, you can exclude the PowerTool detections using:

  • Hash-based exclusion, or
  • VID (Hacktool.PowerTool) exclusion