S0393 PowerStallion

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[1]

| Item | Value |
| --- | --- |
| ID | S0393 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 21 June 2019 |
| Last Modified | 09 February 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | PowerStallion modifies the MAC times of its local log files to match those of the victim's desktop.ini file.[1] |
| enterprise | T1027 | Obfuscated Files or Information | PowerStallion uses an XOR cipher to encrypt command output written to its OneDrive C2 server.[1] |
| enterprise | T1057 | Process Discovery | PowerStallion has been used to monitor process lists.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with `net use`.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0010 | Turla | [1] |

References