PowerStallion

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[1]

ID: S0393
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | PowerStallion uses an XOR cipher to encrypt command output written to its OneDrive C2 server. [1] |
| Enterprise | T1086 | PowerShell | PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server. [1] |
| Enterprise | T1057 | Process Discovery | PowerStallion has been used to monitor process lists. [1] |
| Enterprise | T1064 | Scripting | PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server. [1] |
| Enterprise | T1099 | Timestomp | PowerStallion modifies the MAC times of its local log files to match those of the victim's desktop.ini file. [1] |
| Enterprise | T1102 | Web Service | PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with net use. [1] |
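The Timestomp row above describes log files whose MAC times were copied from the victim's desktop.ini. The following hunting script is an added example for defenders, not code from the ATT&CK page or from the reporting it cites; it assumes you point it at a directory that contains a desktop.ini (such as a user's Desktop) and flags any other file whose three timestamps match desktop.ini exactly, which legitimately created files essentially never do.

```powershell
# Added example (not from the ATT&CK page): flag files whose creation, write and
# access times all equal those of desktop.ini in the same directory, the
# timestomping pattern attributed to PowerStallion. Function name and parameters
# are this example's own choices.
function Find-DesktopIniTimestompCandidates {
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory to inspect
        [switch] $Recurse                         # also walk subdirectories
    )

    $dirs = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $dirs += Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($dir in $dirs) {
        $iniPath = Join-Path $dir.FullName 'desktop.ini'
        # desktop.ini is normally hidden+system, so -Force is required to see it.
        if (-not (Test-Path -LiteralPath $iniPath)) { continue }
        $ref = Get-Item -LiteralPath $iniPath -Force

        Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                # Compare in UTC at full tick precision: an exact three-way match
                # is what copying another file's timestamps produces.
                $match = ($_.CreationTimeUtc   -eq $ref.CreationTimeUtc) -and
                         ($_.LastWriteTimeUtc  -eq $ref.LastWriteTimeUtc) -and
                         ($_.LastAccessTimeUtc -eq $ref.LastAccessTimeUtc)
                if ($match) {
                    [pscustomobject]@{
                        File           = $_.FullName
                        ReferenceFile  = $ref.FullName
                        CreationTime   = $_.CreationTimeUtc
                        LastWriteTime  = $_.LastWriteTimeUtc
                        LastAccessTime = $_.LastAccessTimeUtc
                    }
                }
            }
    }
}

# Usage: scan the current user's Desktop, where desktop.ini is normally present.
Find-DesktopIniTimestompCandidates -Path ([Environment]::GetFolderPath('Desktop')) -Recurse |
    Format-Table -AutoSize
```

Candidates this reports still need triage: confirm with the NTFS $FILE_NAME timestamps (which user-mode timestomping does not update) before treating a hit as malicious, and pair it with a review of mapped drives pointing at OneDrive, the Web Service row's C2 channel.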

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |

References