
S0393: PowerStallion

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[1]

Enterprise | S0393 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PowerStallion matters because it represents a lightweight Windows PowerShell backdoor associated in ATT&CK with Turla and described as possible recovery access for installing other backdoors. For leaders, the key risk is not the malware name alone; it is whether the organization can reliably see suspicious PowerShell execution, process discovery, stealthy file changes, and web-service-based command-and-control patterns before they become persistent re-entry paths.

Executive priority

Prioritize this as a resilience and incident-readiness validation item for Windows environments. Ask whether SOC, IR, and compliance teams can prove collection and review of PowerShell activity, process execution context, file timestamp anomalies, and outbound web-service communications. Because the ATT&CK object has no official detection guidance, coverage should be evidenced through local telemetry and tested detections mapped to the related techniques rather than assumed from tool ownership.

Technical view

PowerStallion is documented by ATT&CK as a lightweight PowerShell backdoor on Windows, with relationships to PowerShell execution, process discovery, obfuscated files or information, timestomping, and bidirectional communication over legitimate web services. Detection engineering should validate behavior-based analytics around unusual PowerShell command/script activity, PowerShell spawning or inspecting processes, suspicious file metadata changes, encoded or obfuscated content, and outbound traffic patterns consistent with external web-service C2. IR teams should treat findings as potential access-maintenance behavior and look for additional backdoors or follow-on tooling, consistent with the supplied description that it may be used as recovery access.

Likely telemetry

  • Windows PowerShell logs, including script block/module/command-line evidence where available
  • Process creation telemetry showing parent-child process relationships and command-line arguments
  • Endpoint file metadata and filesystem telemetry capable of supporting timestamp anomaly review
  • Security tool alerts or logs related to obfuscated or encoded scripts/files
  • Network, proxy, DNS, and web gateway logs for outbound connections to external web services

Detection direction

  • Map detections to the related ATT&CK techniques: T1059.001, T1057, T1027, T1070.006, and T1102.002.
  • Validate that PowerShell logging is actually enabled and retained on Windows systems; lack of script and command context is a major blind spot for this object.
  • Tune for behavior chains rather than single indicators: PowerShell execution followed by process discovery, obfuscated content, timestamp changes, or unusual outbound web-service communication is higher value than PowerShell execution alone.
  • Account for false positives from administrators, automation, monitoring scripts, and legitimate web services by baselining known management activity and approved destinations.
  • Because ATT&CK provides no official detection text for PowerStallion, require local testing, telemetry review, and analyst feedback before claiming coverage.
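The behavior-chain approach in the bullets above, as an added example that is not part of the Glexia or MITRE page: a small Python correlator that maps constructed telemetry events to the five listed technique IDs and only reports a host when PowerShell execution is followed, within a window, by at least one of the other behaviors. The event schema (host, time, source, and the script/cmdline/dest/process fields), the timestamp_rewritten flag, the approved-destination baseline, the web-service list beyond OneDrive, and all sample events are assumptions made for the demo.

```python
"""Behavior-chain correlation for the PowerStallion-related techniques listed
on this page (T1059.001, T1057, T1027, T1070.006, T1102.002).

Added example. The event schema, field names, approved-destination baseline,
web-service list (beyond OneDrive) and all sample events are constructed
assumptions, not Glexia or MITRE data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # chain window per host (assumption)

# Baseline of approved management destinations (constructed).
APPROVED_WEB_SERVICES = {"sharepoint.example-corp.internal"}
# Public web services to treat as possible C2 channels when PowerShell talks
# to them. OneDrive comes from the page; the other entries are assumptions.
PUBLIC_WEB_SERVICES = {"onedrive.live.com", "drive.google.com", "api.dropboxapi.com"}

DISCOVERY = re.compile(r"\b(Get-Process|tasklist(\.exe)?|Win32_Process)\b", re.I)
OBFUSCATION = re.compile(r"(-enc(odedcommand)?\b|FromBase64String|-bxor\b)", re.I)


def classify(event):
    """Map one telemetry event to the ATT&CK technique IDs it evidences."""
    techs = set()
    src = event["source"]
    if src == "powershell":                      # script block / command-line logging
        techs.add("T1059.001")
        text = event.get("script", "")
        if DISCOVERY.search(text):
            techs.add("T1057")
        if OBFUSCATION.search(text):
            techs.add("T1027")
    elif src == "process":                       # process creation telemetry
        parent = event.get("parent", "").lower()
        if parent.endswith("powershell.exe") and DISCOVERY.search(event.get("cmdline", "")):
            techs.add("T1057")
    elif src == "file":                          # file metadata telemetry
        if event.get("timestamp_rewritten"):     # constructed flag from a timestomp rule
            techs.add("T1070.006")
    elif src == "proxy":                         # proxy / web gateway logs
        dest = event.get("dest", "").lower()
        if (dest in PUBLIC_WEB_SERVICES and dest not in APPROVED_WEB_SERVICES
                and event.get("process", "").lower().endswith("powershell.exe")):
            techs.add("T1102.002")
    return techs


def correlate(events, window=WINDOW):
    """Return {host: techniques} for hosts where a PowerShell execution is
    followed within `window` by at least one other listed technique.
    PowerShell execution alone never produces a finding."""
    by_host = defaultdict(list)
    for ev in events:
        techs = classify(ev)
        if techs:
            by_host[ev["host"]].append((ev["time"], techs))

    findings = {}
    for host, items in by_host.items():
        items.sort(key=lambda item: item[0])
        for i, (start, first) in enumerate(items):
            if "T1059.001" not in first:
                continue
            chain = set(first)
            for when, techs in items[i + 1:]:
                if when - start > window:
                    break
                chain |= techs
            # keep the richest chain seen for the host
            if chain - {"T1059.001"} and len(chain) > len(findings.get(host, ())):
                findings[host] = chain
    return findings


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events.
SAMPLE_EVENTS = [
    # WS-A: PowerShell, then discovery, a rewritten timestamp, and PowerShell talking to OneDrive.
    {"host": "WS-A", "time": ts("2024-05-01T09:00:00"), "source": "powershell",
     "script": "powershell.exe -w hidden -EncodedCommand AAAA"},
    {"host": "WS-A", "time": ts("2024-05-01T09:02:00"), "source": "powershell",
     "script": "Get-Process | Select-Object Name, Id"},
    {"host": "WS-A", "time": ts("2024-05-01T09:05:00"), "source": "file",
     "path": "C:\\Users\\demo\\AppData\\Local\\log.txt", "timestamp_rewritten": True},
    {"host": "WS-A", "time": ts("2024-05-01T09:06:00"), "source": "proxy",
     "process": "powershell.exe", "dest": "onedrive.live.com"},
    # WS-B: administrator script reaching an approved internal service only.
    {"host": "WS-B", "time": ts("2024-05-01T10:00:00"), "source": "powershell",
     "script": "Get-Service -Name Spooler"},
    {"host": "WS-B", "time": ts("2024-05-01T10:01:00"), "source": "proxy",
     "process": "powershell.exe", "dest": "sharepoint.example-corp.internal"},
    # WS-C: a lone PowerShell command.
    {"host": "WS-C", "time": ts("2024-05-01T11:00:00"), "source": "powershell",
     "script": "Get-Date"},
]

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(chain))
```

Only WS-A is reported; WS-B's approved destination and WS-C's single command fall below the chain threshold, which is the point of the fourth bullet about baselining known management activity. In a real deployment the classifier would read from the telemetry sources listed under "Likely telemetry" rather than from an inline list.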

Mitigation priorities

  • Harden and monitor PowerShell use on Windows, prioritizing logging, constrained administrative use, and review of unnecessary script execution paths.
  • Reduce unmanaged outbound web access where feasible and ensure proxy/DNS/web telemetry can support investigation of legitimate-service communication patterns.
  • Maintain endpoint controls and retention sufficient to investigate process discovery, obfuscated scripts/files, and timestamp manipulation.
  • Prepare IR playbooks for suspected PowerShell backdoor activity, including host isolation criteria, credential/session review, and hunting for additional backdoors or recovery mechanisms.
  • Use the Turla relationship as threat-intelligence context for prioritization, while avoiding attribution conclusions without independent evidence from the local incident.

Analyst notes and limits

The decision value is in validating behavior coverage across PowerShell execution, discovery, stealth, and command-and-control rather than building a malware-name-only alert. The supplied relationship to Turla is useful for intelligence context, but local telemetry is required before making any attribution or exposure statement.

The official ATT&CK object does not provide detection guidance, aliases, labels, or explicit tactics for the malware object. The summary is therefore constrained to the official description, Windows platform field, external reference, and listed relationships. No claim is made that PowerStallion is currently active, present in any environment, or guaranteed to be detected by any control.

Official MITRE ATT&CK definition

PowerStallion

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with net use. [1]

Enterprise | T1027 | Obfuscated Files or Information | PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server. [1]

Enterprise | T1059.001 | PowerShell (sub-technique) | PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server. [1]

Enterprise | T1070.006 | Timestomp (sub-technique) | PowerStallion modifies the MAC times of its local log files to match that of the victim's desktop.ini file. [1]

Enterprise | T1057 | Process Discovery | PowerStallion has been used to monitor process lists. [1]
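The T1070.006 row above says the backdoor copies desktop.ini's MAC times onto its log files. A cheap review check that follows from that, as an added example that is not part of the MITRE or Glexia page: list files in a directory whose access and modification times are nanosecond-identical to desktop.ini, since unrelated files almost never collide at that precision. The check reads stat() data only; the helper that builds a throwaway directory with one ordinary file and one file whose times were copied from desktop.ini exists purely so the check has constructed input to run against.

```python
"""Review check for the timestomp-to-desktop.ini behaviour described on this page.

Added example. The directory layout, file names and the fixed 2023 timestamp
are constructed for the demo, not taken from the page.
"""
import os
import tempfile
from pathlib import Path

REFERENCE_NAME = "desktop.ini"


def find_timestamp_clones(directory, reference_name=REFERENCE_NAME):
    """Return names of files in `directory` whose (atime_ns, mtime_ns) exactly
    equal those of the reference file. Exact nanosecond equality between
    unrelated files is rare on NTFS/ext4, so each hit deserves a look."""
    directory = Path(directory)
    ref = directory / reference_name
    if not ref.is_file():
        return []
    ref_stat = ref.stat()
    ref_times = (ref_stat.st_atime_ns, ref_stat.st_mtime_ns)
    clones = []
    for path in directory.iterdir():
        if path == ref or not path.is_file():
            continue
        st = path.stat()
        if (st.st_atime_ns, st.st_mtime_ns) == ref_times:
            clones.append(path.name)
    return sorted(clones)


def build_constructed_directory():
    """Create a temp directory holding a desktop.ini pinned to a fixed past
    time, an ordinary file with current times, and a log file whose times were
    copied from desktop.ini so the check has something to find. Returns the path."""
    d = tempfile.mkdtemp(prefix="timestomp-demo-")
    ref = Path(d) / REFERENCE_NAME
    ref.write_text("[.ShellClassInfo]\n")
    past_ns = 1672531200 * 10**9  # 2023-01-01T00:00:00Z, constructed
    os.utime(ref, ns=(past_ns, past_ns))
    (Path(d) / "ordinary.txt").write_text("created now, times left alone\n")
    log = Path(d) / "log.txt"
    log.write_text("constructed log file\n")
    os.utime(log, ns=(past_ns, past_ns))  # fixture only: mirrors the page's description
    return d


if __name__ == "__main__":
    demo = build_constructed_directory()
    print(find_timestamp_clones(demo))  # ['log.txt']
```

Run across user profile directories, the same function gives IR a short candidate list to cross-check against the PowerShell and file telemetry described earlier, rather than a verdict on its own; matching times on legitimately copied or restored files are the expected false positive.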

Associated objects

Groups, software, and campaigns

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: f2c1f9c4f20a5ba0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | f2c1f9c4f20a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET Turla PowerShell May 2019
     Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  2. [2] mitre-attack S0393
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.