Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to) Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
2id: 874acb07-02f7-4c9f-8069-e0659c6d3fad
3status: experimental
4description: |
5 Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to)
6 Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.
7references:
8 - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/
9author: RedCanary, Sigma formatting by Micah Babinski
10date: 2023/05/10
11tags:
12 - attack.initial_access
13 - attack.defense_evasion
14 - attack.t1566
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection_img:
20 Image|endswith: '\powershell.exe'
21 selection_filepath:
22 TargetFilename|contains: 'start menu\programs\startup'
23 selection_file_ext:
24 TargetFilename|endswith: '.lnk'
25 condition: all of selection*
26falsepositives:
27 - Unknown
28level: low```
References
-
Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules.
Read More
Related rules
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
- Malicious QakBot Dropped File Creation (Sysmon)
- ISO File Write to Suspicious Folder (RedCanary Threat Detection Report)
- Potential Homoglyph Attack Using Lookalike Characters
- Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)