Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
Detects suspicious PowerShell script block contents associated with Yellow Cockatoo, also known as Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
id: e2c6d4c8-2e14-47a8-b22c-e4c9e7e65d0e
status: experimental
description: Detects suspicious Powershell script load contents associated with Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.initial_access
    - attack.defense_evasion
    - attack.t1566
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'aescryptoserviceprovider'
            - 'frombase64string'
            - 'user32.dll'
    condition: selection
falsepositives:
    - Unknown
level: low
```
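To show what the rule's `selection` actually matches, here is an added Python example (not part of the rule or of RedCanary's tooling) that applies the same logic to a handful of constructed Script Block Logging events. It assumes the events come from PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and that the `ScriptBlockText` field holds the logged script text; the event records below are constructed for illustration. Sigma's `contains` modifier over a list is an OR of case-insensitive substring tests, which is what `matches_rule` implements.

```python
# Added example: evaluate the Sigma selection above against sample 4104 events.
# Sample events are constructed, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"EventID": 4104,
     "ScriptBlockText": "$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider"},
    {"EventID": 4104,
     "ScriptBlockText": "$bytes = [System.Convert]::FromBase64String($blob)"},
    {"EventID": 4104,
     "ScriptBlockText": "Add-Type -MemberDefinition $sig -Name Native -Namespace Win32  # imports from user32.dll"},
    {"EventID": 4104,
     "ScriptBlockText": "Write-Host 'hello world'"},
    # Constructed non-4104 record: outside the ps_script log source, so it is skipped.
    {"EventID": 4103,
     "ScriptBlockText": "FromBase64String"},
]

# The three substrings from the rule's ScriptBlockText|contains list.
INDICATORS = ("aescryptoserviceprovider", "frombase64string", "user32.dll")


def matches_rule(script_block_text: str) -> list:
    """Return the indicators present in the text.

    Sigma `contains` with a list is an OR; matching is case-insensitive,
    so a single hit on any indicator is enough to fire the rule.
    """
    lowered = script_block_text.lower()
    return [ind for ind in INDICATORS if ind in lowered]


def evaluate(events: list) -> list:
    """Apply the rule to Script Block Logging events.

    Returns (ScriptBlockText, matched_indicators) for every 4104 event
    that satisfies the selection.
    """
    hits = []
    for event in events:
        # Restrict to the ps_script log source: Event ID 4104 (assumption, see lead-in).
        if event.get("EventID") != 4104:
            continue
        matched = matches_rule(event.get("ScriptBlockText", ""))
        if matched:
            hits.append((event["ScriptBlockText"], matched))
    return hits


if __name__ == "__main__":
    for text, matched in evaluate(SAMPLE_EVENTS):
        print(f"[level: low] {matched} <- {text}")
```

Running it flags three of the five 4104 events, one per indicator. That is also why the rule carries `level: low` and `falsepositives: Unknown`: each indicator on its own is common in legitimate administration and tooling scripts, so in practice you would correlate hits with the parent process, the script's origin (for example a download or a startup-folder location) and the related Yellow Cockatoo rules rather than alert on this selection alone.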
References
- https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/
Related rules
- Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
- Malicious QakBot Dropped File Creation (Sysmon)
- ISO File Write to Suspicious Folder (RedCanary Threat Detection Report)
- Potential Homoglyph Attack Using Lookalike Characters
- Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)