PowerShell Startup Folder Persistence

Yellow Cockatoo uses the Windows Startup folder for persistence. This behaviour is not unique to Yellow Cockatoo, so this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: PowerShell Startup Folder Persistence
id: 07fce851-4cab-4ea5-880c-daf9d18bb180
status: experimental
description: |
    Yellow Cockatoo uses the Windows Startup folder for persistence. Not unique to Yellow Cockatoo,
    this detection opportunity is likely to identify persistence mechanisms in multiple
    threats. In the context of Yellow Cockatoo, this persistence mechanism eventually
    launches the command-line script that leads to the installation of a malicious DLL. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        Image|endswith: '\powershell.exe'
        TargetFilename|endswith: '.lnk'
    selection2:
        TargetFilename|contains: 'start menu\programs\startup'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
```
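To make the rule's matching semantics concrete, the following added example (not part of the Sigma rule, the Red Canary report, or any Sigma tooling) evaluates the two selections and the `all of selection*` condition in plain Python over a handful of constructed file-create events. Field names follow the Sigma `file_event` schema (`Image`, `TargetFilename`), which on Windows is normally populated from Sysmon Event ID 11; the hosts, users and paths in the sample events are invented for illustration. In production you would convert the rule with pySigma or sigma-cli for your SIEM rather than hand-code it; this block only shows what the rule does and does not fire on.

```python
"""Evaluate the 'PowerShell Startup Folder Persistence' Sigma logic over sample events.

Added example, not part of the Sigma rule or the Red Canary report. The event
records below are constructed for illustration; field names follow the Sigma
file_event schema (Image, TargetFilename), which on Windows is usually fed by
Sysmon Event ID 11 (FileCreate).
"""
from typing import Dict, List

# Selection values copied from the rule. Sigma string modifiers (endswith,
# contains) are case-insensitive unless 'cased' is added, so both sides are
# lowercased before comparison. A backslash before a normal character in a
# Sigma value is a literal backslash, hence "\\powershell.exe" here.
SELECTION1_IMAGE_ENDSWITH = "\\powershell.exe"
SELECTION1_TARGET_ENDSWITH = ".lnk"
SELECTION2_TARGET_CONTAINS = "start menu\\programs\\startup"


def selection1(event: Dict[str, str]) -> bool:
    """Image ends with '\\powershell.exe' AND TargetFilename ends with '.lnk'."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(SELECTION1_IMAGE_ENDSWITH) and target.endswith(SELECTION1_TARGET_ENDSWITH)


def selection2(event: Dict[str, str]) -> bool:
    """TargetFilename contains the Startup folder path fragment (per-user or all-users)."""
    return SELECTION2_TARGET_CONTAINS in event.get("TargetFilename", "").lower()


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection*  -> every selection block must be true."""
    return selection1(event) and selection2(event)


# Constructed sample file-create events (hypothetical hosts, users and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # True positive: powershell.exe drops a .lnk into the per-user Startup folder
        "EventID": "11",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    },
    {   # Same folder, but written by explorer.exe (user pinning a shortcut) -> no match
        "EventID": "11",
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk",
    },
    {   # powershell.exe writing a .lnk outside the Startup folder -> selection2 fails
        "EventID": "11",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\Desktop\report.lnk",
    },
    {   # PowerShell writing a .ps1 (not .lnk) into the all-users Startup folder -> selection1 fails
        "EventID": "11",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.ps1",
    },
    {   # Upper-case path and pwsh.exe (PowerShell 7): the rule only lists powershell.exe -> no match
        "EventID": "11",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "TargetFilename": r"C:\USERS\ALICE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\X.LNK",
    },
]


def run_detection(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events that satisfy the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event[{idx}]: {ev['Image']} -> {ev['TargetFilename']}")
```

Only the first sample event fires. The last event shows a coverage gap worth knowing about when tuning: the rule keys on `\powershell.exe`, so the same shortcut dropped by `pwsh.exe` (PowerShell 7) is not matched even though the path comparison itself is case-insensitive; whether to add `\pwsh.exe` to `selection1` is a decision for the environment, since the rule on the page does not include it.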
