PowerShell Suspicious .NET Methods
Detects the loading of suspicious .NET methods, seen in PowerShell script load content. This behavior is not limited to Yellow Cockatoo and can be applied universally for malicious PowerShell obfuscation attempts. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: PowerShell Suspicious .NET Methods
id: 016c4ee2-ca34-474b-bfdc-43e017a29b47
status: experimental
description: |
    Detects the loading of suspicious .NET methods, seen in PowerShell script load content. This
    behavior is not limited to Yellow Cockatoo and can be applied universally for malicious
    PowerShell obfuscation attempts. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.t1574
    - attack.t1574.013
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'aescryptoserviceprovider'
            - 'frombase64string'
            - 'user32.dll'
    condition: selection
falsepositives:
    - Unknown
level: low
```
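The rule's selection is three case-insensitive substring tests on `ScriptBlockText`. The following Python is an added example, not part of the rule page or of the RedCanary or Sigma projects: it applies the same three terms to constructed Script Block Logging records (Event ID 4104). It assumes the standard 4104 fields `ScriptBlockId`, `MessageNumber` and `MessageTotal`, and uses them to reassemble long script blocks that PowerShell logs as several fragments, because a term split across a fragment boundary would otherwise be missed. All sample events and GUID-like identifiers below are constructed.

```python
"""Stand-alone check of the 'PowerShell Suspicious .NET Methods' selection
against constructed Script Block Logging (Event ID 4104) records."""

from collections import defaultdict

# Terms copied from the rule's selection. Sigma 'contains' compares
# case-insensitively, so every comparison below lower-cases the text first.
SUSPICIOUS_NET_METHODS = (
    "aescryptoserviceprovider",
    "frombase64string",
    "user32.dll",
)


def matches_rule(script_block_text: str) -> list[str]:
    """Return the selection terms present in one ScriptBlockText (empty list = no match)."""
    lowered = script_block_text.lower()
    return [term for term in SUSPICIOUS_NET_METHODS if term in lowered]


def reassemble_script_blocks(events: list[dict]) -> dict[str, str]:
    """Join 4104 fragments that share a ScriptBlockId, ordered by MessageNumber.

    PowerShell logs a long script block as several 4104 events; matching each
    fragment on its own can miss a term that straddles a fragment boundary.
    Events with another EventID are outside the ps_script logsource and skipped.
    """
    fragments = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        fragments[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {
        block_id: "".join(text for _, text in sorted(parts))
        for block_id, parts in fragments.items()
    }


def evaluate(events: list[dict]) -> dict[str, list[str]]:
    """Map ScriptBlockId -> matched terms for every reassembled block that triggers the rule."""
    hits = {}
    for block_id, text in reassemble_script_blocks(events).items():
        matched = matches_rule(text)
        if matched:
            hits[block_id] = matched
    return hits


# Constructed sample events (placeholder block ids, not real telemetry).
SAMPLE_EVENTS = [
    # Mixed-case method name: only a case-insensitive comparison catches it.
    {"EventID": 4104, "ScriptBlockId": "block-1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$bytes = [Convert]::FromBase64String($blob)"},
    # One term split across two fragments of the same block, logged out of order.
    {"EventID": 4104, "ScriptBlockId": "block-2", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "CryptoServiceProvider; $aes.Key = $k"},
    {"EventID": 4104, "ScriptBlockId": "block-2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$aes = New-Object System.Security.Cryptography.Aes"},
    # P/Invoke declaration referencing user32.dll with unusual casing.
    {"EventID": 4104, "ScriptBlockId": "block-3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": '[DllImport("USER32.dll")] public static extern bool ShowWindow(IntPtr h, int c);'},
    # Benign administration with no selection term.
    {"EventID": 4104, "ScriptBlockId": "block-4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    # Different event type; outside the rule's logsource and ignored.
    {"EventID": 4103, "ScriptBlockId": "block-5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "frombase64string"},
]


if __name__ == "__main__":
    for block_id, terms in evaluate(SAMPLE_EVENTS).items():
        print(f"{block_id}: {terms}")
```

Run against the constructed events, `block-1`, `block-2` and `block-3` each match exactly one term; `block-2` matches only because its two fragments were joined first, and `block-4` and the non-4104 record produce nothing. Since `level` is `low` and `falsepositives` is `Unknown`, the practical use of such output is enrichment or triage rather than a stand-alone alert, and legitimate scripts that decode Base64 or use AES will show up until an environment-specific allow-list is added.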
Related rules
- Files Dropped to Program Files by Non-Privileged Process
- PowerShell -encodedcommand Switch
- Base64 Encoding in CMD or Powershell
- PowerShell Base64 Encoding
- Application Bypass with DllRegisterServer Function