Possible Raspberry Robin DLL Download Using msiexec (RedCanary Threat Detection Report)
Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Possible Raspberry Robin DLL Download Using msiexec (RedCanary Threat Detection Report)
2id: 60a7350b-38b0-4f44-b2e8-e7b284516bd0
3status: experimental
4description: Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/raspberry-robin/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.command_and_control
11 - attack.t1105
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_img:
17 Image|endswith: '\msiexec.exe'
18 selection_cmd_1:
19 CommandLine|contains:
20 - 'http:'
21 - 'https:'
22 selection_cmd_2:
23 CommandLine|contains|windash: '/q'
24 condition: all of selection_*
25falsepositives:
26 - Unknown
27level: low```
References
-
Discovered by Red Canary in 2021, Raspberry Robin is an activity cluster spread by external drives that leverages Windows Installer.
Read More
Related rules
- Command Line Execution with Suspicious URL and AppData Strings
- Suspicious Desktopimgdownldr Command
- MsiExec Web Install
- PowerShell DownloadFile
- Suspicious Registry Key Added: LanmanServer Parameters