Network Connections from the Command Line with no Parameters
It is unusual for regsvr32.exe, rundll32.exe or dllhost.exe to open a network connection while running with an empty command line; that combination can indicate command and control (C2) activity. The rule is derived from the Raspberry Robin section of the Red Canary 2024 Threat Detection Report. Note what the logic needs from the log source: the network-connection event must carry the originating process's command line (EDR telemetry commonly does). Sysmon Event ID 3 has no CommandLine field, so on raw Sysmon data the "CommandLine: null" clause is true for every record and the rule degrades to "any connection from these three images". Sigma's null also means the field is absent, not that it is an empty string, so telemetry that reports a parameterless launch as CommandLine: '' will not fire this rule as written.
Sigma rule
```yaml
title: Network Connections from the Command Line with no Parameters
id: 1b49c5af-3774-4364-9c49-827fd59417cb
status: experimental
description: |
  It is unusual for these processes to attempt network connections with an empty command line,
  which can indicate malicious command and control (C2) activity. Part of the RedCanary 2024
  Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/threats/raspberry-robin/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
  - attack.command_and_control
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\regsvr32.exe'
      - '\rundll32.exe'
      - '\dllhost.exe'
    CommandLine: null
  condition: selection
falsepositives:
  - Unknown
level: low
```
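To make the matching semantics concrete, the following is an added example, not code from this page, the Sigma project or Red Canary: a small hand-written matcher that stands in for a Sigma backend and evaluates the rule's selection over a few constructed Windows network-connection events. The event dictionaries, every field other than Image and CommandLine, the helper names and the SELECTION_EMPTY variant (which the page's rule does not contain) are assumptions made for the illustration. It shows why a null clause and an empty-string clause are not interchangeable, and why a Sysmon Event ID 3 record, which never has a CommandLine field, always satisfies the null clause.

```python
"""Added example: evaluate the Sigma selection from the rule above over
constructed network-connection events. Illustration code only; it is not
pySigma and not a Red Canary tool."""

from typing import Any, Dict, List

# The selection block of the page's rule, transcribed as a Python dict.
# Sigma semantics implemented below:
#   - 'field|endswith': case-insensitive suffix match,
#   - a None value (YAML null): the field must be ABSENT from the event,
#   - list values are OR-ed, separate fields are AND-ed.
SELECTION_NULL: Dict[str, Any] = {
    "Image|endswith": ["\\regsvr32.exe", "\\rundll32.exe", "\\dllhost.exe"],
    "CommandLine": None,
}

# Hypothetical variant, NOT in the page's rule: match a present-but-empty
# CommandLine, which is how some telemetry reports "no parameters".
SELECTION_EMPTY: Dict[str, Any] = {
    "Image|endswith": ["\\regsvr32.exe", "\\rundll32.exe", "\\dllhost.exe"],
    "CommandLine": "",
}


def field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'field|modifier: value(s)' pair against one event."""
    field, _, modifier = key.partition("|")
    if modifier not in ("", "endswith"):
        raise ValueError(f"modifier not implemented here: {modifier}")
    if expected is None:
        # Sigma null: true only when the event has no such field at all.
        # A present-but-empty field does NOT satisfy it.
        return field not in event
    if field not in event:
        return False
    actual = str(event[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
    return False


def matches(event: Dict[str, Any], selection: Dict[str, Any] = SELECTION_NULL) -> bool:
    """'condition: selection' means every field clause must hold (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_detection(events: List[Dict[str, Any]],
                  selection: Dict[str, Any] = SELECTION_NULL) -> List[int]:
    """Return the ids of the events the selection fires on, in input order."""
    return [e["id"] for e in events if matches(e, selection)]


# Constructed sample events (not real telemetry). Only the fields the rule
# reads, plus an id and a destination for readability, are included.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 1: EDR-style event; the process had no command line and the field was
    #    omitted -> fires under the null clause.
    {"id": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 2: ordinary rundll32 invocation with parameters -> no match.
    {"id": 2, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 3: browser with no CommandLine field -> image not in the list.
    {"id": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 4: field present but empty string -> null clause does NOT fire,
    #    the empty-string variant does.
    {"id": 4, "Image": "C:\\Windows\\SysWOW64\\regsvr32.exe", "CommandLine": "",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # 5: mixed-case path, no CommandLine -> fires (suffix match is
    #    case-insensitive).
    {"id": 5, "Image": "c:\\windows\\system32\\DLLHOST.EXE",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    # 6: shaped like a Sysmon Event ID 3 record. Sysmon never puts CommandLine
    #    on network events, so this fires even though the real process had
    #    parameters: the caveat from the text above.
    {"id": 6, "EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "192.0.2.25", "DestinationPort": 443},
]

if __name__ == "__main__":
    print("null clause   :", run_detection(SAMPLE_EVENTS))                   # [1, 5, 6]
    print("empty variant :", run_detection(SAMPLE_EVENTS, SELECTION_EMPTY))  # [4]
```

Running the block prints the ids matched by each variant. In practice, confirm which shape your pipeline emits for a parameterless launch (field absent versus empty string) before deploying the rule, and expect event 6's behaviour on any source whose network events lack a command line.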
References
- https://redcanary.com/threat-detection-report/threats/raspberry-robin/
Related rules
- BITSAdmin Downloading Malicious Binaries
- CertUtil Downloading Malicious Binaries
- Certreq Downloading Malicious Binaries
- Operator Bring Your Own Tools
- SSH over port 443 with known Server and Client Strings