Raspberry Robin Subsequent Execution of Commands

calendar Sep 2, 2024 · attack.execution attack.t1059.001 detection.emerging-threats  ·
Share on: linkedin copy

Detects raspberry robin subsequent execution of commands.

Sigma rule (View on GitHub)

 1title: Raspberry Robin Subsequent Execution of Commands
 2id: d52d2e87-eb03-4fac-961d-eb616da79788
 3related:
 4    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
 5      type: similar
 6status: test
 7description: Detects raspberry robin subsequent execution of commands.
 8references:
 9    - https://redcanary.com/blog/raspberry-robin/
10author: '@kostastsale'
11date: 2022-05-06
12tags:
13    - attack.execution
14    - attack.t1059.001
15    - detection.emerging-threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        ParentImage|endswith: '\fodhelper.exe'
22        Image|endswith:
23            - '\rundll32.exe'
24            - '\regsvr32.exe'
25        CommandLine|contains|all:
26            - 'odbcconf.exe'
27            - 'regsvr'
28            - 'shellexec_rundll'
29        CommandLine|contains:
30            - 'installdriver'
31            - 'setfiledsndir'
32            - 'vkipdse'
33        CommandLine|endswith|windash:
34            - '/a'
35            - '/f'
36            - '/s'
37    condition: selection
38falsepositives:
39    - Unlikely
40level: high

References

Related rules

to-top