Raspberry Robin Initial Execution From External Drive

Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".

Sigma rule (View on GitHub)

 1title: Raspberry Robin Initial Execution From External Drive
 2id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
 3related:
 4    - id: d52d2e87-eb03-4fac-961d-eb616da79788
 5      type: similar
 6status: test
 7description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
 8references:
 9    - https://redcanary.com/blog/raspberry-robin/
10author: '@kostastsale'
11date: 2022-05-06
12tags:
13    - attack.execution
14    - attack.t1059.001
15    - detection.emerging-threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_parent:
21        ParentImage|endswith: '\cmd.exe'
22        ParentCommandLine|contains: '/r'
23        ParentCommandLine|endswith:
24            - '.bin'
25            - '.ico'
26            - '.lnk'
27            - '.lo'
28            - '.sv'
29            - '.usb'
30    selection_child_img:
31        Image|endswith: '\msiexec.exe'
32        CommandLine|contains|windash: '/q'
33    selection_child_http:
34        CommandLine|contains:
35            - 'http:'
36            - 'https:'
37    condition: all of selection_*
38falsepositives:
39    - Unlikely
40level: high

References

Related rules

to-top