Raspberry Robin Initial Execution From External Drive
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
Sigma rule (View on GitHub)
1title: Raspberry Robin Initial Execution From External Drive
2id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
3related:
4 - id: d52d2e87-eb03-4fac-961d-eb616da79788
5 type: similar
6status: test
7description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
8references:
9 - https://redcanary.com/blog/raspberry-robin/
10author: '@kostastsale'
11date: 2022-05-06
12tags:
13 - attack.execution
14 - attack.t1059.001
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_parent:
21 ParentImage|endswith: '\cmd.exe'
22 ParentCommandLine|contains: '/r'
23 ParentCommandLine|endswith:
24 - '.bin'
25 - '.ico'
26 - '.lnk'
27 - '.lo'
28 - '.sv'
29 - '.usb'
30 selection_child_img:
31 Image|endswith: '\msiexec.exe'
32 CommandLine|contains|windash: '/q'
33 selection_child_http:
34 CommandLine|contains:
35 - 'http:'
36 - 'https:'
37 condition: all of selection_*
38falsepositives:
39 - Unlikely
40level: high
References
Related rules
- ChromeLoader Malware Execution
- Raspberry Robin Subsequent Execution of Commands
- FakeUpdates/SocGholish Activity
- Exploited CVE-2020-10189 Zoho ManageEngine
- Greenbug Espionage Group Indicators