Potential Raspberry Robin Dot Ending File
Detects a command line containing a reference to a file whose name ends with a "." This scheme has been seen used by Raspberry Robin.
Sigma rule

```yaml
title: Potential Raspberry Robin Dot Ending File
id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
status: test
description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
author: Nasreddine Bencherchali (Nextron Systems)
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
date: 2022/10/28
modified: 2023/02/05
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
        # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
        # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
        CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation
    condition: selection
falsepositives:
    - Unknown
level: high
```
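To see how the selection behaves on command lines, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that runs the rule's regex over constructed process_creation events. The end-of-line variant and all sample command lines are assumptions made for illustration; the variant exists only to show why the rule ends on a space or quote rather than end-of-line.

```python
import re

# Regex copied verbatim from the rule's CommandLine|re selector. Sigma's re
# modifier is an unanchored, case-sensitive search, which re.search mirrors.
DOT_ENDING_FILE = re.compile(r'\\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "\']{1}')

# Hypothetical variant (not in the rule) that also accepts end-of-line. It is
# here only to show the BIND-style trailing-dot FQDN false positive that the
# rule's inline comment says it deliberately avoids.
DOT_ENDING_FILE_EOL = re.compile(r'\\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.(?:[ "\']|$)')


def matches(command_line, pattern=DOT_ENDING_FILE):
    """True when the command line references a file whose name ends with '.'."""
    return pattern.search(command_line) is not None


def apply_rule(events, pattern=DOT_ENDING_FILE):
    """Evaluate the selection over process_creation-style events and return the
    ids of the events that would raise this rule."""
    return [e["id"] for e in events if matches(e["CommandLine"], pattern)]


# Constructed process_creation samples; none are taken from the referenced write-up.
SAMPLE_EVENTS = [
    # File name ends with "." and is followed by a quote: fires.
    {"id": 1, "CommandLine": r'explorer.exe "C:\Users\Public\abc123.xyz."'},
    # File name ends with "." and is followed by a space: fires.
    {"id": 2, "CommandLine": r"cmd.exe /c C:\Temp\pkg01.tmp. "},
    # Ordinary path with a single extension: no match.
    {"id": 3, "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
    # Trailing-dot FQDN (BIND notation) at end of line: the rule's pattern
    # does not fire, the end-of-line variant does.
    {"id": 4, "CommandLine": r"net view \\ns1.corp."},
    # Two dots but the name does not end with ".": no match.
    {"id": 5, "CommandLine": r"powershell.exe -File C:\Scripts\build.ps1.bak"},
]

if __name__ == "__main__":
    print("rule pattern fires on:", apply_rule(SAMPLE_EVENTS))  # [1, 2]
    print("end-of-line variant fires on:",
          apply_rule(SAMPLE_EVENTS, DOT_ENDING_FILE_EOL))  # [1, 2, 4]
```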
Related rules
- Potential CVE-2022-29072 Exploitation Attempt
- Potential CVE-2022-26809 Exploitation Attempt
- Potential Exploitation Attempt From Office Application
- Mint Sandstorm - Log4J Wstomcat Process Execution
- Potential APT FIN7 POWERHOLD Execution