Potential Raspberry Robin Dot Ending File
Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
Sigma rule (View on GitHub)
1title: Potential Raspberry Robin Dot Ending File
2id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
3status: test
4description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
5author: Nasreddine Bencherchali (Nextron Systems)
6references:
7 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
8date: 2022-10-28
9modified: 2023-02-05
10tags:
11 - attack.execution
12 - detection.emerging-threats
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
19 # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
20 # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
21 CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread.
Read More
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access