Potential Raspberry Robin CPL Execution Activity
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
Sigma rule
```yaml
title: Potential Raspberry Robin CPL Execution Activity
id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
status: experimental
description: |
    Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
    This behavior was observed in multiple Raspberry-Robin variants.
references:
    - https://tria.ge/240226-fhbe7sdc39/behavioral1
    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-03-07
tags:
    - detection.emerging-threats
    - attack.defense-evasion
    - attack.execution
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    # Example: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\xxxx\AppData\Local\Temp\xxxx.CPL"
    selection_parent_img:
        ParentImage|endswith:
            - '\rundll32.exe'
            - '\control.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'shell32.dll'
            - 'Control_RunDLL'
            - '.CPL'
    selection_path:
        CommandLine|contains: '\AppData\Local\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
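To show how the four selections combine, here is an added Python evaluation of the rule's logic (not part of the SigmaHQ rule or its test suite) run over two constructed process_creation events: one mirroring the commented example command line, and one where the same rundll32/Control_RunDLL chain loads a built-in applet from System32, which the `selection_path` clause is there to exclude. String comparisons are case-insensitive, matching Sigma's default modifier behaviour; the field names follow the Sigma Windows process_creation schema.

```python
# Added example: evaluates the rule's selections over constructed events.
# Sigma string modifiers (contains/endswith) are case-insensitive by default,
# so every comparison lowercases both sides.

def _lower(v):
    return (v or "").lower()

def selection_parent_img(ev):
    return _lower(ev.get("ParentImage")).endswith(("\\rundll32.exe", "\\control.exe"))

def selection_img(ev):
    # A list of maps in Sigma is OR-ed: either entry satisfies the selection.
    return (_lower(ev.get("Image")).endswith("\\rundll32.exe")
            or _lower(ev.get("OriginalFileName")) == "rundll32.exe")

def selection_cli(ev):
    cli = _lower(ev.get("CommandLine"))
    return all(s in cli for s in ("shell32.dll", "control_rundll", ".cpl"))

def selection_path(ev):
    return "\\appdata\\local\\temp\\" in _lower(ev.get("CommandLine"))

def matches(ev):
    """condition: all of selection_*"""
    return all(f(ev) for f in (selection_parent_img, selection_img,
                               selection_cli, selection_path))

def evaluate(events):
    """Return the subset of events the rule would alert on."""
    return [ev for ev in events if matches(ev)]

# Constructed sample event shaped like the rule's commented example.
SUSPICIOUS = {
    "ParentImage": r"C:\Windows\System32\control.exe",
    "Image": r"C:\Windows\System32\rundll32.exe",
    "OriginalFileName": "RUNDLL32.EXE",
    "CommandLine": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\abcd.cpl"',
}
# Constructed benign event: same loader chain, but a built-in applet from
# System32 rather than the user temp directory, so selection_path fails.
BENIGN_APPLET = {
    "ParentImage": r"C:\Windows\System32\control.exe",
    "Image": r"C:\Windows\System32\rundll32.exe",
    "OriginalFileName": "RUNDLL32.EXE",
    "CommandLine": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\intl.cpl",,0',
}

if __name__ == "__main__":
    for ev in evaluate([SUSPICIOUS, BENIGN_APPLET]):
        print("ALERT:", ev["CommandLine"])
```

The benign event satisfies `selection_cli` on its own, which is why the temp-path clause carries the rule's precision; widening or dropping it is where tuning against the listed "Unknown" false positives would start.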
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- Potential Bumblebee Remote Thread Creation
- Sofacy Trojan Loader Activity
- ZxShell Malware