Potential Raspberry Robin Registry Set Internet Settings ZoneMap
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures: if any proxy setting is blocking its connections, changing the Internet Settings ZoneMap values lets it reach its Command and Control servers unhindered and keep control over compromised systems.
Sigma rule
title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
status: experimental
description: |
    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
    Raspberry Robin may alter proxy settings to circumvent security measures: if any proxy setting is blocking its connections, changing these values lets it reach its Command and Control servers unhindered and keep control over compromised systems.
references:
    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
    - detection.emerging-threats
    - attack.t1112
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
detection:
    selection_registry_image:
        - Image|contains:
              - '\AppData\Local\Temp\'
              - '\Downloads\'
              - '\Users\Public\'
              - '\Windows\Temp\'
        - Image|endswith: '\control.exe'
    selection_registry_object:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
    selection_value_enable:
        TargetObject|endswith:
            - '\IntranetName'
            - '\ProxyByPass'
            - '\UNCAsIntranet'
        Details|contains: 'DWORD (0x00000001)'
    selection_value_disable:
        TargetObject|endswith: '\AutoDetect'
        Details|contains: 'DWORD (0x00000000)'
    condition: all of selection_registry_* and 1 of selection_value_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
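To show how the rule's condition (`all of selection_registry_*` AND `1 of selection_value_*`) evaluates against registry_set telemetry, here is an added Python example that is not part of the rule or the Sigma project. It assumes Sysmon Event ID 13 fields (`Image`, `TargetObject`, `Details`) presented as dictionaries, applies Sigma's default case-insensitive string matching, and runs over constructed sample events rather than real captures.

```python
"""Evaluate the ZoneMap Sigma rule logic over constructed Sysmon registry_set events."""

# Selection strings taken from the rule above; matched case-insensitively, as Sigma does by default.
SUSPICIOUS_IMAGE_DIRS = ('\\AppData\\Local\\Temp\\', '\\Downloads\\', '\\Users\\Public\\', '\\Windows\\Temp\\')
ZONEMAP_PREFIX = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\'
ENABLE_VALUES = ('\\IntranetName', '\\ProxyByPass', '\\UNCAsIntranet')


def selection_registry_image(ev):
    """Image launched from a user-writable staging directory, or control.exe."""
    image = ev.get('Image', '').lower()
    return any(d.lower() in image for d in SUSPICIOUS_IMAGE_DIRS) or image.endswith('\\control.exe')


def selection_registry_object(ev):
    """Target value sits below the Internet Settings ZoneMap key (HKLM or HKU hive)."""
    return ZONEMAP_PREFIX.lower() in ev.get('TargetObject', '').lower()


def selection_value_enable(ev):
    """IntranetName / ProxyByPass / UNCAsIntranet set to 1 (Sysmon renders DWORDs as 'DWORD (0x...)')."""
    target = ev.get('TargetObject', '').lower()
    return target.endswith(tuple(v.lower() for v in ENABLE_VALUES)) and 'DWORD (0x00000001)' in ev.get('Details', '')


def selection_value_disable(ev):
    """AutoDetect set to 0, i.e. automatic proxy detection switched off."""
    return ev.get('TargetObject', '').lower().endswith('\\autodetect') and 'DWORD (0x00000000)' in ev.get('Details', '')


def matches(ev):
    """condition: all of selection_registry_* and 1 of selection_value_*"""
    return (selection_registry_image(ev) and selection_registry_object(ev)
            and (selection_value_enable(ev) or selection_value_disable(ev)))


def evaluate(events):
    """Return the indices of events that would fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events (hypothetical paths and SID; not real telemetry).
ZM = '\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\'
SAMPLE_EVENTS = [
    {'Image': 'C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe', 'TargetObject': 'HKU\\S-1-5-21-1-2-3-1001' + ZM + 'ProxyByPass', 'Details': 'DWORD (0x00000001)'},
    {'Image': 'C:\\Windows\\System32\\control.exe', 'TargetObject': 'HKU\\S-1-5-21-1-2-3-1001' + ZM + 'AutoDetect', 'Details': 'DWORD (0x00000000)'},
    {'Image': 'C:\\Program Files\\Vendor\\agent.exe', 'TargetObject': 'HKU\\S-1-5-21-1-2-3-1001' + ZM + 'ProxyByPass', 'Details': 'DWORD (0x00000001)'},  # trusted image path
    {'Image': 'C:\\Users\\alice\\Downloads\\tool.exe', 'TargetObject': 'HKU\\S-1-5-21-1-2-3-1001' + ZM + 'ProxyByPass', 'Details': 'DWORD (0x00000000)'},  # value cleared, not set
]

if __name__ == '__main__':
    print('matching events:', evaluate(SAMPLE_EVENTS))  # -> [0, 1]
```

The third and fourth samples show the two halves of the condition failing independently: a ZoneMap write from an image outside the staging directories, and a staging-directory image that clears rather than sets the value.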
Related rules
- OceanLotus Registry Activity
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System