Suspicious Network Connection Binary No CommandLine
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
Sigma rule:

```yaml
title: Suspicious Network Connection Binary No CommandLine
id: 20384606-a124-4fec-acbb-8bd373728613
status: test
description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
references:
    - https://redcanary.com/blog/raspberry-robin/
author: Florian Roth (Nextron Systems)
date: 2022-07-03
tags:
    - attack.defense-evasion
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\dllhost.exe'
        CommandLine|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\dllhost.exe'
    filter_no_cmdline:
        CommandLine: ''
    filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
        CommandLine: null
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high
```
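The evaluator below is an added example, not code from SigmaHQ or from this page: it encodes the rule's `selection and not 1 of filter*` logic in plain Python and runs it over a handful of constructed Sysmon-style network-connection events. Field names (`Initiated`, `Image`, `CommandLine`) are the rule's own; the record numbers, paths and TEST-NET destination addresses are invented for illustration, as is the assumption that a collector has joined a `CommandLine` value onto some of the events.

```python
# Added example (not SigmaHQ's or the page's own code): a minimal evaluator for the
# "Suspicious Network Connection Binary No CommandLine" rule, run over constructed
# Sysmon-style network-connection events. Sample values (record numbers, paths,
# TEST-NET addresses) are invented for illustration.

# Suffixes shared by the Image|endswith and CommandLine|endswith selectors.
BINARIES = ("\\regsvr32.exe", "\\rundll32.exe", "\\dllhost.exe")


def _endswith_any(value: str, suffixes) -> bool:
    """Sigma string modifiers match case-insensitively by default."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter*' for a single event."""
    # selection: an outbound (initiated) connection ...
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    # ... by one of the three listed binaries ...
    image = event.get("Image")
    if not isinstance(image, str) or not _endswith_any(image, BINARIES):
        return False
    cmdline = event.get("CommandLine")
    # filter_null: the field is absent or null (Sysmon event ID 3 carries no
    # CommandLine), so the rule stays silent instead of firing on every
    # network event from these binaries.
    if cmdline is None:
        return False
    # filter_no_cmdline: an empty string is suppressed the same way.
    if cmdline == "":
        return False
    # ... whose command line ends in the bare binary name, i.e. no arguments.
    return _endswith_any(cmdline, BINARIES)


def find_alerts(events) -> list:
    """Return the RecordNumbers of the events that trigger the rule."""
    return [e["RecordNumber"] for e in events if matches_rule(e)]


# Constructed sample events (Sysmon event ID 3 style; CommandLine is present
# only where an enriching collector would have supplied it).
SAMPLE_EVENTS = [
    {   # 1: rundll32 with no arguments connecting outbound -> alerts
        "RecordNumber": 1, "EventID": 3, "Initiated": "true",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "C:\\Windows\\System32\\rundll32.exe",
        "DestinationIp": "203.0.113.10", "DestinationPort": 443,
    },
    {   # 2: regsvr32 with real arguments -> CommandLine does not end in the binary name
        "RecordNumber": 2, "EventID": 3, "Initiated": "true",
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\lib.dll\"",
        "DestinationIp": "203.0.113.11", "DestinationPort": 443,
    },
    {   # 3: raw Sysmon EID 3 with no CommandLine field -> filter_null suppresses
        "RecordNumber": 3, "EventID": 3, "Initiated": "true",
        "Image": "C:\\Windows\\System32\\dllhost.exe",
        "DestinationIp": "203.0.113.12", "DestinationPort": 80,
    },
    {   # 4: inbound connection -> Initiated is false, selection fails
        "RecordNumber": 4, "EventID": 3, "Initiated": "false",
        "Image": "C:\\Windows\\System32\\dllhost.exe",
        "CommandLine": "C:\\Windows\\System32\\dllhost.exe",
        "DestinationIp": "198.51.100.7", "DestinationPort": 135,
    },
    {   # 5: empty CommandLine string -> filter_no_cmdline suppresses
        "RecordNumber": 5, "EventID": 3, "Initiated": "true",
        "Image": "C:\\WINDOWS\\SYSTEM32\\REGSVR32.EXE",
        "CommandLine": "",
        "DestinationIp": "203.0.113.13", "DestinationPort": 8080,
    },
    {   # 6: uppercase path, bare command line -> alerts (matching is case-insensitive)
        "RecordNumber": 6, "EventID": 3, "Initiated": "true",
        "Image": "C:\\WINDOWS\\SYSTEM32\\REGSVR32.EXE",
        "CommandLine": "C:\\WINDOWS\\SYSTEM32\\REGSVR32.EXE",
        "DestinationIp": "203.0.113.14", "DestinationPort": 443,
    },
    {   # 7: a binary the rule does not cover -> no match
        "RecordNumber": 7, "EventID": 3, "Initiated": "true",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "C:\\Windows\\System32\\svchost.exe",
        "DestinationIp": "203.0.113.15", "DestinationPort": 443,
    },
]

if __name__ == "__main__":
    print("alerting records:", find_alerts(SAMPLE_EVENTS))  # [1, 6]
```

Two points the sample set makes explicit: the rule only has teeth where the `network_connection` source actually carries a `CommandLine` value (record 3 shows why the `filter_null` comment matters for plain Sysmon event ID 3), and `endswith` is a literal suffix match, so a command line whose path is wrapped in quotes ends in `"` rather than `\rundll32.exe` and would not be selected as the rule is written.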