Suspicious Network Connection Binary No CommandLine

Detects suspicious network connections made by a well-known Windows binary run with no command line parameters

Sigma rule

title: Suspicious Network Connection Binary No CommandLine
id: 20384606-a124-4fec-acbb-8bd373728613
status: test
description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
references:
    - https://redcanary.com/blog/raspberry-robin/
author: Florian Roth (Nextron Systems)
date: 2022/07/03
tags:
    - attack.defense_evasion
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\dllhost.exe'
        CommandLine|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\dllhost.exe'
    filter_no_cmdline:
        CommandLine: ''
    filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
        CommandLine: null
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high
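To make the detection logic concrete, here is an added Python evaluation of the rule above against a handful of constructed network_connection events. This is example code written for this page, not part of the Sigma project or its tooling; the event dictionaries, the destination IPs and the helper names (`matches_rule`, `flag_events`) are all assumptions. It reproduces the rule's semantics as written: Sigma string modifiers match case-insensitively, `selection` requires both `Image` and `CommandLine` to end with one of the three binaries, and the two `filter*` branches drop events whose `CommandLine` is empty or absent (the Sysmon event ID 3 case noted in the rule's comment).

```python
"""Evaluate the 'Suspicious Network Connection Binary No CommandLine' Sigma rule
against constructed Windows network_connection events (added example, not Sigma code)."""

# The three binaries listed in the rule's Image|endswith / CommandLine|endswith lists.
SUSPECT_BINARIES = ("\\regsvr32.exe", "\\rundll32.exe", "\\dllhost.exe")


def ends_with_any(value, suffixes):
    """Sigma's 'endswith' modifier: case-insensitive literal suffix match."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """Return True when the event satisfies: selection and not 1 of filter*."""
    # selection: outbound connection, Image and CommandLine both end with a listed binary.
    initiated = str(event.get("Initiated", "")).lower() == "true"
    image_ok = ends_with_any(str(event.get("Image", "")), SUSPECT_BINARIES)
    cmdline = event.get("CommandLine")  # None when the field is absent (e.g. Sysmon EID 3)
    cmdline_ok = cmdline is not None and ends_with_any(cmdline, SUSPECT_BINARIES)
    selection = initiated and image_ok and cmdline_ok

    # filter_no_cmdline: CommandLine present but empty.
    # filter_null: CommandLine field missing from the event entirely.
    filter_no_cmdline = cmdline == ""
    filter_null = cmdline is None

    return selection and not (filter_no_cmdline or filter_null)


def flag_events(events):
    """Return the indices of all events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (documentation-range IPs, hypothetical hosts).
SAMPLE_EVENTS = [
    # 0: regsvr32.exe launched with no arguments, outbound connection -> should alert
    {"Initiated": "true", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "C:\\Windows\\System32\\regsvr32.exe", "DestinationIp": "203.0.113.10"},
    # 1: rundll32.exe with a real argument -> not "no command line", no alert
    {"Initiated": "true", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "DestinationIp": "203.0.113.11"},
    # 2: Sysmon EID 3 style record: no CommandLine field at all -> filter_null, no alert
    {"Initiated": "true", "Image": "C:\\Windows\\System32\\dllhost.exe",
     "DestinationIp": "203.0.113.12"},
    # 3: inbound (Initiated=false) -> selection fails, no alert
    {"Initiated": "false", "Image": "C:\\Windows\\System32\\dllhost.exe",
     "CommandLine": "C:\\Windows\\System32\\dllhost.exe", "DestinationIp": "203.0.113.13"},
    # 4: empty CommandLine string -> filter_no_cmdline, no alert
    {"Initiated": "true", "Image": "C:\\Windows\\System32\\dllhost.exe",
     "CommandLine": "", "DestinationIp": "203.0.113.14"},
    # 5: same binary, but the command line is quoted, so it ends with '"' -> endswith misses it
    {"Initiated": "true", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "\"C:\\Windows\\System32\\regsvr32.exe\"", "DestinationIp": "203.0.113.15"},
]


if __name__ == "__main__":
    for idx in flag_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {ev['Image']} -> {ev['DestinationIp']}")
```

Two things worth noticing when running this. First, with `selection` requiring `CommandLine|endswith` to match, an empty or absent `CommandLine` can never satisfy the selection on its own, so the two filters act as an explicit guard for backends that treat a missing field differently rather than as the primary exclusion. Second, event 5 shows a false-negative edge: a command line recorded with surrounding quotes ends in `"`, not `\regsvr32.exe`, so a literal `endswith` does not match it; if your telemetry records quoted paths, extend the pattern list accordingly.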
