Raspberry Robin subsequent execution of commands
Detects raspberry robin subsequent execution of commands from
Sigma rule:

title: Raspberry Robin subsequent execution of commands
id: d52d2e87-eb03-4fac-961d-eb616da79788
description: Detects raspberry robin subsequent execution of commands from
status: experimental
date: 2022/05/06
author: '@kostastsale'
references:
  - https://redcanary.com/blog/raspberry-robin/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '*\fodhelper.exe'
    Image|endswith:
      - '*\rundll32.exe'
      - '*\regsvr32.exe'
    CommandLine|contains|all:
      - 'shellexec_rundll'
      - 'regsvr'
      - 'odbcconf.exe'
  selection2:
    CommandLine|endswith:
      - '-a'
      - '/a'
      - '-f'
      - '/f'
      - '-s'
      - '/s'
  selection3:
    CommandLine|contains:
      - 'vkipdse'
      - 'setfiledsndir'
      - 'installdriver'
  condition: selection1 and selection2 and selection3
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.001
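To show how the three selections combine, here is an added Python evaluation of the rule above against a few constructed process_creation events; it is not Sigma's engine (which you would normally run through sigma-cli or a SIEM backend) and simply copies the rule's values in by hand. It assumes Sigma's default case-insensitive string matching and drops the leading '*' from '*\fodhelper.exe', which is redundant under endswith.

```python
# Added example: hand-rolled evaluation of the rule above (not Sigma's engine).
# Rule values copied in by hand; comparisons are case-insensitive, as in Sigma.
PARENT_ENDSWITH = ("\\fodhelper.exe",)  # leading '*' dropped: redundant under endswith
IMAGE_ENDSWITH = ("\\rundll32.exe", "\\regsvr32.exe")
CMD_CONTAINS_ALL = ("shellexec_rundll", "regsvr", "odbcconf.exe")
CMD_ENDSWITH = ("-a", "/a", "-f", "/f", "-s", "/s")
CMD_CONTAINS_ANY = ("vkipdse", "setfiledsndir", "installdriver")

def _endswith(value, suffixes):
    """Sigma 'endswith' list: any listed suffix may match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains(value, needles, require_all=False):
    """Sigma 'contains' (any needle) or 'contains|all' (every needle)."""
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if require_all else any(hits)

def matches(ev):
    """Evaluates 'condition: selection1 and selection2 and selection3'."""
    cmd = ev.get("CommandLine", "")
    sel1 = (_endswith(ev.get("ParentImage", ""), PARENT_ENDSWITH)
            and _endswith(ev.get("Image", ""), IMAGE_ENDSWITH)
            and _contains(cmd, CMD_CONTAINS_ALL, require_all=True))
    sel2 = _endswith(cmd, CMD_ENDSWITH)
    sel3 = _contains(cmd, CMD_CONTAINS_ANY)
    return sel1 and sel2 and sel3

def evaluate(events):
    """Returns the indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]

# Constructed sample events (not real telemetry); only the first should fire.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\fodhelper.exe",  # all three selections hold
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe SHELL32.DLL,ShellExec_RunDLL regsvr32.exe /s '
                    '"C:\\Temp\\odbcconf.exe" INSTALLDRIVER -a'},
    {"ParentImage": "C:\\Windows\\System32\\fodhelper.exe",  # benign-looking rundll32 use
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"ParentImage": "C:\\Windows\\explorer.exe",  # wrong parent: selection1 fails
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s shellexec_rundll odbcconf.exe setfiledsndir /f"},
]

print("events firing the rule:", evaluate(SAMPLE_EVENTS))  # -> [0]
```

The third event satisfies selection2 and selection3 but not the fodhelper.exe parent, so the AND condition keeps it from firing.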
Related rules
- ChromeLoader Malware Detection
- FakeUpdates/SocGholish Malware Detection
- Raspberry Robin initial execution from external drive
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- Detecting Ammy Admin RMM Agent Execution