Raspberry Robin subsequent execution of commands

Detects raspberry robin subsequent execution of commands from

Sigma rule

title: Raspberry Robin subsequent execution of commands
description: Detects raspberry robin subsequent execution of commands from
status: experimental
date: 2022/05/06
author: '@kostastsale'
references:
    - https://redcanary.com/blog/raspberry-robin/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '*\fodhelper.exe'
        Image|endswith:
            - '*\rundll32.exe'
            - '*\regsvr32.exe'
        CommandLine|contains|all:
            - 'shellexec_rundll'
            - 'regsvr'
            - 'odbcconf.exe'
    selection2:
        CommandLine|endswith:
            - '-a'
            - '/a'
            - '-f'
            - '/f'
            - '-s'
            - '/s'
    selection3:
        CommandLine|contains:
            - 'vkipdse'
            - 'setfiledsndir'
            - 'installdriver'
    condition: selection1 and selection2 and selection3
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
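As an added example, not part of the rule or of the SigmaHQ project: the three selections above re-implemented as a Python predicate and run over constructed process_creation events, so the AND between the selections can be checked before the rule is deployed. Field names follow Sigma's process_creation log source; the command lines are made-up strings assembled only from the rule's own tokens, not real telemetry.

```python
# Values copied from the rule above. Sigma matching is case-insensitive, a list
# under one modifier is OR'ed, '|contains|all' needs every value, and the
# leading '*' in the rule's endswith values is redundant.
PARENT_ENDSWITH = ["\\fodhelper.exe"]
IMAGE_ENDSWITH = ["\\rundll32.exe", "\\regsvr32.exe"]
CMD_CONTAINS_ALL = ["shellexec_rundll", "regsvr", "odbcconf.exe"]
CMD_ENDSWITH = ["-a", "/a", "-f", "/f", "-s", "/s"]
CMD_CONTAINS_ANY = ["vkipdse", "setfiledsndir", "installdriver"]

def _endswith_any(value: str, suffixes: list[str]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains(value: str, needles: list[str], require_all: bool) -> bool:
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if require_all else any(hits)

def matches_rule(event: dict[str, str]) -> bool:
    """Evaluates 'condition: selection1 and selection2 and selection3'."""
    parent, image = event.get("ParentImage", ""), event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection1 = (_endswith_any(parent, PARENT_ENDSWITH)
                  and _endswith_any(image, IMAGE_ENDSWITH)
                  and _contains(cmd, CMD_CONTAINS_ALL, require_all=True))
    selection2 = _endswith_any(cmd, CMD_ENDSWITH)
    selection3 = _contains(cmd, CMD_CONTAINS_ANY, require_all=False)
    return selection1 and selection2 and selection3

# Constructed process_creation events (not real telemetry) to exercise the rule.
SAMPLE_EVENTS = [
    {  # all three selections satisfied -> alert
        "ParentImage": r"C:\Windows\System32\fodhelper.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": 'rundll32 shell32,ShellExec_RunDLL odbcconf.exe /a {REGSVR "x.tmp"} installdriver -s',
    },
    {  # selection1 and selection2 hold, selection3 does not -> no alert
        "ParentImage": r"C:\Windows\System32\fodhelper.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": "regsvr32 shellexec_rundll odbcconf.exe -a",
    },
    {  # benign installer use of odbcconf; parent and image do not match
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\odbcconf.exe",
        "CommandLine": "odbcconf.exe /a {INSTALLDRIVER constructed} /s",
    },
]

def alerting_indexes(events: list[dict[str, str]]) -> list[int]:
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Only the first constructed event fires; the second shows that selection1 and selection2 alone are not enough, which is what keeps the rule's false-positive rate at "Unlikely".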
