Raspberry Robin subsequent execution of commands
Detects raspberry robin subsequent execution of commands from
Sigma rule
```yaml
title: Raspberry Robin subsequent execution of commands
description: Detects raspberry robin subsequent execution of commands from
status: experimental
date: 2022/05/06
author: '@kostastsale'   # quoted: a bare '@' is a reserved indicator in YAML
references:
    - https://redcanary.com/blog/raspberry-robin/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # fodhelper.exe (the UAC-bypass stage) spawning rundll32/regsvr32, whose
        # command line chains ShellExec_RunDLL -> odbcconf.exe with a regsvr action.
        # The leading '*' the original values carried is redundant with the
        # endswith modifier, which already anchors the suffix; matching is unchanged.
        ParentImage|endswith: '\fodhelper.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains|all:
            - 'shellexec_rundll'
            - 'regsvr'
            - 'odbcconf.exe'
    selection2:
        # the command line ends with an odbcconf switch (-a/-f/-s or /a//f//s);
        # any trailing argument or whitespace after the switch breaks this anchor
        CommandLine|endswith:
            - '-a'
            - '/a'
            - '-f'
            - '/f'
            - '-s'
            - '/s'
    selection3:
        # odbcconf action/argument strings observed in the chain
        CommandLine|contains:
            - 'vkipdse'
            - 'setfiledsndir'
            - 'installdriver'
    condition: selection1 and selection2 and selection3
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    # T1059.001 is PowerShell; the binaries this rule keys on (rundll32,
    # regsvr32, odbcconf) map to the T1218 signed-binary proxy sub-techniques,
    # and the fodhelper parent to T1548.002 (UAC bypass). Kept as authored.
    - attack.T1059.001
```
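The rule's three selections evaluated over process_creation events, as an added example in Python (not code from the Sigma project or from this rule's author): it implements the `endswith`, `contains` and `contains|all` modifiers case-insensitively, as Sigma matches strings, joins them with the rule's `and` condition, and runs the result over four constructed events. The events are built to exercise the logic (one satisfies every selection, the other three each fail exactly one) and are not real Raspberry Robin telemetry; field names follow the rule's Sigma field names.

```python
"""Evaluate the Raspberry Robin 'subsequent execution' Sigma logic over
constructed process_creation events (added example, not part of the Sigma rule).

Assumptions: events are dicts keyed by the Sigma field names the rule uses
(ParentImage, Image, CommandLine); string matching is case-insensitive, as in Sigma.
"""


def _norm(value):
    return (value or "").lower()


def endswith_any(value, suffixes):
    """Sigma 'endswith' with a list of values: any suffix may match."""
    v = _norm(value)
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value, needles):
    """Sigma 'contains' with a list of values: any substring may match."""
    v = _norm(value)
    return any(n.lower() in v for n in needles)


def contains_all(value, needles):
    """Sigma 'contains|all': every substring must be present."""
    v = _norm(value)
    return all(n.lower() in v for n in needles)


def selection1(ev):
    # fodhelper.exe parent, rundll32/regsvr32 child, ShellExec_RunDLL -> odbcconf regsvr chain
    return (endswith_any(ev.get("ParentImage"), ["\\fodhelper.exe"])
            and endswith_any(ev.get("Image"), ["\\rundll32.exe", "\\regsvr32.exe"])
            and contains_all(ev.get("CommandLine"),
                             ["shellexec_rundll", "regsvr", "odbcconf.exe"]))


def selection2(ev):
    # command line ends with an odbcconf switch
    return endswith_any(ev.get("CommandLine"), ["-a", "/a", "-f", "/f", "-s", "/s"])


def selection3(ev):
    # odbcconf action/argument strings from the rule
    return contains_any(ev.get("CommandLine"), ["vkipdse", "setfiledsndir", "installdriver"])


def matches(ev):
    """condition: selection1 and selection2 and selection3"""
    return selection1(ev) and selection2(ev) and selection3(ev)


# Constructed sample events (not real telemetry). Event 0 is built to satisfy
# every selection; events 1-3 each break exactly one of them.
SAMPLE_EVENTS = [
    {   # true positive: fodhelper -> rundll32 ShellExec_RunDLL -> odbcconf with regsvr action
        "ParentImage": r"C:\Windows\System32\fodhelper.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe SHELL32.DLL,ShellExec_RunDLL odbcconf.exe '
                       r'-a {INSTALLDRIVER "x"} -a {REGSVR C:\Users\Public\upd.dll} /s',
    },
    {   # parent is not fodhelper.exe -> selection1 fails
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe SHELL32.DLL,ShellExec_RunDLL odbcconf.exe '
                       r'-a {INSTALLDRIVER "x"} -a {REGSVR C:\Users\Public\upd.dll} /s',
    },
    {   # none of the selection3 action strings present -> selection3 fails
        "ParentImage": r"C:\Windows\System32\fodhelper.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe SHELL32.DLL,ShellExec_RunDLL odbcconf.exe '
                       r'-a {REGSVR C:\Users\Public\upd.dll} /s',
    },
    {   # command line does not end with an odbcconf switch -> selection2 fails
        "ParentImage": r"C:\Windows\System32\fodhelper.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe SHELL32.DLL,ShellExec_RunDLL odbcconf.exe '
                       r'-a {REGSVR C:\Users\Public\upd.dll} -a {INSTALLDRIVER "x"}',
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run_detection():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 3 is the one to keep in mind when tuning: it is the same chain as event 0 with the switch order changed, and the `CommandLine|endswith` anchor in selection2 silently misses it. Anchoring on a trailing switch is brittle against argument reordering or trailing whitespace, so in production this selection is the first candidate to relax or to pair with a parent/child check that does not depend on argument position.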
Related rules
- Raspberry Robin initial execution from external drive
- ChromeLoader Malware Detection
- Emotet loader execution via .lnk file