Raspberry Robin initial execution from external drive

Detects execution from the external drive using cmd

Sigma rule

title: Raspberry Robin initial execution from external drive
description: Detects execution from the external drive using cmd
status: experimental
date: 2022/05/06
author: '@kostastsale'
references:
    - https://redcanary.com/blog/raspberry-robin/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '*\cmd.exe'
        ParentCommandLine|contains:
            - '/r'
        Image|endswith:
            - '*\msiexec.exe'
        CommandLine|contains:
            - '/q'
            - '-q'
    selection2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
        ParentCommandLine|endswith:
            - '.usb'
            - '.ico'
            - '.lnk'
            - '.bin'
            - '.sv'
            - '.lo'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
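To see how the two selections combine on real-looking telemetry, the following is an added Python evaluator (not part of the rule or the SigmaHQ project) that implements only the `contains` and `endswith` modifiers this rule uses, with Sigma's default case-insensitive matching, and runs the `selection1 and selection2` condition over two constructed process_creation events; the drive letters, paths and URL are placeholders.

```python
RULE = {  # the two selections from the rule above, keyed "field|modifier"
    "selection1": {
        "ParentImage|endswith": ["*\\cmd.exe"],
        "ParentCommandLine|contains": ["/r"],
        "Image|endswith": ["*\\msiexec.exe"],
        "CommandLine|contains": ["/q", "-q"],
    },
    "selection2": {
        "CommandLine|contains": ["http:", "https:"],
        "ParentCommandLine|endswith": [".usb", ".ico", ".lnk", ".bin", ".sv", ".lo"],
    },
}

def value_matches(modifier, value, pattern):
    """Sigma string matching is case-insensitive; only the two modifiers the rule uses."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p.lstrip("*"))  # a leading '*' is redundant with endswith
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    """Every field in a selection must match; a field's list of values is OR'd."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        value = event.get(field, "")
        if not any(value_matches(modifier, value, p) for p in patterns):
            return False
    return True

def rule_matches(event):
    """condition: selection1 and selection2"""
    return all(selection_matches(RULE[name], event) for name in ("selection1", "selection2"))

def make_event(parent_cmd, cmd):
    """Constructed process_creation event: cmd.exe spawning msiexec.exe (not real telemetry)."""
    return {"ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": parent_cmd,
            "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": cmd}

# Sample 1: cmd /r reading a .lnk on a removable drive, msiexec installing quietly from a URL.
SUSPICIOUS = make_event(r"cmd /R type E:\sample.lnk", "msiexec /Q /I http://placeholder.invalid/pkg")
# Sample 2: same parent/child pair, but a local path and no URL, so selection2 does not match.
BENIGN = make_event(r"cmd /r type C:\temp\notes.txt", r"msiexec /q /i C:\temp\app.msi")

def evaluate(events=(SUSPICIOUS, BENIGN)):
    """Return one True/False per event; only the first sample should alert."""
    return [rule_matches(e) for e in events]
```

The second sample shows why the condition ANDs both selections: a quiet local msiexec install spawned by cmd alone satisfies selection1 and would be noisy on its own.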
