From 1e728d95982eb72b621d3d7bfbfda4db65ade91d Mon Sep 17 00:00:00 2001
From: CD-R0M <97048268+CD-R0M@users.noreply.github.com>
Date: Sat, 21 May 2022 17:07:31 -0400
Subject: [PATCH] Create proc_creation_win_rundll32_parent_explorer.yml

---
 ..._creation_win_rundll32_parent_explorer.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
new file mode 100644
index 000000000..1fb438cd2
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -0,0 +1,23 @@
+title: Rundll32 With Suspicious Parent Process
+description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.
+status: experimental
+references:
+ - https://redcanary.com/blog/raspberry-robin/
+author: CD_ROM_
+date: 2022/05/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ ParentImage|endswith: '\explorer.exe'
+ condition: selection
+fields:
+ - Image
+ - ParentImage
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
\ No newline at end of file
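Review bot: The `selection` block on the new side matches every rundll32.exe whose parent is explorer.exe with no `CommandLine` constraint, and that parent/child pair is a routine path in normal Windows use (Control Panel applets, "Open with", shell extensions), so the rule as written will fire constantly while `falsepositives: - Unknown` and `level: medium` understate that. Either tighten the selection with a `CommandLine` condition taken from the referenced Red Canary report, or add a filter for common benign invocations such as `CommandLine|contains: 'shell32.dll,Control_RunDLL'` excluded via `condition: selection and not filter`, and replace `Unknown` with the benign cases you excluded. The rule also lacks the `id:` UUID the Sigma schema expects (generate a fresh one; do not reuse another rule's), and `tags` carries only the tactic where `attack.t1218.011` (Rundll32) is the matching technique. Adding `CommandLine` to `fields` would give analysts the context needed to triage a hit, and the file should end with a newline.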