From 3cb577ddfc18d9a827e878c77d2dfbeea11a19ea Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 28 Oct 2022 17:25:25 +0200
Subject: [PATCH] Raspberry Robin Related Rules
---
 ...roc_creation_win_msiexec_install_quiet.yml | 30 +++++++------
 ...oc_creation_win_msiexec_install_remote.yml | 44 +++++++++++++++++++
 ...raspberry_robin_single_dot_ending_file.yml | 23 ++++++++++
 ...eation_win_susp_shellexec_rundll_usage.yml | 14 +++---
 4 files changed, 93 insertions(+), 18 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index 252d352e2..f513b41bc 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -6,7 +6,7 @@ description: |
 Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
 author: frack113
 date: 2022/01/16
-modified: 2022/10/23
+modified: 2022/10/28
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
@@ -15,21 +15,25 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_msi:
- Image|endswith: '\msiexec.exe'
+ selection_img:
+ - Image|endswith: '\msiexec.exe'
+ - OriginalFileName: 'msiexec.exe'
+ selection_cli:
+ # Note that there is no space before and after the arguments because it's possible to write a commandline as such
+ # Example: msiexec -q/i [MSI Package]
 CommandLine|contains:
- - ' /i'
- - ' -i'
- - ' /package'
- - ' -package'
- - ' /a'
- - ' -a'
- - ' /j'
- - ' -j'
+ - '/i'
+ - '-i'
+ - '/package'
+ - '-package'
+ - '/a'
+ - '-a'
+ - '/j'
+ - '-j'
 selection_quiet:
 CommandLine|contains:
- - ' /q'
- - ' -q'
+ - '/q'
+ - '-q'
 condition: all of selection_*
 falsepositives:
 - Legitimate script
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
new file mode 100644
index 000000000..1dc06c2c7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
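Review bot: Dropping the leading space from the `selection_cli` and `selection_quiet` substrings makes `-a`, `-i`, `-j` and `-q` match inside the package path or property values instead of only as switches, so an interactive `msiexec /i C:\pkg\vendor-app-quickstart.msi` now satisfies both selections and fires as a "quiet" install. The `-q/i` case the comment describes is still covered by anchoring on start-of-string, whitespace or a preceding quiet switch, e.g. `CommandLine|re: '(?i)(^|\s)[/-]q'` for the quiet selection and `CommandLine|re: '(?i)(^|\s|[/-]q\w*)[/-](i|package|a|j)'` for the install selection. If the targeted backends cannot take `re`, at least keep the space-prefixed variants alongside the glued `-q/i` and `/q/i` forms rather than bare `-q`. The unchanged `falsepositives: - Legitimate script` no longer describes the broadened match; installer file names containing `-q` or `-a` are now the main false-positive source.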
@@ -0,0 +1,44 @@
+title: Suspicious Msiexec Quiet Install From Remote Location
+id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
+related:
+ - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
+ type: similar
+status: experimental
+description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
+author: Nasreddine Bencherchali
+date: 2022/10/28
+references:
+ - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\msiexec.exe'
+ - OriginalFileName: 'msiexec.exe'
+ selection_cli:
+ # Note that there is no space before and after the arguments because it's possible to write a commandline as such
+ # Example: msiexec -q/i [MSI Package]
+ CommandLine|contains:
+ - '/i'
+ - '-i'
+ - '/package'
+ - '-package'
+ - '/a'
+ - '-a'
+ - '/j'
+ - '-j'
+ selection_quiet:
+ CommandLine|contains:
+ - '/q'
+ - '-q'
+ selection_remote:
+ - 'http'
+ - '\\\\'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
diff --git a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
new file mode 100644
index 000000000..06d4cf294
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
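Review bot: `selection_remote` is a bare list of strings under the selection name, which Sigma treats as a keyword search over the whole event rather than a match on the command line, so `http` or a UNC prefix in any field (CurrentDirectory, ParentCommandLine, a user name) satisfies it, and backends that do not support keyword lists for process_creation may reject the rule outright. The intent is presumably `selection_remote:` / `CommandLine|contains:` / `- 'http'` followed by `- '\\\\'`, mirroring the two selections above it. The install and quiet selections also inherit the unanchored `-a`, `-i`, `-q` substrings, and the remote package path itself can supply them (`/i http://host/setup-quick.msi` contains `-q`), so a non-quiet install from a URL will fire; a start- or whitespace-anchored regex such as `'(^|\s)[/-]q'` keeps the `-q/i` case without that. `falsepositives: - Unknown` could name the realistic one — software deployment that installs packages from an internal web server or UNC share — since that is what an analyst will see first.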
@@ -0,0 +1,23 @@
+title: Raspberry Robin Dot Ending File
+id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
+status: experimental
+description: Detects commandline containing reference to files ending with a ".". This scheme has been seen used by raspberry-robin
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/MichalKoczwara/status/1553634816016498688
+date: 2022/10/28
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{0,1}"
+ filter:
+ # This filter is used to exclude double extension files
+ CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}"
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
index e1c22b98d..8145ac57e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
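Review bot: In the `selection` regex the trailing group `[ |"|']{0,1}` is optional, so it never constrains the match, and the `|` characters inside the brackets are literal class members rather than alternation; the pattern therefore reduces to `\.[a-zA-Z0-9]{1,6}\.`, and after the double-extension `filter` it fires on any short dotted token ending in a period that is followed by a non-alphanumeric character — a trailing-period version in an argument (`-m "Bump to v2.1."`), a sentence-final period inside a PowerShell `-Command` string, and similar. Writing what was meant, `CommandLine|re: '\.[a-zA-Z0-9]{1,6}\.(\s|["'']|$)'`, makes the end-of-token requirement real and leaves the filter redundant, though a period-terminated file name remains a weak signal on its own. Given `falsepositives: - Unknown` and no technique id under `tags`, `level: low` would be more honest than `medium` until the rule is paired with the path or process context the referenced tweet shows.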
@@ -1,27 +1,31 @@
-title: Suspicious Usage Of ShellExec_rundll
+title: Suspicious Usage Of ShellExec_RundDLL
 id: d87bd452-6da1-456e-8155-7dc988157b7d
-description: Detects suspicious usage of the ShellExec_rundll function to launch other commands as seen in the the raspberry-robin attack
+description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
 status: experimental
 references:
 - https://redcanary.com/blog/raspberry-robin/
+ - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 author: Nasreddine Bencherchali
 date: 2022/09/01
+modified: 2022/10/28
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_openasrundll:
- CommandLine|contains: ',ShellExec_rundll'
+ CommandLine|contains: 'ShellExec_RunDLL'
 selection_suspcli:
 CommandLine|contains:
 # Add more LOLBINs and Susp Paths
 - 'regsvr32'
- - 'C:\Users\Public\'
+ - 'msiexec'
+ - '\Users\Public\'
 - 'odbcconf'
 - '\Desktop\'
+ - '\Temp\'
 condition: all of selection_*
 falsepositives:
 - Unknown
-level: medium
+level: high
 tags:
 - attack.defense_evasion
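Review bot: The new title line reads `Suspicious Usage Of ShellExec_RundDLL` — an extra `d` that the description line below it does not have — and the rewritten description still carries `in the the raspberry-robin attack`; both are on the new side, so `title: Suspicious Usage Of ShellExec_RunDLL` and `as seen in the raspberry-robin attack` belong in this commit. Dropping the leading comma from the `selection_openasrundll` value is a reasonable broadening, since `contains` now also covers the `ShellExec_RunDLLA`/`ShellExec_RunDLLW` exports and a `shell32,ShellExec_RunDLL` spelling with extra whitespace. The raise to `level: high` lands next to an unchanged `falsepositives: - Unknown` while the added `\Temp\` matches every user and system temp directory; if any legitimate installers are known to launch a second stage through this export from `%TEMP%`, naming them there is what justifies `high`, and if none are known, saying so explicitly is better than `Unknown`.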