Query Details

Detect RaspBerry Robin malware cmd invoking msiexec

Raspberry Robin Malware Cmd Invoking Msiexec

Query

let rbr01 = @'[A-Za-z0-9]+://[A-Za-z0-9]+\.[A-Za-z0-9]+:8080/[A-Za-z0-9]+/[A-Za-z0-9]+\?[A-Za-z0-9]+';
let rbr02 = @'[A-Za-z0-9]+://[A-Za-z0-9]+\.[A-Za-z0-9]+:8080/[A-Za-z0-9]+/[A-Za-z0-9]+\=[A-Za-z0-9]+';
let rbr03 = @'[A-Za-z0-9]+://[A-Za-z0-9]+\.[A-Za-z0-9]+:8080/[A-Za-z0-9]+/[A-Za-z0-9]+';
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName has @'cmd.exe'
| where ProcessCommandLine has "msiexec"
| where ProcessCommandLine matches regex rbr01 or ProcessCommandLine matches regex rbr02 or ProcessCommandLine matches regex rbr03 
| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName, ProcessCommandLine

About this query

Detect RaspBerry Robin malware cmd invoking msiexec

Description

A detection opportunity by taking into consideration the fact that RaspBerry Robin domains used have the following structure:

http://xx.xx:8080/xx/hostname?username
http://xx.xx:8080/xx/hostname=username
http://xx.xx:8080/xx/hostname

The query also incorporates the fact that the parent process is a command prompt and

References

Microsoft 365 Defender & Microsoft Sentinel

Versioning

VersionDateComments
1.027/04/2022Initial publish
1.123/05/2023Transformed to template, minor changes

Explanation

The query detects instances of the RaspBerry Robin malware by looking for specific patterns in URLs and command line arguments. It focuses on cases where the parent process is a command prompt and the command line includes the "msiexec" command. The query retrieves information such as the timestamp, device name, account name, file name, initiating process file name, and process command line for further analysis.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

DevicesIntuneUser

Operators

wherelet@'hasmatchesregexorproject

Actions

GitHub