
New rules related with Raspberry Robin TTPs #4763

Open
wants to merge 5 commits into
base: master
Conversation

swachchhanda000
Contributor

@swachchhanda000 swachchhanda000 commented Mar 11, 2024

Summary of the Pull Request

Added rules to detect registry modification actions and the aclui DLL being loaded by Oleview.exe, potential Raspberry Robin malware activity.

Changelog

new: Potential Raspberry Robin Registry Set Internet Settings Zonemap
new: Potential Raspberry Robin aclui dll SideLoading

Example Log Event

**Potential Raspberry Robin Registry Set Internet Settings Zonemap**
(screenshot of the example log event not included)

**Potential Raspberry Robin aclui dll SideLoading**
(screenshot of the example log event, dated 2024-03-14, not included)

more details: https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@nasbench nasbench added the Work In Progress Some changes are needed label Mar 11, 2024
@nasbench nasbench self-assigned this Mar 11, 2024
@swachchhanda000 swachchhanda000 force-pushed the registry_set_internet_settings_zonemap branch from 4df5507 to d145f9a Compare March 12, 2024 11:36
@swachchhanda000
Contributor Author

@nasbench, I have added suspicious paths and image to reduce the FPs. I observed other processes exhibiting such activity in my env.

@swachchhanda000 swachchhanda000 force-pushed the registry_set_internet_settings_zonemap branch from 5b50dc0 to e9b83e2 Compare March 12, 2024 11:55
@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Mar 14, 2024
@swachchhanda000 swachchhanda000 force-pushed the registry_set_internet_settings_zonemap branch from 7ae0cf2 to b6c07bf Compare March 14, 2024 14:20
@swachchhanda000 swachchhanda000 changed the title Added rule to detect registry modifications actions, potential raspberry robin malware. New rules related with Raspberry Robin TTPs Mar 14, 2024
@swachchhanda000 swachchhanda000 force-pushed the registry_set_internet_settings_zonemap branch from b6c07bf to c3045f0 Compare March 14, 2024 14:27
@swachchhanda000
Contributor Author

@nasbench, I have updated the description and added a new rule.

@swachchhanda000 swachchhanda000 force-pushed the registry_set_internet_settings_zonemap branch from c3045f0 to 12e2a8d Compare March 14, 2024 14:31
@swachchhanda000
Contributor Author

Hi @nasbench,
I read an article at https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/. It discusses the possibility of sideloading through OleView.exe. I believe creating a more generic rule in the main rules repository could be beneficial. What are your thoughts on this idea? Or, is there already a pre-existing rule to detect such events?

@nasbench
Member

What are your thoughts on this idea?

What do you mean by a more generic rule in the rule repo? Also please refrain from adding rules to an already reviewed PR.

@swachchhanda000
Contributor Author

Hi @nasbench,

Sorry for that. It won't happen next time.
What I mean by more generic is: in this rule I have specified the DLL name because it was detected as a Raspberry Robin IOC. But there are still other DLLs that can be sideloaded by Oleview.exe. So, I was thinking of creating a rule where the image would be Oleview.exe, but there won't be a DLL name. Instead we can filter out DLLs legitimately signed by Microsoft Corporation, which will give us only malicious DLLs. We can maybe add suspicious paths just to be on the safe side as well.
I hope you understand my concerns.

Thank you

@nasbench
Member

Hi @nasbench,

Sorry for that. It won't happen next time. What I mean by more generic is: in this rule I have specified the DLL name because it was detected as a Raspberry Robin IOC. But there are still other DLLs that can be sideloaded by Oleview.exe. So, I was thinking of creating a rule where the image would be Oleview.exe, but there won't be a DLL name. Instead we can filter out DLLs legitimately signed by Microsoft Corporation, which will give us only malicious DLLs. We can maybe add suspicious paths just to be on the safe side as well. I hope you understand my concerns.

Thank you

Yeah we can create such a rule. But filtering MS-only DLLs can be a basic approach. We need to double check which DLLs can be sideloaded and if all of them are "signed". Adding the paths would be a good best effort to start with.

Add such a rule to this PR and we can work on making it good.

@swachchhanda000 swachchhanda000 force-pushed the registry_set_internet_settings_zonemap branch from 3e67dbc to fbfa4b3 Compare April 1, 2024 09:18
@swachchhanda000
Contributor Author

Hi @nasbench,
I have updated the rule to include a filter for legitimate paths, but I haven't removed the aclui.dll because I don't want to contaminate this Raspberry Robin TTP. Therefore, I believe we can research and add other sideloadable DLLs with a separate Pull Request for a different rule.
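The two detection variants discussed in this thread (the PR's aclui.dll-by-Oleview.exe rule with a legitimate-path filter, and the more generic "any non-Microsoft-signed DLL loaded by Oleview.exe" idea), written as an added example over constructed Sysmon Event ID 7 records. This is not code from the SigmaHQ PR; the legitimate path prefixes, the signature check and the sample events are assumptions made for the example.

```python
# Added example, not part of the SigmaHQ PR: image-load detection logic as discussed
# in the thread, evaluated over constructed Sysmon Event ID 7 (image load) records.
# LEGIT_PATH_PREFIXES and the Microsoft-signature check are assumptions for this
# example; the PR's own filter values are not reproduced here.

LEGIT_PATH_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _ends_with(value, suffix):
    return value.lower().endswith(suffix.lower())


def _under_legit_path(path):
    return path.lower().startswith(LEGIT_PATH_PREFIXES)


def _is_microsoft_signed(event):
    # Sysmon image-load fields: Signed ("true"/"false"), Signature, SignatureStatus.
    return (event.get("Signed") == "true"
            and event.get("SignatureStatus") == "Valid"
            and event.get("Signature", "").startswith("Microsoft"))


def is_aclui_sideload(event):
    """The PR's specific TTP: oleview.exe loading aclui.dll from a non-standard path."""
    return (event.get("EventID") == 7
            and _ends_with(event["Image"], "\\oleview.exe")
            and _ends_with(event["ImageLoaded"], "\\aclui.dll")
            and not _under_legit_path(event["ImageLoaded"]))


def is_generic_oleview_sideload(event):
    """Generic variant proposed in the comments: any DLL loaded by oleview.exe that is
    not both Microsoft-signed and located under a legitimate Windows path."""
    if event.get("EventID") != 7 or not _ends_with(event["Image"], "\\oleview.exe"):
        return False
    return not (_is_microsoft_signed(event) and _under_legit_path(event["ImageLoaded"]))


RULES = (("aclui_sideload", is_aclui_sideload),
         ("generic_oleview_sideload", is_generic_oleview_sideload))


def scan(events):
    """Return (event index, list of matched rule names) for every event that fires."""
    return [(i, names) for i, ev in enumerate(events)
            if (names := [n for n, f in RULES if f(ev)])]


# Constructed sample events (not real telemetry): benign SDK load, then two sideloads.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\oleview.exe",
     "ImageLoaded": "C:\\Windows\\System32\\aclui.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\oleview.exe", "ImageLoaded": "C:\\Users\\Public\\aclui.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\oleview.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the second and third events; the first stays quiet because the DLL is Microsoft-signed and loaded from System32, which is the path filter the thread settles on as a starting point.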

Labels: Author Input Required (changes that require information from the original author of the rules), Emerging-Threats Rules, Work In Progress (some changes are needed)