chore: update metadata

swachchhanda000 · Mar 7, 2024 · 84b02ce · 84b02ce
1 parent 6421021
commit 84b02ce
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/...berry_robin_shell32_cpl_file_exection.yml → ...y_robin_rundll32_shell32_cpl_exection.yml b/...berry_robin_shell32_cpl_file_exection.yml → ...y_robin_rundll32_shell32_cpl_exection.yml
@@ -1,11 +1,14 @@
-title: Suspicious Shell32 DLL Execution - Raspberry Robin
+title: Potential Raspberry Robin CPL Execution Activity
 id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
 status: experimental
-description: Detects shell32.dll executing a .CPL file from a  suspicious directory which is seen in raspberry-robin variant.
+description: |
+    Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
+    This behavior was observed in multiple Raspberry-Robin variants.
 references:
     - https://tria.ge/240226-fhbe7sdc39/behavioral1
+    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
 author: Swachchhanda Shrawan Poudel
-date: 2024/03/05
+date: 2024/03/07
 tags:
     - detection.emerging_threats
     - attack.defense_evasion
@@ -14,7 +17,8 @@ tags:
 logsource:
     category: process_creation
     product: windows
-detection: # "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL"
+detection:
+    # Example: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\xxxx\AppData\Local\Temp\xxxx.CPL"
     selection_parent_img:
         ParentImage|endswith:
             - '\rundll32.exe'