updates
nasbench committed Aug 1, 2024
1 parent fbfa4b3 commit e9ac06b
Showing 2 changed files with 28 additions and 33 deletions.
@@ -1,15 +1,16 @@
title: Potential Raspberry Robin Aclui Dll SideLoading
id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
status: experimental
description: Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
description: |
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
references:
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
author: Swachchhanda Shrawan Poudel
date: 2024/03/14
date: 2024/07/31
tags:
- detection.emerging_threats
- attack.defense_evasion
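Review bot: the description rewritten as a block scalar in this hunk still carries the typos of the line it replaces: `OleView.This` is missing a space after the period, `chekpoint` should be `Check Point` (the vendor named in the first reference), and `Feburary` should be `February`. Since the line is being touched anyway, fix them here. Also, the hunk overwrites `date` with `2024/07/31` instead of keeping the original `2024/03/14` and recording the update in a `modified:` field, which is the usual Sigma convention; if resetting the date is intentional for an experimental emerging-threats rule that is fine, otherwise add `modified: 2024/07/31` and restore the original date.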
Expand All @@ -20,28 +21,18 @@ logsource:
category: image_load
product: windows
detection:
selection_image:
selection:
Image|endswith: '\OleView.exe'
selection_dll_loaded:
ImageLoaded|endswith: '\aclui.dll'
filter_oleview_path:
- Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
- '\Windows Resource Kit\'
filter_is_signed:
filter_main_legit_oleview_paths:
Image|contains:
- 'C:\Program Files (x86)\Windows Kits\'
- 'C:\Program Files\Microsoft SDKs\'
filter_optional_known_oleview_paths:
Image|contains: '\Windows Resource Kit\'
filter_main_is_signed:
Signed: 'true'
filter_signature_status:
SignatureStatus:
- 'Valid'
- 'errorChaining'
- 'errorCode_endpoint'
- 'errorExpired'
- 'trusted'
filter_signatue:
Signature: 'Microsoft Windows'
condition: all of selection_* and not 1 of filter_*
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
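Review bot: dropping `filter_signatue` (`Signature: 'Microsoft Windows'`) and `filter_signature_status` while keeping only `filter_main_is_signed` with `Signed: 'true'` widens the exclusion from "signed by Microsoft Windows" to "signed by anyone": an `aclui.dll` carrying any valid signature would now be suppressed. Consider adding `Signature: 'Microsoft Windows'` (the field from the removed filter) to `filter_main_is_signed` so only the genuine DLL is filtered. In Sysmon image_load events the `Signed`/`Signature` fields describe `ImageLoaded` rather than `Image`, so the filter does apply to the DLL, which is the intent. The merge of `selection_image` and `selection_dll_loaded` into a single `selection` and the switch to `filter_main_*`/`filter_optional_*` in the condition are consistent with each other; removing the typo'd `filter_signatue` identifier is a welcome side effect.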
@@ -1,43 +1,47 @@
title: Potential Raspberry Robin Registry Set Internet Settings Zonemap
title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
status: experimental
description: |
Detecting registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
references:
- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024/03/11
date: 2024/07/31
tags:
- detection.emerging_threats
- attack.t1112
- attack.defense_evasion
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its subkey must be monitored'
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
detection:
selection_suspicious_image:
selection_image:
- Image|contains:
- '\AppData\Local\Temp\'
- '\Downloads\'
- '\Windows\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
- Image|endswith: '\control.exe'
selection_suspicious_registry_object:
selection_registry_object:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
selection_registry_enable:
TargetObject|endswith:
- 'ProxyBypass'
- 'IntranetName'
- 'UNCAsIntranet'
- '\IntranetName'
- '\ProxyByPass'
- '\UNCAsIntranet'
Details|contains: 'DWORD (0x00000001)'
selection_registry_disable:
TargetObject|endswith: 'AutoDetect'
TargetObject|endswith: '\AutoDetect'
Details|contains: 'DWORD (0x00000000)'
condition: (all of selection_suspicious_*) and (1 of selection_registry_*)
condition: all of selection_* and 1 of selection_registry_*
falsepositives:
- Unknown
# Note: can be upgraded to medium after an initial baseline
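Review bot: the new condition `all of selection_* and 1 of selection_registry_*` is a logic error: the `selection_*` wildcard also matches `selection_registry_enable` and `selection_registry_disable`, so `all of selection_*` requires both the enable branch (`DWORD (0x00000001)` on `\IntranetName`/`\ProxyByPass`/`\UNCAsIntranet`) and the disable branch (`DWORD (0x00000000)` on `\AutoDetect`) on the same event, which can never be true, and the rule will never fire. The old condition avoided this with the `selection_suspicious_*` prefix. Either give the two mandatory selections their own prefix (e.g. `selection_main_image` and `selection_main_registry_object` with `condition: all of selection_main_* and 1 of selection_registry_*`) or spell them out: `condition: selection_image and selection_registry_object and 1 of selection_registry_*`. Minor: `'ProxyBypass'` became `'\ProxyByPass'`; Sigma string matching is case-insensitive so this does not change behaviour, but the registry value under ZoneMap is named `ProxyBypass`, and keeping that casing avoids confusion with the `IZ_ProxyByPass` policy name in the references. Adding the leading backslash to the `endswith` values is a good tightening.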

0 comments on commit e9ac06b
