Added rule to detect registry modificiactions actions, potential rasp…

…berry robin malware.

rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml

@@ -0,0 +1,35 @@
+title: Potential Raspberry Robin Registry Set Internet Settings Zonemap
+id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
+status: experimental
+description: Detecting registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+references:
+    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
+    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
+    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
+author: Swachchhanda Shrawan Poudel
+date: 2024/03/11
+tags:
+    - detection.emerging_threats
+    - attack.t1112
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its subkey must be monitored'
+detection:
+    selection_registry_object:
+        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
+    selection_enable:
+        TargetObject|endswith:
+            - 'ProxyBypass'
+            - 'IntranetName'
+            - 'UNCAsIntranet'
+        Details|contains: 'DWORD (0x00000001)'
+    selection_disable:
+        TargetObject|endswith: 'AutoDetect'
+        Details|contains: 'DWORD (0x00000000)'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+# Note: can be upgraded to medium after an initial baseline
+level: low