Emerging Threat | low | test

Potential Raspberry Robin Registry Set Internet Settings ZoneMap

Detects registry modifications to the system's Internet Settings ZoneMap proxy configuration, potentially associated with the Raspberry Robin malware as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security controls, so that any proxy configuration that would otherwise block its traffic no longer hinders its connection to the command and control servers it uses to maintain control over compromised systems.

Author: Swachchhanda Shrawan Poudel
Created: Wed Jul 31 2024
Rule ID: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)

Definition

Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its subkeys must be monitored (for example with Sysmon Event ID 13, RegistryEvent Value Set).

Detection Logic (4 selectors)
detection:
    selection_registry_image:
        - Image|contains:
              - '\AppData\Local\Temp\'
              - '\Downloads\'
              - '\Users\Public\'
              - '\Windows\Temp\'
        - Image|endswith: '\control.exe'
    selection_registry_object:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
    selection_value_enable:
        TargetObject|endswith:
            - '\IntranetName'
            - '\ProxyByPass'
            - '\UNCAsIntranet'
        Details|contains: 'DWORD (0x00000001)'
    selection_value_disable:
        TargetObject|endswith: '\AutoDetect'
        Details|contains: 'DWORD (0x00000000)'
    condition: all of selection_registry_* and 1 of selection_value_*
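The following is an added example, not code from the Sigma project or from this rule page, showing how the four selectors and the condition above resolve against Sysmon Event ID 13 style records. The field names Image, TargetObject and Details are taken from the rule; the helper names and the sample records are constructed for illustration and are not real telemetry. Sigma string modifiers (contains, endswith) are case-insensitive by default, which the helper reproduces by lower-casing both sides; this is what lets the rule's '\ProxyByPass' spelling match the registry value as Windows writes it.

```python
"""Evaluate the Raspberry Robin ZoneMap Sigma rule over constructed
registry_set records shaped like Sysmon Event ID 13.

Hypothetical helper (not pySigma, not the rule author's code): it mirrors
the rule's selectors and its condition
    all of selection_registry_* and 1 of selection_value_*
"""

from typing import Dict, List

# Selector values copied verbatim from the rule.
SUSPICIOUS_IMAGE_PATHS = (
    "\\AppData\\Local\\Temp\\",
    "\\Downloads\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
)
CONTROL_EXE = "\\control.exe"
ZONEMAP_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
ENABLE_VALUES = ("\\IntranetName", "\\ProxyByPass", "\\UNCAsIntranet")
ENABLE_DETAILS = "DWORD (0x00000001)"
DISABLE_VALUE = "\\AutoDetect"
DISABLE_DETAILS = "DWORD (0x00000000)"


def _field(event: Dict[str, str], name: str) -> str:
    # Sigma string matching is case-insensitive by default.
    return str(event.get(name, "")).lower()


def selection_registry_image(event: Dict[str, str]) -> bool:
    # A list under one selector is OR-ed: any suspicious path, or control.exe.
    image = _field(event, "Image")
    return any(p.lower() in image for p in SUSPICIOUS_IMAGE_PATHS) or image.endswith(CONTROL_EXE.lower())


def selection_registry_object(event: Dict[str, str]) -> bool:
    return ZONEMAP_KEY.lower() in _field(event, "TargetObject")


def selection_value_enable(event: Dict[str, str]) -> bool:
    # Two fields inside one selector are AND-ed.
    target = _field(event, "TargetObject")
    return any(target.endswith(v.lower()) for v in ENABLE_VALUES) and ENABLE_DETAILS.lower() in _field(event, "Details")


def selection_value_disable(event: Dict[str, str]) -> bool:
    return _field(event, "TargetObject").endswith(DISABLE_VALUE.lower()) and DISABLE_DETAILS.lower() in _field(event, "Details")


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_registry_* and 1 of selection_value_*"""
    return (selection_registry_image(event) and selection_registry_object(event)
            and (selection_value_enable(event) or selection_value_disable(event)))


# Constructed sample records (not real telemetry). The hive prefix and SID are placeholders.
ZONEMAP = "HKU\\S-1-5-21-0-0-0-1001" + ZONEMAP_KEY
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # control.exe turning ProxyBypass on: both registry selectors and value_enable fire
        "Image": "C:\\Windows\\System32\\control.exe",
        "TargetObject": ZONEMAP + "ProxyBypass",
        "Details": "DWORD (0x00000001)",
    },
    {   # binary in %TEMP% disabling AutoDetect: value_disable fires
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "TargetObject": ZONEMAP + "AutoDetect",
        "Details": "DWORD (0x00000000)",
    },
    {   # same key, but AutoDetect set to 1: neither value selector fires, so no alert
        "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
        "TargetObject": ZONEMAP + "AutoDetect",
        "Details": "DWORD (0x00000001)",
    },
    {   # explorer.exe writing ProxyBypass: image selector fails, so no alert
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": ZONEMAP + "ProxyBypass",
        "Details": "DWORD (0x00000001)",
    },
]


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # -> [0, 1]
```

The third sample record is the one worth noting during triage: a write to the same ZoneMap key from a suspicious path does not alert unless the value name and the DWORD it is set to both match one of the selection_value_* pairs, so a tuned rule should keep those pairs in sync with the behaviour being tracked.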

False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK

attack.persistence, attack.t1112 (Modify Registry), attack.defense-evasion

Other

detection.emerging-threats
Rule Metadata
Rule ID
16a4c7b3-4681-49d0-8d58-3e9b796dcb43
Status
test
Level
low
Type
Emerging Threat
Created
Wed Jul 31
Path
rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
Raw Tags
attack.persistence, attack.t1112, attack.defense-evasion, detection.emerging-threats