sigmahighHunting

Suspicious Network Connection Binary No CommandLine

Detects suspicious network connections made by a well-known Windows binary run with no command line parameters

Detection Query

selection:
  Initiated: "true"
  Image|endswith:
    - \regsvr32.exe
    - \rundll32.exe
    - \dllhost.exe
  CommandLine|endswith:
    - \regsvr32.exe
    - \rundll32.exe
    - \dllhost.exe
filter_no_cmdline:
  CommandLine: ""
filter_null:
  CommandLine: null
condition: selection and not 1 of filter*

Author

Florian Roth (Nextron Systems)

Created

2022-07-03

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

https://redcanary.com/blog/raspberry-robin/

Tags

attack.defense-evasion

Raw Content

title: Suspicious Network Connection Binary No CommandLine
id: 20384606-a124-4fec-acbb-8bd373728613
status: test
description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
references:
    - https://redcanary.com/blog/raspberry-robin/
author: Florian Roth (Nextron Systems)
date: 2022-07-03
tags:
    - attack.defense-evasion
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\dllhost.exe'
        CommandLine|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\dllhost.exe'
    filter_no_cmdline:
        CommandLine: ''
    filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
        CommandLine: null
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high