Detect RaspBerry Robin malware cmd invoking msiexec
Raspberry Robin Malware Cmd Invoking Msiexec
Query
let rbr01 = @'[A-Za-z0-9]+://[A-Za-z0-9]+\.[A-Za-z0-9]+:8080/[A-Za-z0-9]+/[A-Za-z0-9]+\?[A-Za-z0-9]+';
let rbr02 = @'[A-Za-z0-9]+://[A-Za-z0-9]+\.[A-Za-z0-9]+:8080/[A-Za-z0-9]+/[A-Za-z0-9]+\=[A-Za-z0-9]+';
let rbr03 = @'[A-Za-z0-9]+://[A-Za-z0-9]+\.[A-Za-z0-9]+:8080/[A-Za-z0-9]+/[A-Za-z0-9]+';
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName has @'cmd.exe'
| where ProcessCommandLine has "msiexec"
| where ProcessCommandLine matches regex rbr01 or ProcessCommandLine matches regex rbr02 or ProcessCommandLine matches regex rbr03
| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName, ProcessCommandLineAbout this query
Detect RaspBerry Robin malware cmd invoking msiexec
Description
A detection opportunity by taking into consideration the fact that RaspBerry Robin domains used have the following structure:
http://xx.xx:8080/xx/hostname?username
http://xx.xx:8080/xx/hostname=username
http://xx.xx:8080/xx/hostname
The query also incorporates the fact that the parent process is a command prompt and
References
- https://redcanary.com/blog/raspberry-robin/
- https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html
Microsoft 365 Defender & Microsoft Sentinel
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 27/04/2022 | Initial publish |
| 1.1 | 23/05/2023 | Transformed to template, minor changes |
Explanation
The query detects instances of the RaspBerry Robin malware by looking for specific patterns in URLs and command line arguments. It focuses on cases where the parent process is a command prompt and the command line includes the "msiexec" command. The query retrieves information such as the timestamp, device name, account name, file name, initiating process file name, and process command line for further analysis.
Details

Michalis Michalos
Released: August 14, 2023
Tables
DeviceProcessEvents
Keywords
DevicesIntuneUser
Operators
wherelet@'hasmatchesregexorproject