Showing posts with the label line

Raspberry Robin & Detecting miXeD CaSE ObFuSCaTIoN With Splunk

Raspberry Robin aka "QNAP Worm" is a suspected pay-per-install malware botnet linked to threat actor DEV-0856. Raspberry Robin spreads through infected USB: users click a .lnk file on the USB and from there msiexec.exe grabs a remotely hosted .msi file and quietly installs it, which is the next stage of the Raspberry Robin payload. One of the interesting things about Raspberry Robin is that it uses a very distinctive, low-effort form of command line obfuscation, mixed case (or "alternating caps"). You can see what that looks like below, from what looks like a Defender detection in the attached screenshot.

I wanted to come up with a way to detect mixed case obfuscation in Splunk, you can see what I came up with below:

index=winlogs EventCode=4688 Creator_Process_Name=*\\cmd.exe | rex field=Process_Command_Line max_match=0 "(?<upper>[A-Z])" | rex field=Process_Command_Line max_match=0 "(?<lower>[a-z])" | eval count_upper=m

Leaving No Safe Haven For Commandline Obfuscation (The Second Part)

In part one of these blog entries on command line obfuscation in Windows (which you can find here, if you haven't read it), we covered some real basic SPL for detecting the usage of double quotes to potentially circumvent SIEM detections. One of the things I forgot to mention then is that counting specific characters in fields has a lot of potential uses within Splunk searches if you are prepared to think outside the box a little. For instance, let's say you were looking at Apache web logs and wanting to find instances of directory (or path) traversal, someone appending something like "../../../../../../../../../../../../etc/passwd%00" to a URL to try to get at your valuable files. You could modify the SPL as follows:

index=apache sourcetype=access_combined | eval traversalCount=mvcount(split(uri,"."))-1 | where traversalCount >=4 | stats values(uri) BY traversalCount clientip status

This would give you any instances of uris containing