Analytics Story: Trickbot

Date: 2021-04-20 ID: 16f93769-8342-44c0-9b1d-f131937cce8e Author: Rod Soto, Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.

Why it matters

trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Suspicious Process File Path Create or Modify System Process TTP
Cobalt Strike Named Pipes Process Injection TTP
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Executables Or Script Creation In Temp Path Masquerading Anomaly
Mshta spawning Rundll32 OR Regsvr32 Process Mshta TTP
Powershell Remote Thread To Known Windows Process Process Injection TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task TTP
Suspicious Rundll32 StartW Rundll32 TTP
Trickbot Named Pipe Process Injection TTP
Wermgr Process Create Executable File Obfuscated Files or Information TTP
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP
Windows Attempt To Stop Security Service Disable or Modify Tools TTP
Windows Office Product Loading VBE7 DLL Spearphishing Attachment Anomaly
Windows Office Product Spawned Uncommon Process Spearphishing Attachment TTP
Windows Process Execution in Temp Dir Create or Modify System Process, Match Legitimate Name or Location Anomaly
Windows Suspicious Process File Path Create or Modify System Process, Match Legitimate Name or Location TTP
Wermgr Process Connecting To IP Check Web Services IP Addresses TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1