Analytics Story: Trickbot

Date: 2021-04-20 ID: 16f93769-8342-44c0-9b1d-f131937cce8e Author: Rod Soto, Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.

Why it matters

trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Account Discovery With Net App Domain Account, Account Discovery TTP
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses TTP
Cobalt Strike Named Pipes Process Injection TTP
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Office Product Spawning CertUtil Phishing, Spearphishing Attachment TTP
Powershell Remote Thread To Known Windows Process Process Injection TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 TTP
Trickbot Named Pipe Process Injection TTP
Wermgr Process Connecting To IP Check Web Services Gather Victim Network Information, IP Addresses TTP
Wermgr Process Create Executable File Obfuscated Files or Information TTP
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1