Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Trickbot banking trojan, including file writes associated with its payload, process injection, shellcode execution, and data collection, including in LDAP environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-04-20
- Author: Rod Soto, Teoderick Contreras, Splunk
- ID: 16f93769-8342-44c0-9b1d-f131937cce8e
Narrative
Trickbot is a banking trojan whose campaigns target banks and other vertical sectors. This malware is known on the Microsoft Windows OS, where it targets the Microsoft Defender security product to prevent its own detection and removal. It steals Verizon credentials and targets banks using its multi-component modules, which collect and exfiltrate data.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Cobalt Strike Named Pipes | Process Injection | TTP |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Mshta spawning Rundll32 OR Regsvr32 Process | System Binary Proxy Execution, Mshta | TTP |
| Office Application Spawn rundll32 process | Phishing, Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning CertUtil | Phishing, Spearphishing Attachment | TTP |
| Powershell Remote Thread To Known Windows Process | Process Injection | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious Rundll32 StartW | System Binary Proxy Execution, Rundll32 | TTP |
| Trickbot Named Pipe | Process Injection | TTP |
| Wermgr Process Connecting To IP Check Web Services | Gather Victim Network Information, IP Addresses | TTP |
| Wermgr Process Create Executable File | Obfuscated Files or Information | TTP |
| Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP |
Reference
source | version: 1