
Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Trickbot banking trojan, including file writes associated with its payload, process injection, shellcode execution, and data collection, including in LDAP environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-04-20
  • Author: Rod Soto, Teoderick Contreras, Splunk
  • ID: 16f93769-8342-44c0-9b1d-f131937cce8e

Narrative

Trickbot is a banking trojan whose campaigns target banks and other vertical sectors. It runs on Microsoft Windows, where it targets Microsoft Defender to prevent its own detection and removal. It steals Verizon credentials and targets banks using multi-component modules that collect and exfiltrate data.

Detections

| Name | Technique | Type |
|---|---|---|
| Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Cobalt Strike Named Pipes | Process Injection | TTP |
| Mshta spawning Rundll32 OR Regsvr32 Process | Signed Binary Proxy Execution, Mshta | TTP |
| Office Application Spawn rundll32 process | Phishing, Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Signed Binary Proxy Execution, Mshta | TTP |
| Powershell Remote Thread To Known Windows Process | Process Injection | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Suspicious Rundll32 StartW | Signed Binary Proxy Execution, Rundll32 | TTP |
| Trickbot Named Pipe | Process Injection | TTP |
| Wermgr Process Connecting To IP Check Web Services | Gather Victim Network Information, IP Addresses | TTP |
| Wermgr Process Create Executable File | Obfuscated Files or Information | TTP |
| Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP |
| Write Executable in SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
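As an added, constructed example (not code from this page or from Splunk's security content), the following Python re-implements several of the detections listed above as plain predicates and runs them over made-up endpoint events. The matching conditions are inferred from the detection names and their ATT&CK technique mappings, not copied from the underlying SPL searches; the office application list, the IP-check host list, the security service names and the sample events are all assumptions, and the field names are only loosely modelled on the Endpoint datamodel.

```python
"""Offline re-implementation of several Trickbot story detections (constructed example)."""
import re
from dataclasses import dataclass

# Assumed lists; a production search would tune these per environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}
IP_CHECK_HOSTS = {"ipinfo.io", "api.ipify.org", "checkip.amazonaws.com", "icanhazip.com"}
EXECUTABLE_EXT = (".exe", ".dll")


@dataclass
class Event:
    """Normalized endpoint event; fields loosely follow the Endpoint datamodel."""
    kind: str                      # "process", "file" or "network"
    process_name: str = ""
    parent_process_name: str = ""
    process: str = ""              # full command line (process events)
    file_path: str = ""            # file events
    dest: str = ""                 # destination host (network events)


# (detection name from the story, predicate over a lower-cased event)
RULES = [
    ("Account Discovery With Net App",
     lambda e: e.kind == "process" and e.process_name in {"net.exe", "net1.exe"}
     and re.search(r"\b(user|group)\b.*\s/domain\b", e.process)),
    ("Attempt To Stop Security Service",  # service names are an assumption
     lambda e: e.kind == "process" and e.process_name in {"sc.exe", "net.exe", "net1.exe"}
     and re.search(r"\b(stop|delete)\s+(windefend|sense|wdnissvc)\b", e.process)),
    ("Mshta spawning Rundll32 OR Regsvr32 Process",
     lambda e: e.kind == "process" and e.parent_process_name == "mshta.exe"
     and e.process_name in {"rundll32.exe", "regsvr32.exe"}),
    ("Office Application Spawn rundll32 process",
     lambda e: e.kind == "process" and e.parent_process_name in OFFICE_APPS
     and e.process_name == "rundll32.exe"),
    ("Office Product Spawn CMD Process",
     lambda e: e.kind == "process" and e.parent_process_name in OFFICE_APPS
     and e.process_name == "cmd.exe"),
    ("Schedule Task with Rundll32 Command Trigger",
     lambda e: e.kind == "process" and e.process_name == "schtasks.exe"
     and "/create" in e.process and "rundll32" in e.process),
    ("Suspicious Rundll32 StartW",  # rundll32.exe <dll>,StartW export call
     lambda e: e.kind == "process" and e.process_name == "rundll32.exe"
     and re.search(r",\s*startw\b", e.process)),
    ("Wermgr Process Spawned CMD Or Powershell Process",
     lambda e: e.kind == "process" and e.parent_process_name == "wermgr.exe"
     and e.process_name in INTERPRETERS),
    ("Wermgr Process Create Executable File",
     lambda e: e.kind == "file" and e.process_name == "wermgr.exe"
     and e.file_path.endswith(EXECUTABLE_EXT)),
    ("Wermgr Process Connecting To IP Check Web Services",
     lambda e: e.kind == "network" and e.process_name == "wermgr.exe"
     and e.dest in IP_CHECK_HOSTS),
    ("Write Executable in SMB Share",  # UNC path target
     lambda e: e.kind == "file" and e.file_path.startswith("\\\\")
     and e.file_path.endswith(EXECUTABLE_EXT)),
]


def normalize(e: Event) -> Event:
    """Lower-case every string field so rule matching is case-insensitive."""
    return Event(e.kind, e.process_name.lower(), e.parent_process_name.lower(),
                 e.process.lower(), e.file_path.lower(), e.dest.lower())


def run_detections(events):
    """Return [(event index, detection name)] for every rule that fires."""
    hits = []
    for i, raw in enumerate(events):
        e = normalize(raw)
        for name, pred in RULES:
            if pred(e):
                hits.append((i, name))
    return hits


# Constructed sample telemetry (not real data), roughly in Trickbot's order of operations.
SAMPLE_EVENTS = [
    Event("process", "WINWORD.EXE", "explorer.exe", '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.docm'),
    Event("process", "cmd.exe", "WINWORD.EXE", "cmd.exe /c rundll32.exe C:\\Users\\Public\\upd.dll,StartW"),
    Event("process", "rundll32.exe", "cmd.exe", "rundll32.exe C:\\Users\\Public\\upd.dll,StartW"),
    Event("process", "schtasks.exe", "rundll32.exe",
          'schtasks.exe /create /tn "Sysnet" /tr "rundll32.exe C:\\Users\\Public\\upd.dll,StartW" /sc minute /mo 10'),
    Event("process", "net.exe", "cmd.exe", 'net.exe group "Domain Admins" /domain'),
    Event("process", "cmd.exe", "wermgr.exe", "cmd.exe /c net.exe view /all"),
    Event("file", process_name="wermgr.exe", file_path="C:\\Users\\Public\\sysinfo.dll"),
    Event("network", process_name="wermgr.exe", dest="api.ipify.org"),
    Event("process", "sc.exe", "cmd.exe", "sc.exe stop WinDefend"),
    Event("file", process_name="cmd.exe", file_path="\\\\FILESRV01\\C$\\Windows\\Temp\\upd.exe"),
    Event("process", "svchost.exe", "services.exe", "svchost.exe -k netsvcs"),  # benign
]

if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The predicates deliberately check only process lineage, command line and file path, which is what the detection names express; the real searches additionally constrain fields such as `dest`, `user` and `process_path`, and the named-pipe and remote-thread detections in the table need Sysmon pipe and CreateRemoteThread events that this sample does not model.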

Version: 1