Analytics Story: Trickbot

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Trickbot banking trojan, including file writes associated with its payload, process injection, shellcode execution, and data collection, even in an LDAP environment.

Why it matters

Trickbot is a banking trojan whose campaigns target banks and other vertical sectors. The malware is known on Microsoft Windows, where it targets Microsoft Defender to prevent its own detection and removal. It steals Verizon credentials and targets banks using multi-component modules that collect and exfiltrate data.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Wermgr Process Connecting To IP Check Web Services | IP Addresses | TTP |
| Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP |
| Wermgr Process Create Executable File | Obfuscated Files or Information | TTP |
| Windows Attempt To Stop Security Service | Disable or Modify Tools | TTP |
| Mshta spawning Rundll32 OR Regsvr32 Process | Mshta | TTP |
| Windows Process Execution in Temp Dir | Match Legitimate Resource Name or Location, Create or Modify System Process | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP |
| Suspicious Rundll32 StartW | Rundll32 | TTP |
| Powershell Remote Thread To Known Windows Process | Process Injection | TTP |
| Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP |
| Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly |
| Trickbot Named Pipe | Process Injection | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 8 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 5145 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |

Source: GitHub | Version: 2