35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
title: Trickbot Malware Recon Activity
|
|
author: David Burkett, Florian Roth
|
|
date: 2019/12/28
|
|
description: Trickbot enumerates domain/network topology and executes certain commands
|
|
automatically every few minutes. This detectors attempts to identify that activity
|
|
based off a command rarely observed in an enterprise network.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
ParentImage: '*\cmd.exe'
|
|
SELECTION_3:
|
|
Image: '*\nltest.exe'
|
|
SELECTION_4:
|
|
CommandLine: '*/domain_trusts /all_trusts*'
|
|
condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3) and (SELECTION_4))
|
|
falsepositives:
|
|
- Rare System Admin Activity
|
|
id: 410ad193-a728-4107-bc79-4419789fcbf8
|
|
level: critical
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2020/11/26
|
|
references:
|
|
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
|
|
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
|
|
status: experimental
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1482
|
|
yml_filename: win_malware_trickbot_recon_activity.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
|
|
|