MATCH-S00588.md

File metadata and controls

34 lines (27 loc) · 1.2 KB

# Rules: Trickbot Malware Recon Activity

## Description

Trickbot enumerates domain and network topology by running a fixed set of discovery commands automatically every few minutes. This detection attempts to identify that activity based on commands that are rarely observed in normal enterprise endpoint activity.

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Unknown/Other |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | Trickbot Malware Recon Activity |
| Summary Expression | Observed Trickbot Malware Recon activity on {{device_hostname}} |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1482 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | user_username |
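The following Python sketch is an added illustration of how a templated match rule of this shape evaluates normalized endpoint records; it is not the rule's own match expression (which this page does not reproduce) and not Sumo Logic code. The recon command patterns (`nltest /domain_trusts`, `nltest /dclist`, `net view /all /domain`, chosen because they fit the T1482 domain trust discovery tag) and the sample records are assumptions constructed for the example. The rule's listed fields (`baseImage`, `commandLine`, `device_hostname`, `user_username`), summary expression, static severity and tags are taken from the table above.

```python
import re

# Assumed recon patterns (not the rule's own expression): domain topology
# enumeration commands that are uncommon in routine enterprise telemetry.
# Each pattern is checked case-insensitively against baseImage + commandLine.
RECON_PATTERNS = [
    re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    re.compile(r"\bnltest(\.exe)?\b.*/dclist", re.I),
    re.compile(r"\bnet(\.exe)?\s+view\s+/all\s+/domain\b", re.I),
]

# Rule attributes copied from the Additional Details table on this page.
RULE = {
    "name": "Trickbot Malware Recon Activity",
    "summary": "Observed Trickbot Malware Recon activity on {{device_hostname}}",
    "severity": 4,
    "entities": ["device_hostname", "user_username"],
    "tags": ["_mitreAttackTactic:TA0007", "_mitreAttackTechnique:T1482"],
}


def matches(record):
    """Return True when a normalized record looks like the recon activity.

    Both fields the rule uses are inspected, so a renamed binary whose
    command line still carries the recon switches is not missed."""
    haystack = f"{record.get('baseImage', '')} {record.get('commandLine', '')}"
    return any(p.search(haystack) for p in RECON_PATTERNS)


def render_summary(template, record):
    """Expand {{field}} placeholders in the summary expression from the record."""
    return re.sub(r"\{\{(\w+)\}\}",
                  lambda m: str(record.get(m.group(1), "")), template)


def evaluate(records):
    """Emit one signal per matching record, applying the static score to the
    entities named in the rule (device_hostname, user_username)."""
    signals = []
    for rec in records:
        if not matches(rec):
            continue
        signals.append({
            "name": RULE["name"],
            "summary": render_summary(RULE["summary"], rec),
            "severity": RULE["severity"],
            "entities": {e: rec.get(e) for e in RULE["entities"]},
            "tags": list(RULE["tags"]),
        })
    return signals


# Constructed sample records in the normalized schema (not real telemetry).
SAMPLE_RECORDS = [
    {"baseImage": r"C:\Windows\System32\nltest.exe",
     "commandLine": "nltest /domain_trusts /all_trusts",
     "device_hostname": "WS-0042", "user_username": "jdoe"},
    {"baseImage": r"C:\Windows\System32\net.exe",
     "commandLine": "net view /all /domain",
     "device_hostname": "WS-0042", "user_username": "jdoe"},
    {"baseImage": r"C:\Windows\System32\notepad.exe",
     "commandLine": "notepad.exe report.txt",
     "device_hostname": "WS-0007", "user_username": "asmith"},
]

if __name__ == "__main__":
    for sig in evaluate(SAMPLE_RECORDS):
        print(sig["severity"], sig["summary"], sig["entities"])
```

Both recon records from the same host and user produce a signal; in a real engine the repeated every-few-minutes cadence the description mentions would then aggregate those signals into an insight against the `device_hostname` and `user_username` entities rather than alert on each one individually.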