Name:Trickbot Named Pipe id:1804b0a4-a682-11eb-8f68-acde48001122 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system. Data_source:
-Sysmon EventID 17
-Sysmon EventID 18
search:`sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. . known_false_positives:unknown References: -https://labs.vipre.com/trickbot-and-its-modules/ -https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Trickbot' asset_type:Endpoint confidence:60 impact:70 message:Possible Trickbot namedpipe created on $dest$ by $process_name$ mitre_attack_id: - 'T1055' observable: name:'dest' type:'Endpoint' - role: - 'Victim' name:'process_name' type:'Process' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'dest' - 'user_id' - 'EventCode' - 'PipeName' - 'signature' - 'Image' - 'process_id' risk_score:42 security_domain:endpoint
