{
	"id": "92748f09-2348-441d-948e-9335f789e348",
	"created_at": "2026-04-06T00:14:07.186701Z",
	"updated_at": "2026-04-10T03:24:30.286605Z",
	"deleted_at": null,
	"sha1_hash": "1da90f915fee960d95de660a78633933ae7c10e9",
	"title": "Splunking with Sysmon Part 4: Detecting Trickbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90759,
	"plain_text": "Splunking with Sysmon Part 4: Detecting Trickbot\r\nBy Hurricane Labs\r\nPublished: 2020-11-12 · Archived: 2026-04-05 15:56:34 UTC\r\nTrickbot and Ryuk\r\nWith the recent outbreak of Ryuk in hospitals, detecting the precursors to the ransomware has become a more visible priority. Ryuk has a history of being deployed after an enterprise has already been compromised by Trickbot. The problem with detecting Ryuk is that by the time it is detected, it is usually too late to save anything. The key is to detect Trickbot, or whatever other malware the attackers use to gain their foothold, before your data starts being encrypted.\r\nThis Splunk tutorial covers the methodology I used to develop and test the detections, as well as how to implement and tune them. In case you missed the previous parts of my Splunking with Sysmon tutorial series, make sure to check out parts 1, 2, and 3 too!\r\nTrickbot Hunting\r\nFinding Trickbot samples is not hard; there are many sources and samples available. I tested 7 different .exe samples, all of which had been submitted within 3 days of my testing. I ran each sample in my home lab with internet access enabled and Sysinternals Process Monitor (procmon) running to record what the executable did. I segregated the lab from my personal network to reduce the risk of the malware spreading; please be just as careful if you want to recreate this testing.\r\nTo decide how to approach a detection, I divided the Trickbot samples I tested into two categories. The first category contained the samples that fully executed and established a persistence mechanism. The second category’s samples were more evasive, but they did not establish any form of persistence.\r\nPersistent Trickbot\r\nThe Trickbot samples that established persistence executed in a few different ways, but they always used Registry Run keys to keep their hold on the infected system. 
The simplest sample wrote a file to the user’s Local AppData folder and created a Run registry key to execute that file at the next logon. It also timestomped the dropped executable, changing its file creation time.\r\nhttps://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/\r\nPage 1 of 8\n\nThe key takeaways from the procmon evaluation were that the initial process creates a file (possibly timestomped), sets a registry Run key pointing at it, and then does its work from a child process rather than from the initial execution. The same chain is visible when tracking the process through the Sysmon logs in Splunk.\r\nEvasive Trickbot\r\nIt was much harder to see what the evasive Trickbot samples were doing. The process would start, and then each one quickly moved into wermgr.exe (the Windows Error Reporting manager) and wrote to a file while making outbound connections. The wermgr.exe process never created any child processes or moved into another process; it made an outbound network connection every 5 minutes or so, but appeared to be waiting for further instructions. Sysmon records those connections as network connection events (Event ID 3), so a steady beacon from wermgr.exe is the observable to key on for this category.\r\nDetecting Initial Execution\r\nDetecting the initial execution of Trickbot was more reliable than detecting the persistence, but it also took a little more work. All of the Trickbot samples I tested had an OriginalFilename in the PE file’s version information that did not match the name of the file that was executed. Since these processes are launched from executables under the Users folder, I started looking at process creation events (Sysmon Event ID 1) where the file name did not match the OriginalFilename, which fits MITRE ATT&CK technique T1036 (Masquerading). 
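The process chain noted from procmon (an executable launched from the Users folder writes a file, possibly changes its creation time, sets a Run key pointing at it, and then works from a child process) can be reassembled in Splunk by grouping Sysmon events on ProcessGuid, which is identical on the process creation event and on every file, file-time and registry event that the same process later generates. The following search is an added example for this article, not one of the original post’s searches. It assumes the same Sysmon sourcetype used throughout the article, the raw Sysmon field names (ProcessGuid, Image, TargetFilename, TargetObject, Details), and that Event IDs 2 (file creation time changed), 11 (file create) and 13 (registry value set) are enabled in your Sysmon configuration for paths under the user profiles; the stage labels and the three-stage threshold are my own choices.

```spl
source=\"xmlwineventlog:microsoft-windows-sysmon/operational\"
    ((EventCode=1 OR EventCode=11 OR EventCode=2) Image=\"C:\\\\Users\\\\*\")
    OR (EventCode=13 Image=\"C:\\\\Users\\\\*\" TargetObject=\"*\\\\CurrentVersion\\\\Run\\\\*\")
| eval stage=case(EventCode=1, \"1_exec\",
                  EventCode=11, \"2_file_create\",
                  EventCode=2, \"3_timestomp\",
                  EventCode=13, \"4_run_key\")
| stats min(_time) AS first_seen, max(_time) AS last_seen,
        values(stage) AS stages, dc(stage) AS stage_count,
        count(eval(EventCode=2)) AS timestomps,
        count(eval(EventCode=13)) AS run_key_writes,
        values(Image) AS image, values(TargetFilename) AS files_touched,
        values(TargetObject) AS run_keys, values(Details) AS run_values
        BY Computer, ProcessGuid
| where run_key_writes>0 AND stage_count>=3
| eval dwell_seconds=last_seen-first_seen
| sort -stage_count, -timestomps
| table Computer, ProcessGuid, image, stages, files_touched, run_keys, run_values, timestomps, dwell_seconds
```

Run it over the same window as the initial execution search. A result carrying 1_exec, 2_file_create and 4_run_key for one ProcessGuid is the dropper pattern the procmon session showed; 3_timestomp only appears when your Sysmon configuration collects Event ID 2 for the user profile paths, which is why the threshold is three stages rather than four. To see what the dropper handed off to, search Event ID 1 for events whose ParentProcessGuid equals the flagged ProcessGuid. Per-user installers and updaters that live under AppData and register a Run key (OneDrive is the usual example) will match as well; they are best handled with the same lookup-based exclusions used for the persistence search rather than by loosening the correlation.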
Evaluating OriginalFileName mismatches does produce a decent number of false positives, but with a little time spent excluding the known ones via a lookup, you can surface the programs that should not be running in your environment. It can be somewhat noisy, but it also caught every sample I ran.\r\nsource=\"xmlwineventlog:microsoft-windows-sysmon/operational\" EventCode=1 process_path=\"C:\\\\Users\\\\*\"\r\n NOT (OriginalFileName=\"-\" OR OriginalFileName=\"?\" OR [| inputlookup renamed_tools.csv])\r\n| where lower(process_name)!=lower(OriginalFileName)\r\n| table OriginalFileName, process_name, process_path, CommandLine, Hashes, Computer, _time\r\nBoth sides of the comparison are lowercased because the OriginalFilename in a PE file’s version information often differs from the on-disk name only in case (Cmd.Exe versus cmd.exe, for example) and the where command compares strings case-sensitively; without the lower() calls, those harmless mismatches swamp the results. Tuning the renamed_tools.csv lookup is most easily done by running the search over a week of data, deduplicated by OriginalFileName and process_name, and adding every resulting pair to the lookup table. After that, take some time to go through the lookup and make sure every entry is expected and clean; if you are unsure about one, run its hash through an OSINT service to learn more about the process. Finally, remove every column from the lookup except the fields you intend to exclude by: each column left in the lookup becomes another ANDed term in the exclusion the subsearch generates, so extra columns make the exclusion too specific to ever match.\r\nDetecting Persistence\r\nOnly 3 of the 7 samples I tested managed to establish persistence on my lab machine, and each one did so by the same method. They added a registry Run key, MITRE ATT&CK technique T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), which causes the executable to run when the user logs on to the machine. This detection is similar to the initial execution detection, in that it looks for processes that originate from the Users folder and modify Registry Run keys. 
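The lookup-tuning steps above for renamed_tools.csv, and the ones described for registry_run.csv in the next section, can be made repeatable with a pair of baseline searches that write the exclusion lookups directly. These two searches (run each one separately) are an added example for this article, not part of the original post. They assume the same Sysmon sourcetype and field names as the post’s own searches and that the user running them may write lookups with outputlookup in the current app; the seven-day window, the lowercasing, and the choice to wildcard SIDs and profile directories are my own, and the second rex pattern uses Splunk’s convention of four backslashes in a regular expression to match one literal backslash.

```spl
source=\"xmlwineventlog:microsoft-windows-sysmon/operational\" EventCode=1 process_path=\"C:\\\\Users\\\\*\"
    earliest=-7d NOT (OriginalFileName=\"-\" OR OriginalFileName=\"?\")
| eval process_name=lower(process_name), OriginalFileName=lower(OriginalFileName)
| where process_name!=OriginalFileName
| stats count AS executions, dc(Computer) AS hosts, min(_time) AS first_seen,
        values(Hashes) AS Hashes, values(process_path) AS paths
        BY OriginalFileName, process_name
| eval first_seen=strftime(first_seen, \"%Y-%m-%d %H:%M:%S\")
| sort -executions
| fields OriginalFileName, process_name
| outputlookup append=true renamed_tools.csv

source=\"xmlwineventlog:microsoft-windows-sysmon/operational\" EventCode=13 earliest=-7d
    TargetObject=\"*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\"
| rex field=TargetObject mode=sed \"s/S-1-5-21-[0-9-]+/*/\"
| rex field=Image mode=sed \"s/(?i)^(c:\\\\\\\\users\\\\\\\\)[^\\\\\\\\]+/\\1*/\"
| stats count AS writes, dc(Computer) AS hosts, values(Details) AS run_values BY Image, TargetObject
| sort -hosts
| fields Image, TargetObject
| outputlookup append=true registry_run.csv
```

Run each search once without its last two lines and review the counts, hashes, paths and Run values it returns; remove anything you cannot explain, then run it again with the fields and outputlookup lines so that only the key columns are written and the exclusion generated by the inputlookup subsearch stays exact. Lowercasing both sides of the name comparison matters because the where command is case-sensitive while the OriginalFilename in a PE file’s version information often differs from the on-disk name only in case. The SID replacement turns HKU\\S-1-5-21-...\\SOFTWARE\\... into HKU\\*\\SOFTWARE\\..., and the profile-directory replacement turns C:\\Users\\alice\\AppData\\... into C:\\Users\\*\\AppData\\..., so one row excludes that program for every user; the wildcards are honoured when the subsearch expands the lookup into search terms. Because outputlookup append=true does not deduplicate, finish with an inputlookup, dedup and outputlookup pass over each file, and keep the review step as the gate: prevalence across hosts is evidence that an entry is normal, not proof, since a widely deployed malicious Run key would be prevalent too.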
The Run-key search below also needs a little tuning to reduce the number of false positives, but not as much as the one above.\r\nsource=\"xmlwineventlog:microsoft-windows-sysmon/operational\" EventCode=13\r\nTargetObject=\"*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\"\r\nNOT ([| inputlookup registry_run.csv])\r\n| table RuleName, Image, TargetObject, Details, Computer, _time\r\nSysmon Event ID 13 is the registry value-set event, so Details holds the value that was written, which for a Run key is the command line that will execute at logon. The leading wildcard in TargetObject matches both HKLM and the per-user hives under HKU, and because the pattern ends in Run\\\\* (a trailing backslash followed by the wildcard) it deliberately does not match RunOnce; add a second TargetObject term if you want to cover that key as well.\r\nTuning the registry_run.csv lookup is similar to tuning the renamed_tools lookup. Deduping will not work as well, and you may need to add wildcards to the lookup table values, because TargetObject contains the user’s SID and Details and Image may contain the user name. You could also add the process_name field to the lookup and dedup on it, but that carries more risk with commonly named processes. Make sure to remove all columns except Image and TargetObject (and possibly Details, if you intend to exclude by it) from the lookup table when tuning is finished.\r\nConclusion\r\nIt was honestly a lot of fun, and interesting, to watch a variety of Trickbot samples execute and see how they initially run. While there is a little work needed to get the detections to an alertable state, it is well worth it if you can catch Trickbot, or other malicious processes, before they have a chance to cause more damage.\r\nAbout Hurricane Labs\r\nHurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. 
With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.\r\nFor more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.\r\nSource: https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/"
	],
	"report_names": [
		"splunking-with-sysmon-part-4-detecting-trickbot"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1da90f915fee960d95de660a78633933ae7c10e9.pdf",
		"text": "https://archive.orkl.eu/1da90f915fee960d95de660a78633933ae7c10e9.txt",
		"img": "https://archive.orkl.eu/1da90f915fee960d95de660a78633933ae7c10e9.jpg"
	}
}