title: Trickbot Malware Recon Activity
id: 410ad193-a728-4107-bc79-4419789fcbf8
status: experimental
description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detector attempts to identify that activity based on a command rarely observed in an enterprise network.
references:
    - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
date: 12/28/2019
tags:
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image:
            - '*\nltest.exe'
        CommandLine:
            - '/domain_trusts /all_trusts'
            - '/domain_trusts'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Rare System Admin Activity
level: critical
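An added example, not part of this rule or of the Sigma project: a small Python evaluator for the selection above, run over constructed process_creation events. It applies Sigma's matching semantics (a plain value matches the whole field, case-insensitively; `*` and `?` are wildcards), which is why a full command line such as `nltest /domain_trusts /all_trusts` only matches once the CommandLine values carry a `|contains` modifier; that modified selection is a constructed variant shown beside the rule's own values.

```python
"""Minimal evaluator for the Trickbot recon rule selection (added example)."""
import re

# Selection copied from the rule: fields are ANDed, list values are ORed.
RULE_SELECTION = {
    "Image": ["*\\nltest.exe"],
    "CommandLine": ["/domain_trusts /all_trusts", "/domain_trusts"],
}

# Constructed variant with a |contains modifier, the form that matches a real
# command line that also carries the executable name (not from the rule itself).
CONTAINS_SELECTION = {
    "Image": ["*\\nltest.exe"],
    "CommandLine|contains": ["/domain_trusts /all_trusts", "/domain_trusts"],
}


def sigma_pattern(value, modifier=None):
    """Compile one Sigma string value: whole-field, case-insensitive match,
    '*' -> any run, '?' -> any char; |contains wraps the value in wildcards."""
    if modifier == "contains":
        value = f"*{value}*"
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def selection_matches(event, selection):
    """True when every field in the selection has at least one matching value."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if not any(sigma_pattern(v, modifier or None).match(actual) for v in values):
            return False
    return True


def detect(events, selection=RULE_SELECTION):
    """Return indices of the events that trigger the selection."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "/domain_trusts /all_trusts"},
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))                      # [0]
    print(detect(SAMPLE_EVENTS, CONTAINS_SELECTION))  # [0, 1]
```

With the rule's values as published, only an event whose CommandLine is exactly one of the two strings fires; the second sample shows the gap a `|contains` modifier closes.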