Trickbot Svchost.exe Recon Commands
https://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html

Vitali and others have noted that Trickbot is running recon commands. I finally saw them in action and they happen to be children of svchost, so I did a quick sig and it looks pretty reliable and quiet. Nothing fancy, just looking for cmd.exe as a child of svchost.exe with common recon command lines.

    index=edr svchost.exe process_path=*\\cmd.exe parent_path=*\\svchost.exe (ipconfig OR "net view" OR "net config" OR nltest OR whoami OR hostname OR tasklist)
    | stats values(command_line) count by computer_name process_path

Using stats to group the command lines for visibility.

Previously I had done something more complex based on the JPCERT analysis to detect recon more generally.
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

@Cyb3rops did this in a very similar manner way before I did.
https://github.com/Neo23x0/sigma/blob/master/rules/windo...
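The same detection logic, written out in Python so it can be run against process-creation events outside Splunk. This is an added example, not code from the post; the field names (computer_name, process_path, parent_path, command_line) mirror the search above, the matching mirrors its parent/child and keyword conditions, and the sample events are constructed for illustration rather than real telemetry. The summary it produces is the equivalent of the post's stats: distinct command lines and an event count per host and process path.

```python
"""Added example: svchost.exe -> cmd.exe recon-command detection over EDR-style events.
Field names follow the Splunk search in the post; the events below are constructed."""
import ntpath
import re
from collections import defaultdict

# Recon terms from the search. Single words match as whole words; the two-word
# phrases ("net view", "net config") must appear as a phrase, as the quoted search terms do.
RECON_TERMS = ("ipconfig", "net view", "net config", "nltest", "whoami", "hostname", "tasklist")
_RECON_RE = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in RECON_TERMS) + r")\b", re.IGNORECASE)

# Constructed sample events (not real telemetry). Three true positives on WS01 and
# three events that should not match: wrong parent, wrong child, non-recon command line.
SAMPLE_EVENTS = [
    {"computer_name": "WS01", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_path": r"C:\Windows\System32\svchost.exe", "command_line": "cmd.exe /c ipconfig /all"},
    {"computer_name": "WS01", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_path": r"C:\Windows\System32\svchost.exe", "command_line": "cmd.exe /c net view"},
    {"computer_name": "WS01", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_path": r"C:\Windows\System32\svchost.exe", "command_line": "cmd.exe /c nltest /domain_trusts"},
    {"computer_name": "WS02", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_path": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c whoami"},
    {"computer_name": "WS02", "process_path": r"C:\Windows\System32\conhost.exe",
     "parent_path": r"C:\Windows\System32\svchost.exe", "command_line": "conhost.exe 0xffffffff"},
    {"computer_name": "WS03", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_path": r"C:\Windows\System32\svchost.exe", "command_line": "cmd.exe /c echo hello"},
]


def _basename(path):
    """Case-insensitive file name, matching the intent of the *\\cmd.exe wildcard."""
    return ntpath.basename(path).lower()


def is_recon_command(command_line):
    """True if the command line contains any of the recon keywords/phrases."""
    return _RECON_RE.search(command_line) is not None


def matches(event):
    """Parent is svchost.exe, child is cmd.exe, and the command line looks like recon."""
    return (_basename(event["process_path"]) == "cmd.exe"
            and _basename(event["parent_path"]) == "svchost.exe"
            and is_recon_command(event["command_line"]))


def summarize(events):
    """Equivalent of `stats values(command_line) count by computer_name process_path`.

    Returns {(computer_name, process_path): {"command_lines": [distinct...], "count": n}}.
    """
    groups = defaultdict(list)
    for event in events:
        if matches(event):
            groups[(event["computer_name"], event["process_path"])].append(event["command_line"])
    return {key: {"command_lines": sorted(set(cmds)), "count": len(cmds)}
            for key, cmds in groups.items()}


if __name__ == "__main__":
    for (host, path), summary in summarize(SAMPLE_EVENTS).items():
        print(host, path, summary["count"])
        for cmd in summary["command_lines"]:
            print("   ", cmd)
```

Matching on the file name rather than the full path keeps the check aligned with the search's `*\\cmd.exe` wildcard; on real data the parent attribution depends on the EDR sensor recording parent_path correctly, so it is worth checking a few hits by hand before trusting the count.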