During reconnaissance and target profiling, adversaries also use other PowerShell tools. More often than any other 'instrument', researchers found the use of 'letmein.ps1', a PowerShell stager for the open-source exploitation framework Metasploit. After successful profiling, adversaries delete the "unnecessary" tools and deliver the final payload.
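As an added example (not part of the original post or of SOC Prime's Threat Detection Marketplace content), the following Python snippet correlates constructed Sysmon-style events to flag the execute-then-clean-up pattern described above: PowerShell running a script named letmein.ps1, followed by deletion of that same script within a short window. Sysmon event IDs 1 (process create) and 23 (file delete) are real; the event dictionary shape, the host names and the file paths are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Script names the text calls out as stagers; extend with your own intel.
STAGER_NAMES = {"letmein.ps1"}
# How soon after execution a deletion is treated as tooling clean-up (assumed).
CLEANUP_WINDOW = timedelta(minutes=30)

# Constructed sample events (not real telemetry), loosely shaped like Sysmon:
# id 1 = process create, id 23 = file delete.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:00", "id": 1, "host": "ws01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -File C:\\Users\\Public\\letmein.ps1"},
    {"ts": "2021-03-01T10:02:00", "id": 1, "host": "ws01",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2021-03-01T10:15:00", "id": 23, "host": "ws01",
     "target": "C:\\Users\\Public\\letmein.ps1"},
    {"ts": "2021-03-01T11:00:00", "id": 1, "host": "ws02",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def stager_script_path(event):
    """Return the script path when a process-create event runs a known stager name."""
    if event.get("id") != 1 or not event["image"].lower().endswith("powershell.exe"):
        return None
    for token in event["cmdline"].split():
        candidate = token.strip('"')
        if candidate.lower().rsplit("\\", 1)[-1] in STAGER_NAMES:
            return candidate
    return None


def correlate(events):
    """Return alerts as (host, script_path, stage); stage is 'executed' or
    'executed+deleted' when the same script is removed within CLEANUP_WINDOW."""
    pending = {}  # (host, lowercased path) -> execution time
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = stager_script_path(ev)
        if path:
            pending[(ev["host"], path.lower())] = datetime.fromisoformat(ev["ts"])
            alerts.append((ev["host"], path, "executed"))
        elif ev.get("id") == 23:
            started = pending.get((ev["host"], ev["target"].lower()))
            if started and datetime.fromisoformat(ev["ts"]) - started <= CLEANUP_WINDOW:
                alerts.append((ev["host"], ev["target"], "executed+deleted"))
    return alerts
```

The benign backup.ps1 run on ws02 produces no alert, while the ws01 sequence yields both an execution alert and the higher-confidence clean-up alert.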
Content to detect TrickBot malware is available on Threat Detection Marketplace:
TrickBot behaviour (Privilege escalation attack) – https://tdm.socprime.com/tdm/info/hnFSkaXV5vHs/
Trickbot Malware (YARA Rules) – https://tdm.socprime.com/tdm/info/QNIEMQiE0ZwF/
TrickBot Malware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/s06qUuUPHuOY/