Drop IcedID License dat
Description
This search is to detect dropping a suspicious file named as “license.dat” in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-07-30
- Author: Teoderick Contreras, Splunk
- ID: b7a045fc-f14a-11eb-8e79-acde48001122
Annotations
Kill Chain Phase
- Exploitation
NIST
CIS20
CVE
Search
1
2
3
4
5
`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*")
|stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_icedid_license_dat_filter`
Macros
The SPL above uses the following Macros:
Note that drop_icedid_license_dat_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
unknown
Associated Analytic story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 63.0 | 70 | 90 | process $SourceImage$ create a file $TargetImage$ in host $Computer$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1