Drop IcedID License dat
Description
This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-07-30
- Author: Teoderick Contreras, Splunk
- ID: b7a045fc-f14a-11eb-8e79-acde48001122
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1204 | User Execution | Execution |
| T1204.002 | Malicious File | Execution |
Search
`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*")
|stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_icedid_license_dat_filter`
Associated Analytic Story
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Required field
- _time
Kill Chain Phase
- Exploitation
Known False Positives
unknown
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 63.0 | 70 | 90 | process $SourceImage$ create a file $TargetImage$ in host $Computer$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1