Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-07-29
- Author: Teoderick Contreras, Splunk
- ID: 1d2cc747-63d7-49a9-abb8-93aa36305603
Narrative
IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains “license.dat” which is the actual core icedid bot.
Detections
| Name |
Technique |
Type |
| Account Discovery With Net App |
Domain Account, Account Discovery |
TTP |
| Any Powershell DownloadString |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| CHCP Command Execution |
Command and Scripting Interpreter |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Create Remote Thread In Shell Application |
Process Injection |
TTP |
| Detect PsExec With accepteula Flag |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Disable Defender AntiVirus Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Defender BlockAtFirstSeen Feature |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Defender Enhanced Notification |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Defender MpEngine Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Defender Spynet Reporting |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Defender Submit Samples Consent Feature |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Schedule Task |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling Defender Services |
Disable or Modify Tools, Impair Defenses |
TTP |
| Drop IcedID License dat |
User Execution, Malicious File |
Hunting |
| Eventvwr UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| FodHelper UAC Bypass |
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| IcedID Exfiltrated Archived File Creation |
Archive via Utility, Archive Collected Data |
Hunting |
| Mshta spawning Rundll32 OR Regsvr32 Process |
System Binary Proxy Execution, Mshta |
TTP |
| NLTest Domain Trust Discovery |
Domain Trust Discovery |
TTP |
| Net Localgroup Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
| Network Connection Discovery With Arp |
System Network Connections Discovery |
Hunting |
| Network Share Discovery Via Dir Command |
Network Share Discovery |
Hunting |
| Office Application Spawn Regsvr32 process |
Phishing, Spearphishing Attachment |
TTP |
| Office Application Spawn rundll32 process |
Phishing, Spearphishing Attachment |
TTP |
| Office Document Executing Macro Code |
Phishing, Spearphishing Attachment |
TTP |
| Office Product Spawning MSHTA |
Phishing, Spearphishing Attachment |
TTP |
| Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
TTP |
| Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Using memory As Backing Store |
PowerShell, Command and Scripting Interpreter |
TTP |
| Process Creating LNK file in Suspicious Location |
Phishing, Spearphishing Link |
TTP |
| Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
| Regsvr32 with Known Silent Switch Cmdline |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
| Remote System Discovery with Net |
Remote System Discovery |
Hunting |
| Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
| RunDLL Loading DLL By Ordinal |
System Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Create Remote Thread To A Process |
Process Injection |
TTP |
| Rundll32 CreateRemoteThread In Browser |
Process Injection |
TTP |
| Rundll32 DNSQuery |
System Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Process Creating Exe Dll Files |
System Binary Proxy Execution, Rundll32 |
TTP |
| Schedule Task with Rundll32 Command Trigger |
Scheduled Task/Job |
TTP |
| Sqlite Module In Temp Folder |
Data from Local System |
TTP |
| Suspicious Copy on System32 |
Rename System Utilities, Masquerading |
TTP |
| Suspicious IcedID Rundll32 Cmdline |
System Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Rundll32 PluginInit |
System Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious Rundll32 dllregisterserver |
System Binary Proxy Execution, Rundll32 |
TTP |
| WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
| Windows AdFind Exe |
Remote System Discovery |
TTP |
| Windows Curl Download to Suspicious Path |
Ingress Tool Transfer |
TTP |
| Windows ISO LNK File Creation |
Spearphishing Attachment, Phishing, Malicious Link, User Execution |
Hunting |
| Windows Phishing Recent ISO Exec Registry |
Spearphishing Attachment, Phishing |
Hunting |
| Windows WMI Process Call Create |
Windows Management Instrumentation |
Hunting |
| Wmic NonInteractive App Uninstallation |
Disable or Modify Tools, Impair Defenses |
Hunting |
Reference
source | version: 1