Detecting IcedID attacks
IcedID is a banking trojan. It is seen in Windows environments, where it uses weaponized MS Office documents as its initial attack vector to infect machines, then targets browsers such as Firefox and Chrome to steal online banking information. It is known for its unusual payload, downloaded from its C2 server: either a .png file that hides the core shellcode bot using steganography, or a gzip-compressed .dat file that contains "license.dat", the actual core IcedID bot.
Required data
How to use Splunk software for this use case
- Account discovery with Net App
- Any Powershell DownloadString
- CHCP command execution
- CMD carry out string command parameter
- Create remote thread in shell application
- Detect PsExec with accepteula flag
- Disable Defender AntiVirus registry
- Disable Defender BlockAtFirstSeen feature
- Disable Defender enhanced notification
- Disable Defender MpEngine registry
- Disable Defender Spynet reporting
- Disable Defender submit samples consent feature
- Disable schedule task
- Disabling Defender services
- Drop IcedID license dat
- Eventvwr UAC bypass
- Executable file written in administrative SMB share
- Executables or script creation in suspicious path
- FodHelper UAC bypass
- IcedID exfiltrated archived file creation
- Mshta spawning Rundll32 or Regsvr32 process
- NLTest Domain Trust discovery
- Net Localgroup discovery
- Network connection discovery with Arp
- Network share discovery via Dir command
- Office application spawn regsvr32 process
- Office application spawn rundll32 process
- Office document executing macro code
- Office product spawning MSHTA
- Powershell fileless script contains Base64 encoded content
- Powershell processing stream of data
- Powershell using memory as backing store
- Process creating LNK file in suspicious location
- Registry keys used for persistence
- Regsvr32 with known silent switch Cmdline
- Remote system discovery with Net
- Remote WMI command attempt
- RunDLL loading DLL by ordinal
- Rundll32 create remote thread to a process
- Rundll32 create remote thread in browser
- Rundll32 DNSQuery
- Rundll32 process creating exe Dll files
- Schedule task with Rundll32 command trigger
- Sqlite module in temp folder
- Suspicious copy on System32
- Suspicious IcedID Rundll32 Cmdline
- Suspicious process file path
- Suspicious Rundll32 PluginInit
- Suspicious Rundll32 dllregisterserver
- WinEvent scheduled task created within public path
- WinEvent Windows Task Scheduler event action started
- Windows AdFind exe
- Windows Curl download to suspicious path
- Windows ISO LNK file creation
- Windows phishing recent ISO exec registry
- Windows WMI process call create
- Wmic NonInteractive app uninstallation
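A minimal local version of four of the detections listed above (Office application spawning rundll32/regsvr32/mshta, Suspicious Rundll32 PluginInit/dllregisterserver, Regsvr32 with known silent switch, Drop IcedID license dat), written in Python over Sysmon-style events. This is an added example, not Splunk's own search logic; the event layout, file paths and rule names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Parent/child pairs and command-line markers drawn from the detection names above.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
RUNDLL32_EXPORTS = re.compile(r"\b(?:PluginInit|DllRegisterServer)\b", re.I)
REGSVR32_SILENT = re.compile(r"(?:^|\s)[/-]s(?:\s|$)", re.I)

def _base(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the rule names an event matches; an empty list means no match."""
    hits = []
    if event["type"] == "process_create":
        parent, image = _base(event["parent_image"]), _base(event["image"])
        cmd = event["cmdline"]
        if parent in OFFICE_APPS and image in LOLBINS:              # Office spawns rundll32/regsvr32/mshta
            hits.append("office_spawn_" + image[:-4])
        if image == "rundll32.exe" and RUNDLL32_EXPORTS.search(cmd):  # PluginInit / DllRegisterServer export
            hits.append("rundll32_suspicious_export")
        if image == "regsvr32.exe" and REGSVR32_SILENT.search(cmd):   # known silent switch on the cmdline
            hits.append("regsvr32_silent_switch")
    elif event["type"] == "file_create":
        if _base(event["target"]) == "license.dat":                  # IcedID core bot dropped to disk
            hits.append("license_dat_drop")
    return hits

def scan(events):
    """Run every rule over a batch of events and return (event id, rule) pairs."""
    return [(e["id"], rule) for e in events for rule in classify(e)]

# Constructed Sysmon-style sample events (process create and file create); not real telemetry.
EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,PluginInit"},
    {"id": 2, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\setup.dll"},
    {"id": 3, "type": "file_create", "target": r"C:\ProgramData\Example\license.dat"},
    {"id": 4, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"id": 5, "type": "file_create", "target": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for event_id, rule in scan(EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 4 and 5 are benign controls and produce no hits; the Splunk searches add data-model normalization and allow-listing on top of this matching.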
Next steps
These Splunk resources might also help you understand and implement this use case:
- Blog: Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
- If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.