Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
IcedID can query LDAP to identify additional users on the network to infect.[1] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
IcedID has established persistence by creating a Registry run key.[1] |
Enterprise | T1185 | Browser Session Hijacking |
IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[1][2] |
|
Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic | |
Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
IcedID has used SSL and TLS in communications with C2.[1][2] |
Enterprise | T1105 | Ingress Tool Transfer |
IcedID has the ability to download additional modules and a configuration file from C2.[1][2] |
|
Enterprise | T1106 | Native API |
IcedID has called |
|
Enterprise | T1027 | Obfuscated Files or Information |
IcedID has utilzed encrypted binaries and base64 encoded strings.[2] |
|
.002 | Software Packing | |||
.003 | Steganography |
IcedID has embedded binaries within RC4 encrypted .png files.[2] |
||
Enterprise | T1069 | Permission Groups Discovery | ||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
IcedID has been delivered via phishing e-mails with malicious attachments.[2] |
Enterprise | T1055 | .004 | Process Injection: Asynchronous Procedure Call |
IcedID has used |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
IcedID has created a scheduled task that executes every hour to establish persistence.[2] |
Enterprise | T1218 | .007 | Signed Binary Proxy Execution: Msiexec |
IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. [2] |
Enterprise | T1082 | System Information Discovery |
IcedID has the ability to identify the computer name and OS version on a compromised host.[1] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
IcedID has been executed through Word documents with malicious embedded macros.[2] |
Enterprise | T1047 | Windows Management Instrumentation |
ID | Name | References |
---|---|---|
G0127 | TA551 |