THREAT ANALYSIS: From IcedID to Domain Compromise

MITRE Techniques

• [T1204] User Execution – The victim opens an archive and clicks an ISO file, which leads to an LNK file. ‘Victim opens an archive.’
• [T1059.003] Command and Scripting Interpreter: Batch – The batch file drops a DLL and uses rundll32.exe for execution. ‘The batch file calls xcopy.exe to copy and drop the DLL into the %TEMP% directory where it gets executed with rundll32.exe and a command line argument “#1”…’
• [T1218.011] Signed Binary Proxy Execution: Rundll32 – DLL loaded by Rundll32 to execute IcedID components. ‘Rundll32.exe loads the DLL, which creates network connections to IcedID-related domains, downloading the IcedID payload.’
• [T1047] Windows Management Instrumentation – Lateral movement via WMI with ‘process call create’ to run db.dll on remote hosts. ‘Wmic.exe with the “process call create” arguments to execute a remote file “db.dll” on the remote workstation.’
• [T1059.001] PowerShell – Use of a Base64 encoded PowerShell to download additional files. ‘PowerDEF.bat executes a Base64 encoded powershell that downloads additional files.’
• [T1082] System Information Discovery – OS/AD discovery commands, e.g., ‘systeminfo’ and net.exe usage to gather system data.
• [T1069.002] Domain Groups Discovery – Discovery of Domain Admins via ‘net group “Domain Admins” /domain’.
• [T1046] Network Service Scanning – Network discovery with Netscan.exe to locate hosts. ‘Netscan.exe used to locate additional hosts for lateral movement.’
• [T1558.003] Kerberoasting – Kerberoasting to pull service account hashes using Rubeus. ‘Kerberoasting (MITRE ATT&CK ID: T1558.003) to pull the hashes of service accounts on the domain.’
• [T1003.006] DCSync – Domain Controller Secrets via DCSync to obtain password hashes. ‘DCSync attacks (MITRE ATT&CK ID: T1003.006) allow an attacker to impersonate a domain controller and request password hashes.’
• [T1555.003] Credentials in Web Browsers – Browser hooking to steal credentials/cookies. ‘IcedID is known to attempt to hook into browsers such as Firefox or Chrome to attempt to steal credentials, cookies, and saved information.’
• [T1567.002] Exfiltration to Cloud Storage – Exfiltration via rclone to Mega. ‘renamed copies of the popular rclone file syncing software to encrypt and sync several directories to the Mega file sharing service.’
• [T1053.005] Scheduled Task – Persistence via scheduled tasks created by MSRPC to run xaeywn1.dll. ‘MSRPC call indicating the creation of a scheduled task … to execute xaeywn1.dll every hour and at each logon.’