name: IcedID Exfiltrated Archived File Creation
id: 0db4da70-f14b-11eb-8043-acde48001122
version: 3
date: 2024-10-17
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: The following analytic detects the creation of files named passff.tar and cookie.tar, which are indicative of archived stolen browser information (such as history and cookies) on a machine compromised with IcedID. It leverages Sysmon EventCode 11 (FileCreate) to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: `sysmon` EventCode=11 (TargetFilename="*\\passff.tar" OR TargetFilename="*\\cookie.tar") | stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: unknown
references:
- https://www.cisecurity.org/insights/white-papers/security-primer-icedid
drilldown_searches:
tags:
  analytic_story:
  - IcedID
  asset_type: Endpoint
  confidence: 90
  impact: 80
  message: Process $process_name$ creates a file $TargetFilename$ on host $dest$
  mitre_attack_id:
  - T1560.001
  - T1560
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: process_name
    type: Process
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - TargetFilename
  - EventCode
  - process_id
  - process_name
  - dest
  risk_score: 72
  security_domain: endpoint
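As an added illustration (not part of the Splunk content or of this detection), the following Python reproduces the search's matching and stats logic over constructed Sysmon EventCode 11 records, including the cases the `*\\passff.tar` / `*\\cookie.tar` wildcards must not match (a different basename, a non-FileCreate event). All event values and hostnames are made up.

```python
from datetime import datetime

# Basenames the analytic hunts for. The SPL patterns "*\\passff.tar" and
# "*\\cookie.tar" anchor on the path separator, so the basename must be exact.
TARGET_NAMES = ("passff.tar", "cookie.tar")

# Constructed sample of Sysmon EventCode 11 (FileCreate) records carrying the
# fields the search aggregates on; these are not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-10-17T10:01:05Z", "EventCode": 11, "process_id": 4120,
     "process_name": "rundll32.exe", "dest": "WS01",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\passff.tar"},
    {"_time": "2024-10-17T10:01:09Z", "EventCode": 11, "process_id": 4120,
     "process_name": "rundll32.exe", "dest": "WS01",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\cookie.tar"},
    {"_time": "2024-10-17T10:03:40Z", "EventCode": 11, "process_id": 4120,
     "process_name": "rundll32.exe", "dest": "WS01",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\passff.tar"},
    # Benign: basename differs, so the wildcard pattern would not match it.
    {"_time": "2024-10-17T10:05:00Z", "EventCode": 11, "process_id": 812,
     "process_name": "7z.exe", "dest": "WS02",
     "TargetFilename": r"C:\Backups\notcookie.tar"},
    # Wrong event type (FileDelete): the search only looks at EventCode 11.
    {"_time": "2024-10-17T10:06:00Z", "EventCode": 23, "process_id": 990,
     "process_name": "cmd.exe", "dest": "WS03",
     "TargetFilename": r"C:\Users\bob\cookie.tar"},
]


def is_suspicious_archive(event):
    """True for a Sysmon FileCreate whose basename is passff.tar or cookie.tar."""
    if event.get("EventCode") != 11:
        return False
    path = event.get("TargetFilename", "").replace("/", "\\")
    return path.rsplit("\\", 1)[-1].lower() in TARGET_NAMES


def summarize(events):
    """Mirror the SPL stats clause (count/firstTime/lastTime by the by-fields)."""
    groups = {}
    for ev in events:
        if not is_suspicious_archive(ev):
            continue
        t = datetime.fromisoformat(ev["_time"].replace("Z", "+00:00"))
        key = (ev["TargetFilename"], ev["EventCode"], ev["process_id"],
               ev["process_name"], ev["dest"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups
```

Each key of the returned dict corresponds to one row of the Splunk stats output, which is what the `$process_name$` / `$TargetFilename$` / `$dest$` tokens in the notable message are filled from.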