{"description": "Enterprise techniques used by IcedID, ATT&CK software S0483 (v1.2)", "name": "IcedID (S0483)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[IcedID](https://attack.mitre.org/software/S0483) can query LDAP and can use built-in `net` commands to identify additional users on the network to infect.(Citation: IBM IcedID November 2017)(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used HTTPS in communications with C2.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has established persistence by creating a Registry run key.(Citation: IBM IcedID November 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials.  \n[IcedID](https://attack.mitre.org/software/S0483) can use a self-signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used obfuscated VBA string expressions.(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1482", "comment": "[IcedID](https://attack.mitre.org/software/S0483) used [Nltest](https://attack.mitre.org/software/S0359) during initial discovery.(Citation: DFIR_Sodinokibi_Ransomware)(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1189", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has cloned legitimate websites/applications to distribute the malware.(Citation: Trendmicro_IcedID)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used SSL and TLS in communications with C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.002", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has exfiltrated collected data via HTTPS.(Citation: DFIR_Sodinokibi_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has the ability to download additional modules and a configuration file from C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: Latrodectus APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has modified legitimate .dll files to include malicious code.(Citation: Trendmicro_IcedID)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used the `net view /all` command to show available shares.(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has packed and encrypted its loader module.(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has embedded binaries within RC4 encrypted .png files.(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has embedded malicious functionality in a legitimate DLL file.(Citation: Trendmicro_IcedID)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has utilized encrypted binaries and base64-encoded strings.(Citation: Juniper IcedID June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has the ability to identify Workgroup membership.(Citation: IBM IcedID November 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has been delivered via phishing e-mails with malicious attachments.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Sodinokibi_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.004", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used ZwQueueApcThread to inject itself into remote processes.(Citation: IBM IcedID November 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[IcedID](https://attack.mitre.org/software/S0483) can inject a [Cobalt Strike](https://attack.mitre.org/software/S0154) beacon into cmd.exe via process hollowing.(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has created a scheduled task to establish persistence.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[IcedID](https://attack.mitre.org/software/S0483) can identify AV products on an infected host using the following command:\n` WMIC.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List`.(Citation: DFIR_Sodinokibi_Ransomware)(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[IcedID](https://attack.mitre.org/software/S0483) can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal MSI application.(Citation: Juniper IcedID June 2020) [IcedID](https://attack.mitre.org/software/S0483) has also used msiexec.exe to deploy the [IcedID](https://attack.mitre.org/software/S0483) loader.(Citation: Trendmicro_IcedID)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used rundll32.exe to execute the [IcedID](https://attack.mitre.org/software/S0483) loader.(Citation: Trendmicro_IcedID)(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has the ability to identify the computer name and OS version on a compromised host.(Citation: IBM IcedID November 2017)(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[IcedID](https://attack.mitre.org/software/S0483) used the following command to check the country/language of the active console:\n` cmd.exe /c chcp >&2`.(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[IcedID](https://attack.mitre.org/software/S0483) used the `ipconfig /all` command and a batch script to gather network information.(Citation: DFIR_Quantum_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic.(Citation: Trendmicro_IcedID)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[IcedID](https://attack.mitre.org/software/S0483) has used WMI to execute binaries.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Sodinokibi_Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by IcedID", "color": "#66b1ff"}]}