{
  "description": "Enterprise techniques used by IceApple, ATT&CK software S1022 (v1.1)",
  "name": "IceApple (S1022)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "The [IceApple](https://attack.mitre.org/software/S1022) Active Directory Querier module can perform authenticated requests against an Active Directory server.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can use HTTP GET to request and pull information from C2.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can encrypt and compress files using Gzip prior to exfiltration.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can collect files, passwords, and other data from a compromised host.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can use a Base64-encoded AES key to decrypt tasking.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "The [IceApple](https://attack.mitre.org/software/S1022) Result Retriever module can AES encrypt C2 responses.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[IceApple](https://attack.mitre.org/software/S1022)'s Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "The [IceApple](https://attack.mitre.org/software/S1022) Directory Lister module can list information about files and directories including creation time, last write time, name, and size.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can delete files and directories from targeted systems.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.003", "comment": "The [IceApple](https://attack.mitre.org/software/S1022) OWA credential logger can monitor for OWA authentication requests and log the credentials.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[IceApple](https://attack.mitre.org/software/S1022) .NET assemblies have used `App_Web_` in their file names to appear legitimate.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can use Base64 and \"junk\" JavaScript code to obfuscate information.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.002", "comment": "[IceApple](https://attack.mitre.org/software/S1022)'s Credential Dumper module can dump encrypted password hashes from SAM registry keys, including `HKLM\\SAM\\SAM\\Domains\\Account\\F` and `HKLM\\SAM\\SAM\\Domains\\Account\\Users\\*\\V`.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.004", "comment": "[IceApple](https://attack.mitre.org/software/S1022)'s Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\\SECURITY\\Policy\\PolEKList\\default`, `HKLM\\SECURITY\\Policy\\Secrets\\*\\CurrVal`, and `HKLM\\SECURITY\\Policy\\Secrets\\*\\OldVal`.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1620", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.004", "comment": "[IceApple](https://attack.mitre.org/software/S1022) is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "The [IceApple](https://attack.mitre.org/software/S1022) Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "The [IceApple](https://attack.mitre.org/software/S1022) [ifconfig](https://attack.mitre.org/software/S0101) module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.002", "comment": "[IceApple](https://attack.mitre.org/software/S1022) can harvest credentials from local and remote host registries.(Citation: CrowdStrike IceApple May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by IceApple", "color": "#66b1ff"}]
}