{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/icedid/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["IcedID"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","windows-defender"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers, including the operators behind IcedID campaigns, weaken Windows Defender to evade detection. One observed change sets the \u003ccode\u003eMpEnablePus\u003c/code\u003e value under the Windows Defender \u003ccode\u003eMpEngine\u003c/code\u003e policy key to \u003ccode\u003e0x00000000\u003c/code\u003e. This value controls Defender\u0026rsquo;s potentially unwanted application (PUA) protection (\u003ccode\u003e0\u003c/code\u003e off, \u003ccode\u003e1\u003c/code\u003e block, \u003ccode\u003e2\u003c/code\u003e audit), so writing \u003ccode\u003e0\u003c/code\u003e switches that layer off rather than the whole engine; in practice it appears alongside other Defender tampering and gives the attacker\u0026rsquo;s tooling more room to run. Keys under \u003ccode\u003eHKLM\\Software\\Policies\u003c/code\u003e are normally written only by Group Policy processing, so a write to this value from an interactive or user-launched process such as \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell is a strong indicator of tampering rather than administration. 
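\u003c/p\u003e\n\u003cp\u003eThe following Python is an added example, not code from this brief or from the Sigma rule it names. It runs the detection described above over a handful of constructed Sysmon Event ID 13 records: the registry path is normalized (Sysmon logs \u003ccode\u003eHKLM\\...\u003c/code\u003e, while the Security log names the hive \u003ccode\u003e\\REGISTRY\\MACHINE\\...\u003c/code\u003e), the \u003ccode\u003eDWORD (0x00000000)\u003c/code\u003e rendering Sysmon uses in the \u003ccode\u003eDetails\u003c/code\u003e field is decoded, and only a value of \u003ccode\u003e0\u003c/code\u003e is reported. Host names, accounts and the events themselves are made up for the example.\u003c/p\u003e

```python
# Added example (not from the brief): flag Sysmon Event ID 13 writes that set
# MpEnablePus to 0. The events below are constructed for the example.
from typing import Dict, List

BACKSLASH = chr(92)  # registry paths are logged with backslashes

# Value named in the brief; 0 turns off Defender PUA protection (1 block, 2 audit).
WATCHED_VALUE = 'hklm/software/policies/microsoft/windows defender/mpengine/mpenablepus'


def winpath(path):
    # Sample paths are written with '/' for readability and converted to the
    # backslash form that Sysmon and the Security log actually emit.
    return path.replace('/', BACKSLASH)


def normalize_key(target):
    # Lower-case, forward-slash form; the Security log names the hive
    # REGISTRY/MACHINE where Sysmon writes HKLM.
    key = target.replace(BACKSLASH, '/').lower().lstrip('/')
    if key.startswith('registry/machine/'):
        key = 'hklm/' + key[len('registry/machine/'):]
    return key


def parse_dword(details):
    # Sysmon renders DWORD values as 'DWORD (0x00000000)'; strings and binary
    # blobs come back as None so they never compare equal to 0.
    text = details.strip()
    if not (text.startswith('DWORD (0x') and text.endswith(')')):
        return None
    try:
        return int(text[len('DWORD ('):-1], 16)
    except ValueError:
        return None


def detect_pua_disabled(events):
    # One finding per event that writes 0 to the watched value; the writing
    # process and account are what an analyst needs first, so they are kept.
    findings = []
    for ev in events:
        if ev.get('EventID') != '13':
            continue
        if normalize_key(ev.get('TargetObject', '')) != WATCHED_VALUE:
            continue
        if parse_dword(ev.get('Details', '')) != 0:
            continue
        findings.append({'host': ev.get('Computer', ''), 'user': ev.get('User', ''),
                         'image': ev.get('Image', ''), 'pid': ev.get('ProcessId', '')})
    return findings


POLICY_KEY = 'HKLM/SOFTWARE/Policies/Microsoft/Windows Defender/MpEngine/'

# Constructed events (hypothetical hosts and accounts).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # reg.exe from an operator shell turns PUA protection off: finding.
    {'EventID': '13', 'Computer': 'WS-FIN-07.corp.example', 'User': winpath('CORP/j.doe'),
     'ProcessId': '4120', 'Image': winpath('C:/Windows/System32/reg.exe'),
     'TargetObject': winpath(POLICY_KEY + 'MpEnablePus'), 'Details': 'DWORD (0x00000000)'},
    # Group Policy refresh sets block mode (1): not a finding.
    {'EventID': '13', 'Computer': 'WS-FIN-07.corp.example', 'User': winpath('NT AUTHORITY/SYSTEM'),
     'ProcessId': '1208', 'Image': winpath('C:/Windows/System32/svchost.exe'),
     'TargetObject': winpath(POLICY_KEY + 'MpEnablePus'), 'Details': 'DWORD (0x00000001)'},
    # Sibling value under the same key: not the watched value.
    {'EventID': '13', 'Computer': 'WS-FIN-07.corp.example', 'User': winpath('NT AUTHORITY/SYSTEM'),
     'ProcessId': '1208', 'Image': winpath('C:/Windows/System32/svchost.exe'),
     'TargetObject': winpath(POLICY_KEY + 'MpCloudBlockLevel'), 'Details': 'DWORD (0x00000002)'},
    # Same write with the hive in REGISTRY/MACHINE form, as some collectors
    # render it: still a finding.
    {'EventID': '13', 'Computer': 'SRV-FILE-02.corp.example', 'User': winpath('CORP/svc-backup'),
     'ProcessId': '9912', 'Image': winpath('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'),
     'TargetObject': winpath('/REGISTRY/MACHINE/SOFTWARE/Policies/Microsoft/Windows Defender/MpEngine/MpEnablePus'),
     'Details': 'DWORD (0x00000000)'},
    # Process creation, not a registry event: ignored.
    {'EventID': '1', 'Computer': 'WS-FIN-07.corp.example', 'User': winpath('CORP/j.doe'),
     'ProcessId': '4120', 'Image': winpath('C:/Windows/System32/reg.exe'),
     'CommandLine': 'reg.exe query HKLM'},
]

if __name__ == '__main__':
    for finding in detect_pua_disabled(SAMPLE_EVENTS):
        print(finding)
```

\u003cp\u003eRun it directly to print the two findings. Matching on the \u003ccode\u003eDetails\u003c/code\u003e value as well as the path matters: a rule that keys on the path alone also fires on the Group Policy refresh that sets the value back to \u003ccode\u003e1\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e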
The DFIR Report has documented this change in an IcedID intrusion that ended in XingLocker ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified method; in the documented case an IcedID infection delivered by email provided the foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrative privileges on the compromised system, which writing to the policy key requires.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the registry value \u003ccode\u003eMpEnablePus\u003c/code\u003e to \u003ccode\u003e0x00000000\u003c/code\u003e under \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDefender\u0026rsquo;s PUA protection is now off, weakening the endpoint\u0026rsquo;s defenses against the attacker\u0026rsquo;s tooling.\u003c/li\u003e\n\u003cli\u003eFollow-on payloads run with reduced interference from Defender.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence (for example, scheduled tasks or registry run keys).\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify valuable data and systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems, potentially deploying ransomware such as XingLocker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWeakening Windows Defender gives malware more room to execute and spread, with data breach, financial loss and reputational damage as the usual consequences. In the documented IcedID case the intrusion progressed to XingLocker ransomware deployment, which shows how far a weakened endpoint defense can be exploited. 
Weakened endpoint protection lengthens attacker dwell time and raises the likelihood of successful lateral movement and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMake sure your Sysmon configuration includes a \u003ccode\u003eRegistryEvent\u003c/code\u003e rule (Event ID 13, value set) that covers the Windows Defender policy keys; most Sysmon configurations log registry writes only for explicitly included paths. Without Sysmon, the Security log can record the same write as Event ID 4657, but only if object-access auditing is enabled and the key carries an audit SACL.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Defender MpEngine Disabled via Registry Modification\u0026rdquo; to identify suspicious registry changes related to Windows Defender, and match on the \u003ccode\u003eDetails\u003c/code\u003e field as well as the path so that policy refreshes writing \u003ccode\u003e1\u003c/code\u003e or \u003ccode\u003e2\u003c/code\u003e do not alert.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert, prioritizing hosts where the writing process is not the Group Policy client and where other suspicious activity has been observed; the \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eUser\u003c/code\u003e fields of the write usually identify the attacker\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eEnsure the Sysmon TA (the Splunk add-on that parses Sysmon events) is version 2.0 or later so the registry event fields are extracted correctly.\u003c/li\u003e\n\u003cli\u003eEnforce Defender settings centrally through Group Policy or MDM so that a local change is overwritten at the next policy refresh, and turn on Defender tamper protection to keep the core real-time and cloud protection settings from being disabled locally.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-defender-mpengine/","summary":"An attacker sets the Windows Defender MpEngine policy value MpEnablePus to 0, turning off PUA protection so that follow-on malware runs with less interference.","title":"Windows Defender MpEngine Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-defender-mpengine/"},{"_cs_actors":["IcedID"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","application-uninstall","wmic"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection covers abuse of the Windows Management Instrumentation command-line utility (\u003ccode\u003ewmic.exe\u003c/code\u003e) to uninstall applications without any user prompt. 
Threat actors, including the operators behind IcedID, use it to remove security software such as antivirus agents so that later stages run undetected. The activity is post-compromise: it follows initial access and usually privilege escalation, since uninstalling per-machine software requires administrative rights. The assembled command looks like \u003ccode\u003ewmic product where name=\u0026quot;Product Name\u0026quot; call uninstall /nointeractive\u003c/code\u003e. The \u003ccode\u003e/nointeractive\u003c/code\u003e switch only suppresses the confirmation prompt and is legitimate on its own; it is the combination with \u003ccode\u003eproduct\u003c/code\u003e and \u003ccode\u003ecall uninstall\u003c/code\u003e, and a product name that belongs to a security tool, that makes the command line worth an alert.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through a phishing campaign or an exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious payload on the victim machine.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence and the attacker elevates privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmic.exe\u003c/code\u003e is invoked with the \u003ccode\u003eproduct\u003c/code\u003e alias to enumerate installed products. The alias maps to the \u003ccode\u003eWin32_Product\u003c/code\u003e class, which lists only Windows Installer packages; enumerating it triggers a consistency check of every installed package, which is slow and leaves MsiInstaller reconfiguration events (Event ID 1035) in the Application log, a useful corroborating artifact.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003ewhere name\u003c/code\u003e clause selects the target application.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecall uninstall\u003c/code\u003e invokes the product\u0026rsquo;s uninstaller.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e/nointeractive\u003c/code\u003e suppresses the confirmation prompt so the uninstall runs silently.\u003c/li\u003e\n\u003cli\u003eThe security software is gone, and follow-on activity proceeds with less chance of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution removes security software, such as antivirus or endpoint detection and response (EDR) agents, which significantly reduces the victim\u0026rsquo;s ability to detect and respond to the compromise. In the IcedID case this preceded rapid escalation, with ransomware deployed within 24 hours of initial access. Any Windows host where \u003ccode\u003ewmic.exe\u003c/code\u003e is present is exposed, whatever the size of the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious WMIC Product Uninstall via CommandLine\u003c/code\u003e to detect non-interactive uninstallation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003ewmic.exe\u003c/code\u003e process whose command line contains \u003ccode\u003eproduct\u003c/code\u003e, \u003ccode\u003ewhere name\u003c/code\u003e, \u003ccode\u003ecall uninstall\u003c/code\u003e and \u003ccode\u003e/nointeractive\u003c/code\u003e, as the rule description highlights, and check which product the \u003ccode\u003ewhere\u003c/code\u003e clause names.\u003c/li\u003e\n\u003cli\u003eMake sure command-line arguments are logged: Sysmon Event ID 1 records them by default, and Security Event ID 4688 does so only when the \u0026ldquo;Include command line in process creation events\u0026rdquo; policy is enabled. EDR telemetry must carry them too, or the detection cannot fire.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003ewmic.exe\u003c/code\u003e where possible; it is deprecated, and on recent Windows 11 builds it ships as an optional feature that can be removed from hosts that do not need it.\u003c/li\u003e\n\u003cli\u003eMonitor parent processes of \u003ccode\u003ewmic.exe\u003c/code\u003e; a command shell, script host or Office process as parent is a stronger signal than a software-deployment agent.\u003c/li\u003e\n\u003cli\u003eAllowlist legitimate application removals by parent process and command line to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-uninstallation/","summary":"This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.","title":"Suspicious WMIC Application Uninstallation","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-uninstallation/"},{"_cs_actors":["IcedID"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["persistence","defense_evasion","windows"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers, including IcedID operators, disable scheduled tasks to evade detection and keep their access. The technique uses the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility with the \u003ccode\u003e/change\u003c/code\u003e and \u003ccode\u003e/disable\u003c/code\u003e parameters. Disabling the right tasks silences security tooling that only runs on a schedule (scans, signature updates, backup and log collection jobs), so the attacker operates with fewer checks and prolongs access to the compromised host. 
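\u003c/p\u003e\n\u003cp\u003eThe following Python is an added example, not code from this brief, from the WMIC uninstallation brief above, or from the Sigma rules they name. It applies both command-line detections to a handful of constructed process-creation records using Sysmon Event ID 1 field names: a small Windows-style argument splitter handles the quoted product and task names, the WMIC check extracts the product named in the \u003ccode\u003ewhere\u003c/code\u003e clause and applies the parent-process allowlist the WMIC brief recommends, and the schtasks check extracts the task named by \u003ccode\u003e/tn\u003c/code\u003e and rates tasks under the Windows Defender task folder higher. The allowlisted deployment agent, the product names and the hosts are hypothetical.\u003c/p\u003e

```python
# Added example (not from the briefs): command-line detections for wmic
# product uninstalls and schtasks task disabling, run over constructed
# process-creation records (Sysmon Event ID 1 field names).
from typing import Dict, List

BACKSLASH = chr(92)
DQ = chr(34)  # double quote
SQ = chr(39)  # single quote
# Hypothetical allowlist of (parent image basename, product name) pairs that
# remove software legitimately; replace with pairs observed in your estate.
ALLOWED_UNINSTALLS = {('deploy-agent.exe', 'legacy vpn client')}
DEFENDER_TASK_FOLDER = '/microsoft/windows/windows defender/'

def winpath(path):
    # Sample paths are typed with '/' and converted to backslashes.
    return path.replace('/', BACKSLASH)

def basename(image):
    return image.replace(BACKSLASH, '/').rsplit('/', 1)[-1].lower()

def split_args(cmdline):
    # Minimal Windows-style splitter: whitespace separates arguments, double
    # quotes group them and are dropped. Enough for the wmic and schtasks
    # forms here; not a full CommandLineToArgvW.
    args, current, quoted = [], [], False
    for ch in cmdline:
        if ch == DQ:
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                args.append(''.join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append(''.join(current))
    return args

def detect_wmic_uninstall(ev):
    if basename(ev.get('Image', '')) != 'wmic.exe':
        return None
    args = split_args(ev.get('CommandLine', ''))
    low = [a.lower() for a in args]
    # Every marker from the rule description must be present.
    if not {'product', 'where', 'call', 'uninstall', '/nointeractive'}.issubset(low):
        return None
    at = low.index('where') + 1
    if at == len(args) or not low[at].startswith('name'):
        return None
    # where name=X; X may be single-quoted in WQL, double quotes were already dropped.
    product = args[at].split('=', 1)[-1].strip(SQ).strip()
    parent = basename(ev.get('ParentImage', ''))
    return {'technique': 'wmic_uninstall', 'host': ev.get('Computer', ''),
            'product': product, 'parent': parent,
            'allowlisted': (parent, product.lower()) in ALLOWED_UNINSTALLS}

def detect_schtasks_disable(ev):
    if basename(ev.get('Image', '')) != 'schtasks.exe':
        return None
    args = split_args(ev.get('CommandLine', ''))
    low = [a.lower() for a in args]
    if '/change' not in low or '/disable' not in low:
        return None
    task = ''
    if '/tn' in low and low.index('/tn') + 1 != len(args):
        task = args[low.index('/tn') + 1]
    # Disabling one of Defender's own tasks (scheduled scan, updates) is the worst case.
    folder = task.replace(BACKSLASH, '/').lower()
    severity = 'high' if folder.startswith(DEFENDER_TASK_FOLDER) else 'medium'
    return {'technique': 'schtasks_disable', 'host': ev.get('Computer', ''),
            'task': task, 'parent': basename(ev.get('ParentImage', '')),
            'severity': severity}

def scan(events):
    findings = []
    for ev in events:
        for detector in (detect_wmic_uninstall, detect_schtasks_disable):
            finding = detector(ev)
            if finding:
                findings.append(finding)
    return findings

def proc(image, parent, cmdline):
    return {'EventID': '1', 'Computer': 'WS-FIN-07.corp.example', 'Image': winpath(image),
            'ParentImage': winpath(parent), 'CommandLine': cmdline}

WMIC = 'C:/Windows/System32/wbem/WMIC.exe'
SCHTASKS = 'C:/Windows/System32/schtasks.exe'
CMD = 'C:/Windows/System32/cmd.exe'
# Constructed events; product, agent and host names are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Operator shell silently removes an endpoint agent: finding, not allowlisted.
    proc(WMIC, CMD, 'wmic product where name=' + DQ + 'Contoso Endpoint Agent' + DQ + ' call uninstall /nointeractive'),
    # Deployment agent retires a VPN client: finding, allowlisted.
    proc(WMIC, 'C:/Program Files/Deploy/deploy-agent.exe', 'wmic product where name=' + DQ + 'Legacy VPN Client' + DQ + ' call uninstall /nointeractive'),
    # Enumeration only: no finding.
    proc(WMIC, CMD, 'wmic product get name,version'),
    # Defender scheduled scan disabled from PowerShell: high.
    proc(SCHTASKS, 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe', 'schtasks /change /tn ' + DQ + winpath('/Microsoft/Windows/Windows Defender/Windows Defender Scheduled Scan') + DQ + ' /disable'),
    # The example from this brief: medium.
    proc(SCHTASKS, CMD, 'schtasks /change /tn ' + DQ + 'Security Scan' + DQ + ' /disable'),
    # Re-enabling a task: no finding.
    proc(SCHTASKS, CMD, 'schtasks /change /tn ' + DQ + 'Nightly Backup' + DQ + ' /enable'),
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

\u003cp\u003eRun it directly to print the four findings. The detectors read the Sysmon field names \u003ccode\u003eImage\u003c/code\u003e, \u003ccode\u003eParentImage\u003c/code\u003e and \u003ccode\u003eCommandLine\u003c/code\u003e; to feed them from Security Event ID 4688 with command-line auditing enabled, map \u003ccode\u003eNewProcessName\u003c/code\u003e and \u003ccode\u003eParentProcessName\u003c/code\u003e onto those names.\u003c/p\u003e\n\u003cp\u003e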
The DFIR Report published the underlying case on October 18, 2021: an IcedID intrusion in which this technique was used before XingLocker ransomware was deployed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the host via an unspecified method (for example, phishing or an exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system and obtains administrative rights, which changing tasks that run as SYSTEM requires.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates scheduled tasks and picks the ones worth silencing, typically security scans, signature updates and maintenance jobs.\u003c/li\u003e\n\u003cli\u003eThe attacker runs \u003ccode\u003eschtasks.exe\u003c/code\u003e with \u003ccode\u003e/change\u003c/code\u003e to modify the task and \u003ccode\u003e/disable\u003c/code\u003e to deactivate it in the same command, for example \u003ccode\u003eschtasks /change /tn \u0026quot;Security Scan\u0026quot; /disable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe disabled task no longer fires, so whatever it provided (a scan, an update, a backup) stops happening.\u003c/li\u003e\n\u003cli\u003eThe attacker keeps access and evades detection because the scheduled scans and updates that might have caught the tooling never run.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to further activity, such as data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the right scheduled tasks quietly removes security controls that exist only as scheduled jobs. In the documented IcedID intrusion the technique preceded XingLocker ransomware deployment. Any organization that relies on scheduled tasks for scanning, updates, backups or maintenance is affected, with data breach, system instability and financial loss as the likely consequences. The number of affected hosts depends on the scope of the initial compromise and on how far the attacker moves laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Schtasks Disable\u003c/code\u003e to your SIEM and tune it for your environment; administrators and installers do disable tasks legitimately, so filter on task name and parent process rather than suppressing the rule.\u003c/li\u003e\n\u003cli\u003eFeed the rule from Sysmon process-creation events (Event ID 1) or from Security Event ID 4688; for 4688 the \u0026ldquo;Include command line in process creation events\u0026rdquo; policy must be enabled, or the \u003ccode\u003e/change\u003c/code\u003e and \u003ccode\u003e/disable\u003c/code\u003e arguments are never logged.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert, prioritizing hosts that carry critical applications or data and alerts that name security or backup tasks.\u003c/li\u003e\n\u003cli\u003eCompare the set of disabled tasks on each host against a known baseline, and enable the Microsoft-Windows-TaskScheduler/Operational log (off by default), which records task registration changes together with the account that made them.\u003c/li\u003e\n\u003cli\u003eUse an endpoint detection and response (EDR) solution that records process execution with full command-line arguments.\u003c/li\u003e\n\u003cli\u003eKeep systems patched and antivirus definitions current to reduce the chance of the initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-scheduled-task/","summary":"Detection of schtasks.exe being used to disable scheduled tasks, a tactic used by adversaries such as IcedID operators to silence security applications and evade detection, potentially leading to persistence and further system compromise.","title":"Scheduled Task Disablement via Schtasks.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-scheduled-task/"}],"language":"en","title":"CraftedSignal Threat Feed — IcedID","version":"https://jsonfeed.org/version/1.1"}