| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server. |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | IceApple can use HTTP GET to request and pull information from C2. |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | IceApple can encrypt and compress files using Gzip prior to exfiltration. |
| Enterprise | T1005 | Data from Local System | IceApple can collect files, passwords, and other data from a compromised host. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | IceApple can use a Base64-encoded AES key to decrypt tasking. |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | The IceApple Result Retriever module can AES encrypt C2 responses. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2. |
| Enterprise | T1083 | File and Directory Discovery | The IceApple Directory Lister module can list information about files and directories, including creation time, last write time, name, and size. |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | IceApple can delete files and directories from targeted systems. |
| Enterprise | T1056.003 | Input Capture: Web Portal Capture | The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | IceApple .NET assemblies have used `App_Web_` in their file names to appear legitimate. |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | IceApple can use Base64 and "junk" JavaScript code to obfuscate information. |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | IceApple's Credential Dumper module can dump encrypted password hashes from SAM registry keys, including `HKLM\SAM\SAM\Domains\Account\F` and `HKLM\SAM\SAM\Domains\Account\Users\*\V`. |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | IceApple's Credential Dumper module can dump LSA secrets from registry keys, including `HKLM\SECURITY\Policy\PolEKList\default`, `HKLM\SECURITY\Policy\Secrets\*\CurrVal`, and `HKLM\SECURITY\Policy\Secrets\*\OldVal`. |
| Enterprise | T1620 | Reflective Code Loading | IceApple can use reflective code loading to load .NET assemblies into MSExchangeOWAAppPool on targeted Exchange servers. |
| Enterprise | T1505.004 | Server Software Component: IIS Components | IceApple is an IIS post-exploitation framework consisting of 18 modules that together provide a range of functionality. |
| Enterprise | T1082 | System Information Discovery | The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary. |
| Enterprise | T1016 | System Network Configuration Discovery | The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks. |
| Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | IceApple can harvest credentials from local and remote host registries. |