Skip to content

S1022 IceApple

IceApple is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.1

Item Value
ID S1022
Associated Names
Version 1.1
Created 27 June 2022
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols IceApple can use HTTP GET to request and pull information from C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility IceApple can encrypt and compress files using Gzip prior to exfiltration.1
enterprise T1005 Data from Local System IceApple can collect files, passwords, and other data from a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information IceApple can use a Base64-encoded AES key to decrypt tasking.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography The IceApple Result Retriever module can AES encrypt C2 responses.1
enterprise T1041 Exfiltration Over C2 Channel IceApple‘s Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.1
enterprise T1083 File and Directory Discovery The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion IceApple can delete files and directories from targeted systems.1
enterprise T1056 Input Capture -
enterprise T1056.003 Web Portal Capture The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location IceApple .NET assemblies have used App_Web_ in their file names to appear legitimate.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation IceApple can use Base64 and “junk” JavaScript code to obfuscate information.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager IceApple‘s Credential Dumper module can dump encrypted password hashes from SAM registry keys, including HKLM\SAM\SAM\Domains\Account\F and HKLM\SAM\SAM\Domains\Account\Users\*\V.1
enterprise T1003.004 LSA Secrets IceApple‘s Credential Dumper module can dump LSA secrets from registry keys, including: HKLM\SECURITY\Policy\PolEKList\default, HKLM\SECURITY\Policy\Secrets\*\CurrVal, and HKLM\SECURITY\Policy\Secrets\*\OldVal.1
enterprise T1620 Reflective Code Loading IceApple can use reflective code loading to load .NET assemblies into MSExchangeOWAAppPool on targeted Exchange servers.1
enterprise T1505 Server Software Component -
enterprise T1505.004 IIS Components IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.1
enterprise T1082 System Information Discovery The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.1
enterprise T1016 System Network Configuration Discovery The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.002 Credentials in Registry IceApple can harvest credentials from local and remote host registries.1