Detection rules › Splunk
Drop IcedID License dat
The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: search
search (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") EventCode=11 TargetFilename="*\\license.dat"
Stage 2: stats
stats BY TargetFilename, EventCode, process_id, process_name, dest
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
TargetFilename | eq |
|