Description
[IceApple](https://attack.mitre.org/software/S1022) is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.(Citation: CrowdStrike IceApple May 2022)
External References
Techniques Used by This Malware
- T1003.002 — Security Account Manager
- T1003.004 — LSA Secrets
- T1005 — Data from Local System
- T1016 — System Network Configuration Discovery
- T1027.010 — Command Obfuscation
- T1036.005 — Match Legitimate Resource Name or Location
- T1041 — Exfiltration Over C2 Channel
- T1056.003 — Web Portal Capture
- T1070.004 — File Deletion
- T1071.001 — Web Protocols
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery
- T1087.002 — Domain Account
- T1140 — Deobfuscate/Decode Files or Information
- T1505.004 — IIS Components
- T1552.002 — Credentials in Registry
- T1560.001 — Archive via Utility
- T1573.001 — Symmetric Cryptography
- T1620 — Reflective Code Loading