The IcedId Delivery rule detects adversaries leveraging malicious downloads to establish initial access, which can lead to ransomware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware threats before they escalate.
KQL Query

```kusto
DeviceFileEvents
| where InitiatingProcessFileName in~("msedge.exe", "chrome.exe", "explorer.exe", "7zFM.exe", "firefox.exe", "browser_broker.exe")
| where FileOriginReferrerUrl has ".php" and FileOriginReferrerUrl has ".top" and FileOriginUrl has_any("googleusercontent", "google", "docs")
```
```yaml
id: b2f3ee1c-f379-465c-a339-412ecf3b1bcb
name: IcedId Delivery
description: |
  Use this query to locate successful delivery of associated malicious downloads that can lead to ransomware
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Initial access
  - Ransomware
query: |
  DeviceFileEvents
  | where InitiatingProcessFileName in~("msedge.exe", "chrome.exe", "explorer.exe", "7zFM.exe", "firefox.exe", "browser_broker.exe")
  | where FileOriginReferrerUrl has ".php" and FileOriginReferrerUrl has ".top" and FileOriginUrl has_any("googleusercontent", "google", "docs")
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
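As an added illustration (not part of the rule or of the Sentinel content), the following Python re-implements the query's two `where` clauses over constructed DeviceFileEvents rows, approximating KQL's case-insensitive, term-based `has`/`has_any`, and layers a hypothetical referrer-host allow-list of the kind the tuning scenarios below describe. The row values and the allow-list host are assumptions made up for the demo.

```python
import re

# Process names from the rule's in~() list; in~ is case-insensitive, so compare lower-cased.
BROWSER_PROCS = {"msedge.exe", "chrome.exe", "explorer.exe", "7zfm.exe", "firefox.exe", "browser_broker.exe"}
GOOGLE_TOKENS = ("googleusercontent", "google", "docs")
ALLOWED_REFERRER_HOSTS = {"hr-portal.example.top"}  # hypothetical analyst-verified allow-list

def _terms(text):
    # KQL indexes runs of alphanumerics as terms; '.' and other punctuation separate them.
    return re.findall(r"[a-z0-9]+", text.lower())

def kql_has(value, needle):
    """Approximate KQL `has`: case-insensitive match on whole terms, not raw substrings."""
    v, n = _terms(value), _terms(needle)
    return bool(n) and any(v[i:i + len(n)] == n for i in range(len(v) - len(n) + 1))

def kql_has_any(value, needles):
    return any(kql_has(value, n) for n in needles)

def referrer_host(url):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def matches_rule(ev):
    """The two `where` clauses of the IcedId Delivery query, evaluated on one row."""
    ref, origin = ev.get("FileOriginReferrerUrl", ""), ev.get("FileOriginUrl", "")
    return (ev.get("InitiatingProcessFileName", "").lower() in BROWSER_PROCS
            and kql_has(ref, ".php") and kql_has(ref, ".top")
            and kql_has_any(origin, GOOGLE_TOKENS))

def hunt(events, allow=ALLOWED_REFERRER_HOSTS):
    """FileName of rows that match the rule and whose referrer host is not allow-listed."""
    return [ev["FileName"] for ev in events
            if matches_rule(ev) and referrer_host(ev.get("FileOriginReferrerUrl", "")) not in allow]

# Constructed DeviceFileEvents rows for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"FileName": "invoice_3921.zip", "InitiatingProcessFileName": "chrome.exe",
     "FileOriginReferrerUrl": "http://lure-site.top/view.php?id=7",
     "FileOriginUrl": "https://doc-0k-3c-docs.googleusercontent.com/docs/securesc/f.zip"},
    {"FileName": "report.pdf", "InitiatingProcessFileName": "MSEDGE.EXE",   # in~ ignores case
     "FileOriginReferrerUrl": "https://intranet.example.com/page.php",     # no .top: no match
     "FileOriginUrl": "https://docs.google.com/uc?export=download&id=abc"},
    {"FileName": "form.xlsx", "InitiatingProcessFileName": "firefox.exe",   # matches the rule
     "FileOriginReferrerUrl": "https://hr-portal.example.top/forms.php",   # but is allow-listed
     "FileOriginUrl": "https://docs.google.com/spreadsheets/export"},
]

print(hunt(SAMPLE_EVENTS))  # ['invoice_3921.zip']
```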
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses icacls or robocopy to copy files to a network share, which may trigger the rule due to file system activity.
Filter/Exclusion: Exclude processes associated with backup tools like Veeam, Commvault, or Veritas NetBackup using the process name or parent process context.
Scenario: Admin Task - File System Cleanup
Description: An admin runs a script using PowerShell or cmd.exe to clean up temporary files or logs, which may resemble malicious file delivery.
Filter/Exclusion: Exclude processes with powershell.exe or cmd.exe that are initiated by known admin accounts (e.g., Administrator, Domain Admins) and have a known cleanup script or command.
Scenario: Software Update Deployment
Description: A legitimate software update via Microsoft Endpoint Manager or WSUS may involve file downloads that match the rule’s detection logic.
Filter/Exclusion: Exclude file downloads from known update servers (e.g., wsus, update.microsoft.com) or processes associated with Microsoft Intune or SCCM.
Scenario: Log File Rotation or Archiving
Description: A system or application performs log rotation using tools like logrotate or rsync, which may trigger the rule due to file transfer activity.
Filter/Exclusion: Exclude processes related to log management tools (e.g., logrotate, rsync, syslog-ng) or file transfers to standard log directories (e.g., /var/log, C:\Windows\System32\LogFiles).
Scenario: User-Initiated File Transfer
Description: A user manually transfers files using tools like scp, `rsync