The rule flags PE files that combine an x86 code pattern observed in IcedID samples ($magic1) with a set of MFC runtime artifacts ($st01 to $st08), the default MSVC section layout (.text, .rdata, .data, .rsrc) and two file-header flags (executable image, relocations stripped). The note "adjusted several times" in the meta description records that the author re-tuned these indicators several times; it is the rule that changed, not a sign of adversary evasion. Azure Sentinel does not evaluate YARA rules itself: run the rule with a YARA scanner on endpoints or on a file-collection point (download, temp and staging directories are the usual places for an early-stage IcedID drop) and ingest the matches as events so that SOC teams can triage them alongside other telemetry.
YARA Rule
import "pe"   // required for the pe.sections / pe.characteristics clauses below

rule IceID_Bank_trojan {
    meta:
        description = "Detects IcedID..adjusted several times"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-14"
    strings:
        $header = { 4D 5A }                                  // "MZ" DOS signature
        // x86 call rel32, jmp rel32, push imm8, push imm32 with wildcarded operands
        $magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
        // MFC class names, an API name and MSVC-mangled RTTI type names
        $st01 = "CCmdTarget" fullword nocase wide ascii
        $st02 = "CUserException" fullword nocase wide ascii
        $st03 = "FileType" fullword nocase wide ascii
        $st04 = "FlsGetValue" fullword nocase wide ascii
        $st05 = "AVCShellWrapper@@" fullword nocase wide ascii
        $st06 = "AVCCmdTarget@@" fullword nocase wide ascii
        $st07 = "AUCThreadData@@" fullword nocase wide ascii
        $st08 = "AVCUserException@@" fullword nocase wide ascii
    condition:
        $header at 0 and all of ($magic*) and 6 of ($st0*)
        and pe.sections[0].name contains ".text"
        and pe.sections[1].name contains ".rdata"
        and pe.sections[2].name contains ".data"
        and pe.sections[3].name contains ".rsrc"
        and pe.characteristics & pe.EXECUTABLE_IMAGE
        and pe.characteristics & pe.RELOCS_STRIPPED
}
The rule contains 10 string patterns ($header, $magic1 and $st01 through $st08) and is meant for scanning PE files on disk, for example with the yara command-line scanner or an endpoint agent that supports YARA. The pe.* clauses in the condition need the pe module, so the rule must begin with import "pe" to compile. Also note that "contains" is a substring test: the pe.sections[2].name contains ".data" clause is satisfied by a section named ".rdata" as well.
Scenario: A legitimately built Visual C++/MFC application (RTTI enabled) carries the same names the $st0* strings look for (CCmdTarget and CUserException are MFC classes; the "@@"-suffixed strings are MSVC-mangled type names) in the default .text/.rdata/.data/.rsrc section order.
Filter/Exclusion: Do not loosen the string or section clauses; $magic1 and RELOCS_STRIPPED are what separate the IcedID samples from ordinary MFC builds. Triage hits by hash against a known-good software inventory and by a valid Authenticode signature checked at scan time, and exclude by hash or signing certificate rather than by file path.
Scenario: Endpoint management (e.g., Microsoft Endpoint Manager or Intune) stages installers and update binaries on disk during deployment.
Filter/Exclusion: Keep scanning the staging directories; exclude an individual binary only after it has been verified as signed by the expected publisher, since a path-based exclusion for a writable staging directory is trivially abused.
Scenario: A scheduled task runs a PowerShell script from C:\Windows\System32\WindowsPowerShell\v1.0, an administrator queries event logs for the term "IcedID", or a CI/CD pipeline (Azure DevOps, GitHub Actions) carries a test string "IcedID" in a build script.
Filter/Exclusion: None needed. The rule cannot fire on scripts, log text or build output: $header at 0 requires an MZ header, the pe module clauses require a parseable PE image, and the rule contains no "IcedID" string at all. Exclusions keyed on that term suppress nothing.
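To make the condition concrete, and to show why the benign-MFC scenario does not fire while the full indicator set does, here is an added Python re-implementation of the rule's condition over a byte buffer. It is example code written for this page, not MalwareMustDie's or YARA's own code, and it is not a substitute for the YARA engine: the PE parser is minimal, only whole-byte "??" wildcards are handled, and the inputs are synthetic PE images constructed inside the script (no real IcedID sample is embedded). The cross_check helper assumes yara-python is installed and that the rule has been saved to a file with import "pe" at the top.

```python
import re
import struct

# IMAGE_FILE_* header flags from the PE/COFF spec; YARA exposes them as
# pe.RELOCS_STRIPPED and pe.EXECUTABLE_IMAGE.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

# Indicators copied from the rule: $magic1 and the $st0* strings.
MAGIC1 = "E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ??"
ST_STRINGS = ["CCmdTarget", "CUserException", "FileType", "FlsGetValue",
              "AVCShellWrapper@@", "AVCCmdTarget@@", "AUCThreadData@@", "AVCUserException@@"]
EXPECTED_SECTIONS = [".text", ".rdata", ".data", ".rsrc"]


def hex_to_regex(pattern):
    """YARA hex string (whole-byte '??' wildcards only) -> bytes regex."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def fullword_regex(text, wide):
    """Regex for '"text" fullword nocase' in ascii (wide=False) or UTF-16LE (wide=True) form."""
    alnum = rb"[A-Za-z0-9]" + (rb"\x00" if wide else b"")
    body = b""
    for ch in text:
        lo, up = ch.lower(), ch.upper()
        body += (re.escape(lo) if lo == up else "[" + lo + up + "]").encode()
        body += b"\x00" if wide else b""
    # fullword: no alphanumeric character directly before or after the match
    return re.compile(rb"(?<!" + alnum + rb")" + body + rb"(?!" + alnum + rb")")


def parse_pe(data):
    """Return (file characteristics, [section names]) or None if data is not a PE image."""
    try:
        if data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
        opt_size, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
        table = e_lfanew + 24 + opt_size          # section table follows the optional header
        names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
                 for i in range(nsections)]
    except struct.error:
        return None
    return characteristics, names


def check(data):
    """Evaluate each clause of the rule's condition on a byte buffer; 'match' is the verdict."""
    r = {
        "header": data[:2] == b"MZ",
        "magic1": hex_to_regex(MAGIC1).search(data) is not None,
        "strings": sum(1 for s in ST_STRINGS
                       if fullword_regex(s, False).search(data) or fullword_regex(s, True).search(data)),
        "sections": False,
        "characteristics": False,
    }
    pe = parse_pe(data)
    if pe is not None:
        chars, names = pe
        # 'contains' is a substring test, exactly as in the rule (".rdata" satisfies ".data")
        r["sections"] = len(names) >= 4 and all(
            want in names[i] for i, want in enumerate(EXPECTED_SECTIONS))
        r["characteristics"] = bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE) and \
            bool(chars & IMAGE_FILE_RELOCS_STRIPPED)
    r["match"] = (r["header"] and r["magic1"] and r["strings"] >= 6
                  and r["sections"] and r["characteristics"])
    return r


def build_pe(section_names, characteristics, payload):
    """Construct a minimal 32-bit PE image (synthetic test input, not a real sample)."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)       # PE32 magic, rest zeroed
    header = dos + b"PE\0\0" + coff + opt
    raw_off = len(header) + 40 * len(section_names)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), len(payload), 0x1000 * (i + 1),
                                 len(payload) if i == 0 else 0, raw_off if i == 0 else 0,
                                 0, 0, 0, 0, 0x60000020)
                     for i, n in enumerate(section_names))
    return header + table + payload


# Constructed inputs: the wildcarded code bytes, and NUL-separated MFC/RTTI artifacts.
MAGIC_BYTES = bytes.fromhex("E8 01 02 03 04 E9 05 06 07 08 6A 01 68 10 20")
MFC_RTTI = b"".join((b".?" + s.encode() if s.endswith("@@") else s.encode()) + b"\0"
                    for s in ST_STRINGS)
FLAGS = IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100   # + 32BIT_MACHINE
SAMPLE_MATCH = build_pe(EXPECTED_SECTIONS, FLAGS, b"\0" + MAGIC_BYTES + b"\0" + MFC_RTTI)
SAMPLE_BENIGN_MFC = build_pe(EXPECTED_SECTIONS, FLAGS, b"\0" + MFC_RTTI)        # no $magic1
SAMPLE_ODD_LAYOUT = build_pe([".text", ".data", ".rdata", ".rsrc"], FLAGS,
                             b"\0" + MAGIC_BYTES + b"\0" + MFC_RTTI)


def cross_check(rule_path, data):
    """Run the real rule with yara-python if it is installed (None otherwise)."""
    try:
        import yara   # pip install yara-python
    except ImportError:
        return None
    return bool(yara.compile(filepath=rule_path).match(data=data))


if __name__ == "__main__":
    for label, sample in [("match", SAMPLE_MATCH), ("benign MFC", SAMPLE_BENIGN_MFC),
                          ("odd layout", SAMPLE_ODD_LAYOUT)]:
        print(label, check(sample))
```

Running the script prints the per-clause breakdown for the three constructed images: the first passes every clause, the benign MFC image hits all eight strings but fails on $magic1, and the re-ordered image fails only on the section clause. Feeding the same byte strings to cross_check with the rule saved to disk (import "pe" included) gives a sanity check that the re-implementation and the real engine agree before the rule is used for tuning decisions.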