IcedID and Cobalt Strike vs Antivirus

released on 2021-07-19 @ 10:07:23 AM
A couple of ransomware cases in 2021 (Sodinokibi & Conti) used IcedID as the initial foothold into the environment. IcedID downloads second-stage payloads and loads them as DLLs with rundll32 (miubeptk2.dll – IcedID – used for persistence) and regsvr32 (ekix4.dll – Cobalt Strike beacon – privilege escalation via fodhelper), after which the operators pillage the domain. Service Execution (T1569.002) via the Cobalt Strike beacon was used throughout the intrusion for privilege escalation.
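The chain above gives a defender three concrete things to look for in endpoint telemetry: rundll32/regsvr32 being handed a DLL from a user-writable directory, fodhelper.exe spawning a child it never spawns in normal use, and a service install (System log event 7045) whose binary path points at an admin share or an interpreter. The script below is an added example, not code from the original article or from any of the tooling it mentions; it runs those three checks over constructed Sysmon-style process records and one constructed service-install record. The directory lists, the child-process list, the T1218 and T1548.002 labels, and the sample values (host, service name, user path) are assumptions chosen for the example; only the DLL names come from the article.

```python
import re
from dataclasses import dataclass

# Signed loaders the article describes being handed a DLL from disk.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Directories a standard user can write to (assumed list for this example).
USER_WRITABLE = re.compile(
    r"\\(temp|tmp|appdata|programdata|downloads|users\\public)\\", re.IGNORECASE
)

# Children fodhelper.exe does not spawn during normal use (assumed list).
UNEXPECTED_FODHELPER_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "mshta.exe",
}

# A freshly installed service's binary path should not be an interpreter.
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class ServiceInstallEvent:
    """Subset of a System log Event ID 7045 (service installed) record."""
    service_name: str
    image_path: str


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK id; T1569.002 is the one the article names
    reason: str
    evidence: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> list[Alert]:
    alerts = []
    name = basename(ev.image)
    # rundll32/regsvr32 given a DLL that lives in a user-writable directory.
    if name in DLL_LOADERS:
        m = re.search(r'"?([^"\s]+\.dll)', ev.command_line, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1)):
            alerts.append(Alert("T1218", f"{name} loading a DLL from a user-writable path", m.group(1)))
    # fodhelper.exe auto-elevates; it should never parent a shell or script host.
    if basename(ev.parent_image) == "fodhelper.exe" and name in UNEXPECTED_FODHELPER_CHILDREN:
        alerts.append(Alert("T1548.002", "fodhelper.exe spawned an unexpected child", ev.command_line))
    return alerts


def check_service(ev: ServiceInstallEvent) -> list[Alert]:
    """T1569.002: service whose binary sits on an admin share, in a user-writable dir, or is an interpreter."""
    path = ev.image_path
    on_admin_share = re.search(r"^\\\\[^\\]+\\admin\$\\", path, re.IGNORECASE) is not None
    first_token = basename(path.split(" ", 1)[0].strip('"'))
    if on_admin_share or first_token in INTERPRETERS or USER_WRITABLE.search(path):
        return [Alert("T1569.002", f"service '{ev.service_name}' installed with suspicious binary path", path)]
    return []


def run_triage(processes, services) -> list[Alert]:
    alerts = []
    for p in processes:
        alerts.extend(check_process(p))
    for s in services:
        alerts.extend(check_service(s))
    return alerts


# Constructed sample telemetry (not real logs) mirroring the article's chain.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\miubeptk2.dll",PluginInit',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\ProgramData\ekix4.dll",
                 r"C:\Windows\System32\rundll32.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /k",
                 r"C:\Windows\System32\fodhelper.exe"),
    # Benign: rundll32 loading a DLL from System32 must not fire.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]
SAMPLE_SERVICES = [
    ServiceInstallEvent("bd3f9e1", r"\\WS01\ADMIN$\bd3f9e1.exe"),          # assumed host/name
    ServiceInstallEvent("VendorAgent", r'"C:\Program Files\Vendor\agent.exe" --service'),  # benign
]

if __name__ == "__main__":
    for a in run_triage(SAMPLE_PROCESSES, SAMPLE_SERVICES):
        print(f"[{a.technique}] {a.reason}: {a.evidence}")
```

Running the block prints four alerts (two DLL loads, the fodhelper child, the admin-share service) and stays silent on the two benign records. The checks are deliberately path- and parent-based rather than name-based, since the DLL names in the article were specific to that intrusion and will not recur.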