Icedid Exfiltrated Archived File Creation

Description

This search detects suspicious file creation, namely of files named passff.tar and cookie.tar. These files are likely archives of stolen browser data, such as history and cookies, created on a machine compromised by IcedID.

Help

To successfully implement this search, you need to be ingesting logs that include the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
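As an added illustration of the detection logic described above (not the project's own search), the following Python script parses Sysmon FileCreate (Event ID 11) events and flags any that create a file named passff.tar or cookie.tar. It matches on the file's basename, case-insensitively, so a near-miss such as cookie.tar.bak is not reported; the sample events, paths and process names are constructed for the example.

```python
"""Flag creation of passff.tar / cookie.tar in Sysmon FileCreate events."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Archive names from the detection description. Matching is on the basename
# only and case-insensitive, so C:\Temp\COOKIE.TAR matches but cookie.tar.bak does not.
SUSPICIOUS_ARCHIVES = {"passff.tar", "cookie.tar"}


def _event_xml(event_id, utc, image, pid, target):
    """Build a constructed Sysmon event in Windows event XML form (not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="UtcTime">{utc}</Data><Data Name="ProcessId">{pid}</Data>'
        f'<Data Name="Image">{image}</Data><Data Name="TargetFilename">{target}</Data>'
        "</EventData></Event>"
    )


# Constructed sample events: two true hits, one near-miss, one non-FileCreate event.
SAMPLE_EVENTS = [
    _event_xml(11, "2023-01-05 10:12:01.123", r"C:\Users\alice\AppData\Local\Temp\update.exe",
               4120, r"C:\Users\alice\AppData\Local\Temp\passff.tar"),
    _event_xml(11, "2023-01-05 10:12:03.456", r"C:\Windows\System32\rundll32.exe",
               4120, r"C:\ProgramData\COOKIE.TAR"),
    _event_xml(11, "2023-01-05 10:12:05.789", r"C:\Program Files\7-Zip\7z.exe",
               5001, r"C:\Backups\cookie.tar.bak"),
    _event_xml(1, "2023-01-05 10:12:06.000", r"C:\Windows\System32\cmd.exe",
               5002, r"C:\Temp\passff.tar"),
]


def parse_file_create(event_xml):
    """Return the EventData fields of a FileCreate (ID 11) event, or None for other IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "11":
        return None
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}


def find_suspicious_archives(events):
    """Return one alert dict per event that creates a file named in SUSPICIOUS_ARCHIVES."""
    alerts = []
    for event_xml in events:
        data = parse_file_create(event_xml)
        if data is None:
            continue
        name = PureWindowsPath(data.get("TargetFilename", "")).name.lower()
        if name in SUSPICIOUS_ARCHIVES:
            alerts.append({"time": data["UtcTime"], "image": data["Image"],
                           "pid": int(data["ProcessId"]), "file": data["TargetFilename"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_archives(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the creating process image and PID so an analyst can pivot to the process creation and command-line events the Help section says must be ingested.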

Search