S1022: IceApple
Analyst context for executives and security teams
IceApple matters because it is described as a modular post-exploitation framework for Windows IIS web servers. For leaders, the practical risk is not just malware on a server; it is a compromised web-facing platform that can support persistence, credential access, discovery, collection, command-and-control over web protocols, and exfiltration. IIS systems often sit close to customers, portals, authentication flows, and sensitive application data, so visibility and response readiness around them should be treated as business-continuity and identity-risk priorities.
Executive priority
Prioritize IceApple-relevant readiness for internet-facing and business-critical IIS servers. Ask whether the organization can prove who owns each IIS asset, what components are authorized, whether credential access attempts against SAM/LSA/Registry would be visible, and whether suspicious web-protocol traffic from IIS hosts would trigger investigation. This is also useful audit evidence: asset inventory, IIS change control, privileged access monitoring, endpoint telemetry, and egress logging are the controls that usually determine whether this behavior is manageable during an incident.
Technical view
MITRE does not provide a dedicated detection section for IceApple, and the mirrored object lists no explicit tactics, so defensive validation should be driven by the linked techniques. On Windows IIS hosts, look for evidence of: malicious or unexpected IIS components and unusual IIS worker-process (w3wp.exe) behavior; credential access against the SAM, LSA secrets, or Registry-stored credentials; local and domain account discovery; file and directory discovery; local data collection, archive creation, and file deletion; command obfuscation, deobfuscation, and reflective code loading; and HTTP/S-based command-and-control or exfiltration. Treat IIS component changes and web portal credential-capture scenarios (the linked procedures describe an OWA credential logger) as high-value investigation leads, especially when paired with credential or data-staging telemetry.
Likely telemetry
- IIS configuration, module, ISAPI extension/filter, and component change records
- Windows endpoint process, command-line, script, DLL/module load, and memory-behavior telemetry on IIS servers
- Windows Registry access telemetry, especially around SAM, SECURITY, Policy\Secrets, and stored-credential locations
- File system telemetry for discovery, staging, archive creation, suspicious placement under legitimate-looking paths, and deletion
- Authentication and directory-service logs for domain account enumeration and unusual credential use following IIS activity
Detection direction
- Baseline authorized IIS components and alert on new, modified, or unexpectedly loaded IIS modules, ISAPI extensions, filters, or DLLs.
- Correlate IIS worker-process activity with child processes, command interpreters, Registry credential access, local file discovery, archive utilities, and file deletion events.
- Tune for credential-access behaviors rather than malware name alone: SAM extraction, LSA secrets access, and searches for credentials in the Registry are material even without an IceApple signature.
- Review outbound web traffic from IIS servers for C2-like behavior, but account for false positives from legitimate application integrations, update services, and monitoring agents.
- Use relationship context to build multi-signal detections: IIS component persistence plus discovery, credential access, archiving, or exfiltration over web protocols should be higher priority than any single weak indicator.
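The first detection bullet, baselining authorized IIS components, is the most mechanical one to automate. The script below is an added example for this page and is not IceApple, CrowdStrike or MITRE code: it parses the `globalModules` and `isapiFilters` sections of an applicationHost.config, flags entries that are not in a known-good baseline and entries whose image path sits outside the directories native IIS and ASP.NET binaries normally load from. The config fragment, the baseline set and the `HealthMonitorModule` entry are constructed for the demonstration; on a real server you would read `%windir%\System32\inetsrv\config\applicationHost.config` and capture the baseline from a freshly built host of the same version.

```python
"""Baseline check for IIS global modules and ISAPI filters in applicationHost.config.

Added example for this page; it is not IceApple, CrowdStrike or MITRE code.
On a real server, read %windir%\\System32\\inetsrv\\config\\applicationHost.config
and capture BASELINE from a known-good build of the same version. The config
fragment and the HealthMonitorModule entry below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (real files are much larger).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <!-- hypothetical unauthorized native module, not a real IceApple artifact -->
      <add name="HealthMonitorModule" image="C:\inetpub\wwwroot\bin\healthmon.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit"
              path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll"
              enabled="true" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""

# (name, image) pairs captured from a known-good server of the same build.
BASELINE = {
    ("HttpLoggingModule", r"%windir%\System32\inetsrv\loghttp.dll"),
    ("StaticFileModule", r"%windir%\System32\inetsrv\static.dll"),
    ("ASP.Net_4.0_64bit", r"%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll"),
}

# Native IIS and ASP.NET binaries normally load from these roots (compared lower-cased).
TRUSTED_ROOTS = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")


def extract_components(config_xml: str) -> list[tuple[str, str, str]]:
    """Return (kind, name, image) for every global module and ISAPI filter."""
    root = ET.fromstring(config_xml)
    found = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            found.append(("globalModule", add.get("name", ""), add.get("image", "")))
    for section in root.iter("isapiFilters"):
        for flt in section.findall("filter"):
            found.append(("isapiFilter", flt.get("name", ""), flt.get("path", "")))
    return found


def audit_components(config_xml: str, baseline=BASELINE, trusted_roots=TRUSTED_ROOTS) -> list[dict]:
    """Flag components missing from the baseline or loading from unexpected paths."""
    findings = []
    for kind, name, image in extract_components(config_xml):
        reasons = []
        if (name, image) not in baseline:
            reasons.append("not in baseline")
        if not image.lower().startswith(trusted_roots):
            reasons.append("image outside trusted roots")
        if reasons:
            findings.append({"kind": kind, "name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_components(SAMPLE_CONFIG):
        print(f"{f['kind']} {f['name']} ({f['image']}): {', '.join(f['reasons'])}")
```

Two caveats when running this against real hosts: the baseline must be keyed on both name and image, because an attacker can reuse a legitimate module name with a different DLL, and managed modules registered per site under `<system.webServer><modules>` by .NET type name are not covered here and need a separate check against the site's bin directory and the GAC.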
Mitigation priorities
- Establish and maintain an inventory of Windows IIS servers, especially externally facing and authentication-related systems.
- Enforce change control and integrity monitoring for IIS components, web application directories, and server-side extensions.
- Harden privileged access on IIS hosts and reduce exposure of service-account and locally stored credentials.
- Ensure endpoint monitoring is deployed and tested on IIS servers without excluding the directories and processes needed for investigation.
- Restrict and monitor outbound network access from IIS hosts so web-protocol egress is expected, attributable, and reviewable.
Analyst notes and limits
The strongest defensive value comes from treating IceApple as an IIS post-exploitation pattern rather than a single indicator. The supplied relationships connect it to persistence through IIS components, credential access, discovery, collection, stealth, C2, and exfiltration behaviors. Glexia teams should use this to test whether SOC content, incident response procedures, and audit evidence cover the full chain on Windows IIS assets.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, or explicit tactics for the malware object. Sector references are limited to the official description and should not be interpreted as current targeting or customer exposure. Local asset criticality, IIS architecture, logging depth, and normal application behavior are required to assess risk and tune detections.
IceApple
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1027.010 | Command Obfuscation | IceApple can use Base64 and "junk" JavaScript code to obfuscate information. [1] |
| Enterprise | T1003.004 | LSA Secrets | IceApple's Credential Dumper module can dump LSA secrets from registry keys, including `HKLM\SECURITY\Policy\PolEKList\default`, `HKLM\SECURITY\Policy\Secrets\*\CurrVal`, and `HKLM\SECURITY\Policy\Secrets\*\OldVal`. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | IceApple .NET assemblies have used `App_Web_` in their file names to appear legitimate. [1] |
| Enterprise | T1070.004 | File Deletion | IceApple can delete files and directories from targeted systems. [1] |
| Enterprise | T1552.002 | Credentials in Registry | IceApple can harvest credentials from local and remote host registries. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2. [1] |
| Enterprise | T1505.004 | IIS Components | IceApple is an IIS post-exploitation framework consisting of 18 modules that provide several functionalities. [1] |
| Enterprise | T1005 | Data from Local System | IceApple can collect files, passwords, and other data from a compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | IceApple can use a Base64-encoded AES key to decrypt tasking. [1] |
| Enterprise | T1560.001 | Archive via Utility | IceApple can encrypt and compress files using Gzip prior to exfiltration. [1] |
| Enterprise | T1620 | Reflective Code Loading | IceApple can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers. [1] |
| Enterprise | T1056.003 | Web Portal Capture | The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials. [1] |
| Enterprise | T1071.001 | Web Protocols | IceApple can use HTTP GET to request and pull information from C2. [1] |
| Enterprise | T1082 | System Information Discovery | The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary. [1] |
| Enterprise | T1083 | File and Directory Discovery | The IceApple Directory Lister module can list information about files and directories, including creation time, last write time, name, and size. [1] |
| Enterprise | T1087.002 | Domain Account | The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | The IceApple Result Retriever module can AES-encrypt C2 responses. [1] |
| Enterprise | T1003.002 | Security Account Manager | IceApple's Credential Dumper module can dump encrypted password hashes from SAM registry keys, including `HKLM\SAM\SAM\Domains\Account\F` and `HKLM\SAM\SAM\Domains\Account\Users\*\V`. [1] |
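The procedures in this table supply the concrete artifacts that the "Detection direction" bullets above ask for: the SAM and LSA secrets registry paths, the `App_Web_` assembly naming, and the fact that everything runs inside the IIS worker process (w3wp.exe, which also hosts `MSExchangeOWAAppPool`). The script below is an added example for this page and is not IceApple, CrowdStrike or MITRE code. It builds the w3wp.exe process lineage per host, extracts three signals from normalized endpoint events (an interpreter spawned by w3wp.exe, access to the credential registry paths from the IIS lineage, and an `App_Web_*.dll` loaded into w3wp.exe from outside the ASP.NET `Temporary ASP.NET Files` directory) and only alerts when at least two distinct signals land on one host within a 30-minute window. The event records and field names are constructed assumptions rather than any vendor's schema, and the `App_Web_`-outside-temp rule is a heuristic of this example, not something the cited report states.

```python
"""Multi-signal correlation for IceApple-style IIS post-exploitation behavior.

Added example for this page; not IceApple, CrowdStrike or MITRE code. The events
below are constructed to resemble normalized endpoint telemetry, and the field
names (ts, host, type, pid, ppid, image, parent_image, key, loaded) are assumptions,
not any vendor's schema. w3wp.exe is the IIS worker process.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry paths named in the ATT&CK procedures for this software (LSA secrets, SAM),
# lower-cased for prefix matching.
CREDENTIAL_KEY_PREFIXES = (
    r"hklm\security\policy\poleklist",
    r"hklm\security\policy\secrets",
    r"hklm\sam\sam\domains\account",
)
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# ASP.NET dynamic compilation writes its App_Web_*.dll output under this directory;
# treating an App_Web_ DLL loaded from elsewhere as suspicious is a heuristic assumption.
ASPNET_TEMP_DIR = "\\temporary asp.net files\\"
WINDOW = timedelta(minutes=30)

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
EVENTS = [  # constructed sample telemetry: web01 is compromised, web02 is benign
    {"ts": "2024-03-01T10:00:00", "host": "web01", "type": "process_create", "pid": 4120, "ppid": 700,
     "image": W3WP, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-03-01T10:05:12", "host": "web01", "type": "image_load", "pid": 4120, "image": W3WP,
     "loaded": r"C:\inetpub\wwwroot\bin\App_Web_k3x9q1.dll"},
    {"ts": "2024-03-01T10:06:40", "host": "web01", "type": "process_create", "pid": 5312, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": W3WP},
    {"ts": "2024-03-01T10:07:03", "host": "web01", "type": "registry_access", "pid": 4120, "image": W3WP,
     "key": r"HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal"},
    {"ts": "2024-03-01T10:01:00", "host": "web02", "type": "process_create", "pid": 3900, "ppid": 712,
     "image": W3WP, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-03-01T10:02:30", "host": "web02", "type": "registry_access", "pid": 640,
     "image": r"C:\Windows\System32\lsass.exe", "key": r"HKLM\SECURITY\Policy\Secrets\NL$KM\CurrVal"},
    {"ts": "2024-03-01T10:03:10", "host": "web02", "type": "image_load", "pid": 3900, "image": W3WP,
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\a1b2c3d4\e5f6a7b8\App_Web_hs2mv0xq.dll"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def iis_lineage(events: list[dict]) -> dict[str, set[int]]:
    """Per host: pids of w3wp.exe and of every process spawned (transitively) by it."""
    lineage: dict[str, set[int]] = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["type"] != "process_create":
            continue
        if basename(e["image"]) == "w3wp.exe" or e["ppid"] in lineage[e["host"]]:
            lineage[e["host"]].add(e["pid"])
    return lineage


def extract_signals(events: list[dict]) -> list[tuple[str, datetime, str, str]]:
    """Return (host, ts, signal_name, evidence) for each weak indicator found."""
    lineage = iis_lineage(events)
    signals = []
    for e in events:
        host, ts = e["host"], datetime.fromisoformat(e["ts"])
        in_iis = e.get("pid") in lineage[host]
        if (e["type"] == "process_create" and basename(e.get("parent_image", "")) == "w3wp.exe"
                and basename(e["image"]) in INTERPRETERS):
            signals.append((host, ts, "iis_spawned_interpreter", e["image"]))
        elif (e["type"] == "registry_access" and in_iis
                and e["key"].lower().startswith(CREDENTIAL_KEY_PREFIXES)):
            signals.append((host, ts, "credential_registry_access", e["key"]))
        elif e["type"] == "image_load" and in_iis:
            loaded = e["loaded"].lower()
            if basename(loaded).startswith("app_web_") and ASPNET_TEMP_DIR not in loaded:
                signals.append((host, ts, "app_web_dll_outside_aspnet_temp", e["loaded"]))
    return signals


def correlate(events: list[dict], min_signals: int = 2, window: timedelta = WINDOW) -> list[dict]:
    """Alert when >= min_signals distinct signal types hit one host inside the window."""
    by_host: dict[str, list] = defaultdict(list)
    for host, ts, sig, detail in extract_signals(events):
        by_host[host].append((ts, sig, detail))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for ts, _, _ in items:
            in_window = [it for it in items if ts <= it[0] <= ts + window]
            kinds = {sig for _, sig, _ in in_window}
            if len(kinds) >= min_signals:
                alerts.append({"host": host, "start": ts.isoformat(), "signals": sorted(kinds),
                               "evidence": [d for _, _, d in in_window]})
                break  # one alert per host keeps the example readable
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["host"], a["start"], a["signals"])
```

The lineage step is what keeps the registry rule quiet on web02: lsass.exe reads the SECURITY hive constantly and must not match, so the rule only fires when the reading process is w3wp.exe or something it spawned. In production, the same two-signal threshold is how you absorb the false positives the "Detection direction" list warns about, since a single w3wp.exe-spawned cmd.exe or a single App_Web_ DLL is routine on many application servers.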
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b4b861a4a93e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CrowdStrike IceApple May 2022: CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- [2] mitre-attack S1022: MITRE ATT&CK software entry for S1022 (IceApple).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.