White Paper | Resource Center

Falcon OverWatch Proactive Threat Hunting Unearths IceApple Post-Exploitation Framework

Falcon OverWatch Proactive Threat Hunting Unearths IceApple Post-Exploitation Framework

CrowdStrike’s Falcon OverWatch™ proactive threat hunting has uncovered a sophisticated .NET-based post-exploitation framework, dubbed IceApple. The framework has been observed being deployed on Microsoft Exchange server instances, but it is capable of running under any Internet Information Services (IIS) web application.

Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022.

This research paper, “IceApple: A Novel Internet Information Services (IIS) Post-Exploitation Framework,” provides:

  • Insights into how proactive threat hunting uncovered IceApple
  • Information on how IceApple is being used in the wild
  • A deep dive into the functionality of all currently discovered modules of this evolving framework as well as information about how these modules interact

Latest White Papers

Ransomware Evolution and the Impact of an Outdated Defense
The Impact of Securing Your Cloud Environment with Falcon Cloud Security
A Modern Approach to Confidently Stopping Data Exfiltration

Discover More at our
Resource Center

Case Studies
Community Tools
CrowdCasts
Data Sheets
Demos
Guides
Infographics
Reports
Videos
White Papers

TECHNICAL CENTER

  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center