Adversaries associated with Operation Iron Tiger used a custom DNS tunneling client to exfiltrate data covertly inside DNS queries, traffic that most perimeters allow out without inspection. The YARA rule below identifies that tool when it is present on disk or in a memory dump; SOC teams should pair it with proactive hunting for DNS tunneling behavior in Azure Sentinel, so that a tunnel client the rule does not recognize is still caught by its traffic pattern.
YARA Rule
rule IronTiger_dnstunnel
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "This rule detects a dns tunnel tool used in Operation Iron Tiger"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "\\DnsTunClient\\" nocase wide ascii
        $str2 = "\\t-DNSTunnel\\" nocase wide ascii
        $str3 = "xssok.blogspot" nocase wide ascii
        $str4 = "dnstunclient" nocase wide ascii
        $mistake1 = "because of error, can not analysis" nocase wide ascii
        $mistake2 = "can not deal witn the error" nocase wide ascii
        $mistake3 = "the other retun one RST" nocase wide ascii
        $mistake4 = "Coversation produce one error" nocase wide ascii
        $mistake5 = "Program try to use the have deleted the buffer" nocase wide ascii
    condition:
        (uint16(0) == 0x5a4d) and ((any of ($str*)) or (any of ($mistake*)))
}
The rule contains 9 string patterns, all declared nocase wide ascii, so each one matches whether it is stored as ASCII or as UTF-16LE and regardless of letter case. The $str* group covers artifacts the developer left in the binary (the \DnsTunClient\ and \t-DNSTunnel\ project paths, the dnstunclient name and the xssok.blogspot domain); the $mistake* group covers the tool's own misspelled error messages, which are unlikely to occur in legitimate software and must therefore be kept verbatim, typos included. The condition first requires uint16(0) == 0x5a4d, the little-endian "MZ" DOS header, so the rule only fires on PE files; after that gate, "(any of ($str*)) or (any of ($mistake*))" is simply equivalent to "any of them". Because the rule matches the client binary rather than network traffic, deploy it wherever files are scanned: endpoint file collection, sandbox and mail-gateway scanning, memory dumps and retrospective scans of file shares. It will not see a tunnel that is already in flight; that is what the Sentinel hunt is for.
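To make the rule's semantics concrete, the following Python is an added example (not code from the original page or from Trend Micro) that re-implements the rule's matching logic without yara-python: the MZ gate, the nocase wide ascii string forms and the any-of grouping. The sample byte strings and the path-like text embedded in them are constructed for this illustration and are not real binaries.

```python
import re

# The rule's strings, transcribed from the YARA source above (YARA's "\\" is one literal backslash).
RULE_STRINGS = {
    "$str1": "\\DnsTunClient\\",
    "$str2": "\\t-DNSTunnel\\",
    "$str3": "xssok.blogspot",
    "$str4": "dnstunclient",
    "$mistake1": "because of error, can not analysis",
    "$mistake2": "can not deal witn the error",
    "$mistake3": "the other retun one RST",
    "$mistake4": "Coversation produce one error",
    "$mistake5": "Program try to use the have deleted the buffer",
}


def compile_yara_text(text):
    """Emulate a YARA text string carrying `nocase wide ascii`:
    ascii = the raw bytes, wide = the same characters as UTF-16LE (every byte followed by 0x00),
    nocase = ASCII case folding applied to either form."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")", re.IGNORECASE)


COMPILED = {name: compile_yara_text(text) for name, text in RULE_STRINGS.items()}


def is_pe(data):
    """The condition's uint16(0) == 0x5a4d: the little-endian 'MZ' DOS header magic."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def scan(data):
    """Return {'matched': bool, 'strings': [identifiers that hit]} the way the rule would."""
    hits = [name for name, pat in COMPILED.items() if pat.search(data)]
    any_str = any(h.startswith("$str") for h in hits)
    any_mistake = any(h.startswith("$mistake") for h in hits)
    return {"matched": is_pe(data) and (any_str or any_mistake), "strings": hits}


# Constructed sample buffers: a DOS magic, some filler, then one embedded string of interest.
_FILLER = b"\x90" * 62
PE_WIDE_PATH = b"MZ" + _FILLER + "C:\\src\\t-DNSTunnel\\Release\\".encode("utf-16-le")  # UTF-16LE, as in a PE resource
PE_MISTAKE_UPPER = b"MZ" + _FILLER + b"ERR: Can Not Deal Witn The Error\r\n"           # case differs from the rule
PE_PDB_PATH = b"MZ" + _FILLER + b"D:\\build\\DnsTunClient\\x64\\client.pdb"             # hits $str1 and, inside it, $str4
PE_CLEAN = b"MZ" + _FILLER + b"nslookup.exe  dig  dnstracer  dnschef"                   # admin tool names are not indicators
ELF_WITH_STRING = b"\x7fELF" + _FILLER + b"dnstunclient"                               # string present, but not a PE file

if __name__ == "__main__":
    for label, buf in [("wide path", PE_WIDE_PATH), ("upper-case mistake", PE_MISTAKE_UPPER),
                       ("pdb path", PE_PDB_PATH), ("clean PE", PE_CLEAN), ("ELF", ELF_WITH_STRING)]:
        print(f"{label:20} {scan(buf)}")
```

Two of the samples make the points that matter when tuning or porting the rule: the UTF-16LE path is caught only because of the wide modifier (version resources and other PE resource strings are stored that way), and the ELF buffer contains $str4 yet does not match, because the PE magic gate fails. Running the original rule with the yara command line gives the same verdicts.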
The false-positive scenarios below concern the complementary network-side hunt for DNS tunneling in Azure Sentinel (DNS telemetry joined with process-creation events), not the YARA rule, which matches the tool binary and is unaffected by who runs nslookup. Each exclusion should be scoped as narrowly as the scenario allows; an exclusion keyed on a process name alone is trivially bypassed by renaming the tunnel client.
Scenario: A system administrator uses nslookup to test DNS configurations manually during routine maintenance.
Filter/Exclusion: Suppress nslookup activity from known administrator accounts or hosts, and only within the scheduled maintenance window; keep the exclusion time-bounded rather than permanent.
Scenario: A scheduled job runs a script that uses dig to query internal DNS records for health checks.
Filter/Exclusion: Exclude queries for internal zones (e.g., internal.corp.example.com), matching on a label boundary so that look-alike names such as notinternal.corp.example.com are not excluded, and exclude the dig process only on the hosts that run the known monitoring scripts.
Scenario: A developer uses dnspython to implement a custom DNS resolver for internal application testing.
Filter/Exclusion: Exclude DNS traffic originating from the development subnet or from applications registered for internal testing, keyed on source address rather than on process name.
Scenario: A user runs dnstracer to troubleshoot DNS resolution issues on their local machine.
Filter/Exclusion: Scope the exclusion to that workstation and that troubleshooting window. Do not exclude end-user address ranges wholesale: compromised workstations are exactly where a tunneling implant runs, so a blanket exclusion would blind the hunt.
Scenario: A security tool such as dnschef is used for network analysis and packet inspection in the security operations center.
Filter/Exclusion: Exclude the SOC analysis hosts on which dnschef is sanctioned, identified by hostname or source address; filtering only on the process name of a network analysis tool is insufficient, since any binary can carry that name.
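The exclusions above, applied in an added Python example (not part of the original page and not a Sentinel query) to constructed DNS events. The zone names, hosts, subnets, the maintenance window, the simplified "ts" field and the unique-long-label tunneling heuristic are all assumptions made for this illustration; the point is how the scoping rules are encoded, which carries over to a KQL hunting query one clause at a time.

```python
import hashlib
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Allowlists assumed for this example (hypothetical hosts, zones and subnets).
INTERNAL_ZONES = ("internal.corp.example.com",)      # scenario: dig health checks of internal records
MONITORING_HOSTS = {"mon01.corp.example.com"}         # the host the scheduled health-check script runs on
DEV_SUBNETS = [ip_network("10.50.0.0/16")]            # scenario: developer resolver testing with dnspython
SOC_TOOL_HOSTS = {"soc-analysis01.corp.example.com"}  # scenario: dnschef in the SOC
ADMIN_TOOLS = {"nslookup.exe", "nslookup", "dig", "dnstracer"}


def in_zone(qname, zone):
    """Suffix match on a label boundary: 'a.internal.corp.example.com' is inside the zone,
    'notinternal.corp.example.com' is not, which a bare endswith() would get wrong."""
    q = qname.rstrip(".").lower()
    return q == zone or q.endswith("." + zone)


def exclusion_reason(ev, maintenance_window=None):
    """Return the name of the exclusion that covers the event, or None if it should be hunted.
    maintenance_window is an optional (start, end) pair in the same units as ev['ts']."""
    if any(in_zone(ev["qname"], z) for z in INTERNAL_ZONES):
        return "internal-zone"
    # Process name is paired with the host that is supposed to run it; a tunnel client
    # renamed to 'dig' on a workstation must not inherit the monitoring exclusion.
    if ev["process"] in ADMIN_TOOLS and ev["host"] in MONITORING_HOSTS:
        return "monitoring-script"
    if (ev["process"] in ADMIN_TOOLS and maintenance_window
            and maintenance_window[0] <= ev["ts"] <= maintenance_window[1]):
        return "maintenance-window"
    if any(ip_address(ev["src"]) in net for net in DEV_SUBNETS):
        return "dev-subnet"
    if ev["host"] in SOC_TOOL_HOSTS:
        return "soc-tooling"
    return None


def hunt(events, maintenance_window=None, min_unique=20, min_label_len=24):
    """Apply the exclusions, then flag domains that receive many distinct, long leftmost labels,
    a simple tunneling indicator assumed here (encoded payload travels in the labels).
    The 'domain' is taken as the last two labels; a real hunt would use the public suffix list."""
    labels_per_domain = defaultdict(set)
    for ev in events:
        if exclusion_reason(ev, maintenance_window):
            continue
        labels = ev["qname"].rstrip(".").lower().split(".")
        labels_per_domain[".".join(labels[-2:])].add(labels[0])
    findings = {}
    for domain, subs in labels_per_domain.items():
        mean_len = sum(map(len, subs)) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_label_len:
            findings[domain] = {"unique_subdomains": len(subs), "mean_label_len": round(mean_len, 1)}
    return findings


def _ev(ts, host, src, process, qname):
    return {"ts": ts, "host": host, "src": src, "process": process, "qname": qname}


# Constructed events; 'ts' is minutes since midnight for brevity.
SAMPLE_EVENTS = [
    _ev(600, "mon01.corp.example.com", "10.1.0.5", "dig", "db01.internal.corp.example.com"),
    _ev(601, "ws-alice.corp.example.com", "10.2.3.4", "nslookup.exe", "mail.example.org"),
    _ev(700, "dev-build7.corp.example.com", "10.50.12.9", "python3", "test.resolver.example"),
    _ev(800, "soc-analysis01.corp.example.com", "10.9.0.2", "dnschef", "target.example"),
    # Look-alike of the internal zone: must NOT be excluded.
    _ev(950, "ws-bob.corp.example.com", "10.2.7.8", "dig", "data.notinternal.corp.example.com"),
]
# A tunnel client renamed to 'dig' on a workstation, sending 40 hex-encoded chunks as labels.
SAMPLE_EVENTS += [
    _ev(900 + i, "ws-bob.corp.example.com", "10.2.7.8", "dig",
        hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".tun.example")
    for i in range(40)
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS[:5]:
        print(f"{ev['qname']:40} -> {exclusion_reason(ev, maintenance_window=(590, 620))}")
    print(hunt(SAMPLE_EVENTS, maintenance_window=(590, 620)))
```

The look-alike zone name and the renamed dig client are the two cases the narrow scoping is meant to preserve: both survive the exclusions, and the tunnel domain surfaces with 40 distinct 40-character labels while the four sanctioned events are dropped with a reason that can be logged. In Sentinel the same structure is one where clause per exclusion followed by a summarize with dcount() over the leftmost label per domain.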