Iron Tiger EFH3 Encoder

Hunt Hypothesis

The Iron Tiger EFH3 Encoder detects potential adversary use of a custom encoding method to obfuscate malicious payloads, which may indicate initial compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could evade standard detection mechanisms.

YARA Rule

rule IronTiger_EFH3_encoder 
{
  
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger EFH3 Encoder"
        reference = "http://goo.gl/T5fSJC"
  
    strings:
        $str1 = "EFH3 [HEX] [SRCFILE] [DSTFILE]" nocase wide ascii
        $str2 = "123.EXE 123.EFH" nocase wide ascii
        $str3 = "ENCODER: b[i]: = " nocase wide ascii
  
    condition:
        uint16(0) == 0x5a4d and (any of ($str*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• http://goo.gl/T5fSJC
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to perform a scheduled backup task that inadvertently encodes data using EFH3 due to a custom script.
  Filter/Exclusion: Exclude processes initiated by the schtasks.exe or Task Scheduler service, or filter by the command line arguments containing backup or restore.

• Scenario: A developer is using Wireshark to analyze network traffic and applies a custom packet filter that includes EFH3 encoding for protocol analysis.
  Filter/Exclusion: Exclude processes running Wireshark or tcpdump with specific command-line arguments related to packet capture or analysis.

• Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender is performing a memory scan and detects EFH3 encoding as part of its heuristic analysis.
  Filter/Exclusion: Exclude processes associated with CrowdStrike, Microsoft Defender, or Windows Defender using process name or parent process filtering.

• Scenario: A database administrator is using SQL Server Profiler or Azure SQL Tools to encode query results for export, which may trigger EFH3 encoding in logs.
  Filter/Exclusion: Exclude processes related to SQL Server or Azure SQL by process name or by checking for known database management system (DBMS) processes.

• Scenario: A system is running a Windows Update or Group Policy task that temporarily uses EFH3 encoding for secure communication or data handling.
  Filter/Exclusion: Exclude processes initiated by wuauclt.exe (Windows Update) or gpupdate.exe using process name or parent process filtering.