The Iron Tiger GetPassword x64 tool is likely used to harvest credentials by calling Windows APIs to extract password information from memory. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft and reduce the risk of lateral movement.
YARA Rule
rule IronTiger_GetPassword_x64
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - GetPassword x64"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "(LUID ERROR)" nocase wide ascii
        $str2 = "Users\\K8team\\Desktop\\GetPassword" nocase wide ascii
        $str3 = "Debug x64\\GetPassword.pdb" nocase wide ascii
        $bla1 = "Authentication Package:" nocase wide ascii
        $bla2 = "Authentication Domain:" nocase wide ascii
        $bla3 = "* Password:" nocase wide ascii
        $bla4 = "Primary User:" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*)))
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
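To show what the rule's "nocase wide ascii" modifiers and its condition actually check, here is an added pure-Python re-implementation of its matching logic run over constructed sample buffers (this is not the Trend Micro rule or a YARA engine; the sample buffers are made up and contain no real malware):

```python
from typing import Dict, List

# Strings copied from the rule; each is matched "nocase wide ascii".
STR_GROUP = ["(LUID ERROR)", "Users\\K8team\\Desktop\\GetPassword", "Debug x64\\GetPassword.pdb"]
BLA_GROUP = ["Authentication Package:", "Authentication Domain:", "* Password:", "Primary User:"]


def string_hits(data: bytes, needles: List[str]) -> Dict[str, bool]:
    """Emulate YARA 'nocase wide ascii': each needle may appear as ASCII or as
    UTF-16LE ("wide"), compared ASCII-case-insensitively. bytes.lower() folds
    only ASCII letters, so the 0x00 high bytes of UTF-16LE text are untouched."""
    hay = data.lower()
    return {
        s: (s.encode("ascii").lower() in hay) or (s.encode("utf-16-le").lower() in hay)
        for s in needles
    }


def matches_rule(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*)))"""
    # uint16(0) is read little-endian, so the file must start with the 'MZ' DOS header.
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    any_str = any(string_hits(data, STR_GROUP).values())
    all_bla = all(string_hits(data, BLA_GROUP).values())
    return any_str or all_bla


# Constructed sample buffers (assumption: hypothetical, not real samples): an MZ
# header, some filler, then the strings in various encodings and letter cases.
_HDR = b"MZ" + b"\x00" * 62
SAMPLE_PDB_PATH = _HDR + b"filler" + b"debug X64\\getpassword.PDB\x00"         # one $str, odd case
SAMPLE_WIDE_OUTPUT = _HDR + "".join(BLA_GROUP).upper().encode("utf-16-le")   # all $bla, wide, upper
SAMPLE_PARTIAL = _HDR + b"Authentication Package:\x00Primary User:\x00"        # only 2 of 4 $bla
SAMPLE_NOT_PE = b"#!/bin/sh\n" + b"Debug x64\\GetPassword.pdb\n"                 # $str hit but no MZ

if __name__ == "__main__":
    for name, buf in [("pdb path", SAMPLE_PDB_PATH), ("wide output", SAMPLE_WIDE_OUTPUT),
                      ("partial bla", SAMPLE_PARTIAL), ("not a PE", SAMPLE_NOT_PE)]:
        print(f"{name:12s} -> {matches_rule(buf)}")
```

The partial case is why the rule requires all four `$bla` strings: a legitimate tool that prints only "Primary User:" should not fire it, while a single PDB path or LUID string is specific enough on its own.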
Scenario: A system administrator is using PowerShell to retrieve password hashes for audit purposes using Get-LocalUser or Get-ADUser.
Filter/Exclusion: Check for the presence of Get-LocalUser or Get-ADUser in the command line, or filter by process name powershell.exe with specific command-line arguments.
Scenario: A scheduled job runs nightly to collect system logs or perform disk cleanup, which may involve reading or writing to sensitive system directories.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., schtasks.exe) or filter by the task name or user account used for the scheduled job.
Scenario: A third-party security tool (e.g., CrowdStrike Falcon, SentinelOne) performs a memory scan or integrity check, which may trigger similar API calls to system resources.
Filter/Exclusion: Exclude processes associated with known security tools by their process names or by checking the parent process chain.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to query user credentials for access control validation.
Filter/Exclusion: Filter by process name ssms.exe or check for SQL-related command-line arguments in the process invocation.
Scenario: A Windows Update or Group Policy deployment script is executed, which may temporarily access password storage or system credentials during configuration.
Filter/Exclusion: Exclude processes related to wuauclt.exe (Windows Update) or gpupdate.exe, or filter by the user context (e.g., SYSTEM or LocalService).