The GetUserInfo rule detects potential Iron Tiger malware activity where an adversary is attempting to gather user information to escalate privileges or move laterally within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware presence and prevent further compromise.
YARA Rule
rule IronTiger_GetUserInfo
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
description = "Iron Tiger Malware - GetUserInfo"
reference = "http://goo.gl/T5fSJC"
strings:
$str1 = "getuserinfo username" nocase wide ascii
$str2 = "[email protected]" nocase wide ascii
$str3 = "If . specified for userid," nocase wide ascii
condition:
uint16(0) == 0x5a4d and (any of ($str*))
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: System Administrator using PowerShell to retrieve user information for audit purposes.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name == "task scheduler"
Scenario: Scheduled job running PowerShell to generate user reports.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name == "schtasks.exe"
Scenario: IT support team using Microsoft Remote Desktop Services (RDP) to access user accounts for troubleshooting.
Filter/Exclusion: process.name != "rdp.exe" OR process.parent.name == "services.exe"
Scenario: Regular Windows Task Scheduler job that runs a script to fetch user details for log analysis.
Filter/Exclusion: process.name != "cmd.exe" OR process.parent.name == "schtasks.exe"
Scenario: Security team using Windows Management Instrumentation (WMI) to query user information during a security assessment.
Filter/Exclusion: process.name != "wmic.exe" OR process.parent.name == "services.exe"