This is a detection for a s.exe variant seen in Op. Iron Tiger

Hunt Hypothesis

The detection identifies the presence of a s.exe variant associated with the Op. Iron Tiger campaign, which may indicate initial compromise or lateral movement by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage threats and prevent further network infiltration.

YARA Rule

rule IronTiger_Gh0stRAT_variant
{
  
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
        reference = "http://goo.gl/T5fSJC"
  
    strings:
        $str1 = "Game Over Good Luck By Wind" nocase wide ascii
        $str2 = "ReleiceName" nocase wide ascii
        $str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
        $str4 = "Winds Update" nocase wide ascii
  
    condition:
        uint16(0) == 0x5a4d and (any of ($str*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• http://goo.gl/T5fSJC
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using Sysinternals Process Explorer (s.exe) to troubleshoot a process.
  Filter/Exclusion: Check for the presence of Sysinternals in the file path or use a filter like process.parent_process_name == "explorer.exe" or process.file_path contains "Sysinternals".

• Scenario: A scheduled job runs Windows System File Checker (sfc.exe) as part of routine maintenance.
  Filter/Exclusion: Filter by process.name == "sfc.exe" or check for process.command_line contains "sfc.exe" with known maintenance command-line arguments.

• Scenario: A developer is using Wireshark to capture network traffic, and the tool internally uses s.exe for some internal processing.
  Filter/Exclusion: Check for the presence of Wireshark in the file path or use a filter like process.file_path contains "Wireshark".

• Scenario: A Windows Update or Group Policy deployment triggers a background process that uses s.exe for system configuration.
  Filter/Exclusion: Filter by process.parent_process_name == "svchost.exe" or check for process.command_line contains "wuau" or "gpupdate".

• Scenario: A Microsoft System Configuration Tool (msconfig.exe) or Task Scheduler runs a script that temporarily uses s.exe for execution.
  Filter/Exclusion: Filter by process.parent_process_name == "taskhost.exe" or process.parent_process_name == "msconfig.exe".