The Iron Tiger Toolset - HTTP SOCKS Proxy soexe is likely being used by adversaries to establish covert SOCKS proxy connections, enabling data exfiltration or command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term persistence or data exfiltration activities that may evade traditional detection methods.
YARA Rule
rule IronTiger_HTTP_SOCKS_Proxy_soexe
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Toolset - HTTP SOCKS Proxy soexe"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "listen SOCKET error." nocase wide ascii
        $str2 = "WSAAsyncSelect SOCKET error." nocase wide ascii
        $str3 = "new SOCKETINFO error!" nocase wide ascii
        $str4 = "Http/1.1 403 Forbidden" nocase wide ascii
        $str5 = "Create SOCKET error." nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and (3 of ($str*))
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
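To make the rule's logic concrete, the following added example (not part of the Trend Micro rule or of this page) re-implements its condition in plain Python: the `uint16(0) == 0x5a4d` MZ-header check, and the `3 of ($str*)` threshold with each string matched the way `nocase wide ascii` would (ASCII or UTF-16LE, case-insensitive). The sample buffers are constructed stand-ins, not real soexe samples.

```python
# Strings copied from the IronTiger_HTTP_SOCKS_Proxy_soexe rule above.
RULE_STRINGS = [
    "listen SOCKET error.",
    "WSAAsyncSelect SOCKET error.",
    "new SOCKETINFO error!",
    "Http/1.1 403 Forbidden",
    "Create SOCKET error.",
]
MIN_STRING_HITS = 3  # the rule's "3 of ($str*)"


def string_hits(data: bytes) -> list:
    """Return the rule strings present in data, honouring 'nocase wide ascii'."""
    # bytes.lower() folds ASCII letters only and leaves the 0x00 bytes of a
    # UTF-16LE string untouched, which is what YARA's nocase does as well.
    haystack = data.lower()
    hits = []
    for s in RULE_STRINGS:
        ascii_form = s.lower().encode("ascii")      # 'ascii' modifier
        wide_form = s.lower().encode("utf-16-le")   # 'wide' modifier
        if ascii_form in haystack or wide_form in haystack:
            hits.append(s)
    return hits


def rule_matches(data: bytes) -> bool:
    """Equivalent of: uint16(0) == 0x5a4d and (3 of ($str*))."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False  # not an MZ (PE) header, regardless of string hits
    return len(string_hits(data)) >= MIN_STRING_HITS


# Constructed sample buffers (fake MZ header padding, no real code).
MZ = b"MZ" + b"\x90" * 62
SAMPLE_PE_ASCII = MZ + b"Create SOCKET error.\x00listen SOCKET error.\x00new SOCKETINFO error!\x00"
SAMPLE_PE_WIDE_MIXED = (MZ + "LISTEN socket ERROR.".encode("utf-16-le")
                        + "Http/1.1 403 Forbidden".encode("utf-16-le")
                        + b"WSAAsyncSelect SOCKET error.")
SAMPLE_PE_TWO = MZ + b"Create SOCKET error. listen SOCKET error."   # only 2 of 5
SAMPLE_NOT_PE = b"\x7fELF" + b"".join(s.encode() for s in RULE_STRINGS)  # 5 of 5, no MZ

if __name__ == "__main__":
    for name, buf in [("ascii strings", SAMPLE_PE_ASCII), ("wide mixed-case", SAMPLE_PE_WIDE_MIXED),
                      ("two strings", SAMPLE_PE_TWO), ("not a PE", SAMPLE_NOT_PE)]:
        print(f"{name:16s} match={rule_matches(buf)!s:5s} hits={len(string_hits(buf))}")
```

The last two samples show why both halves of the condition matter: a PE with only two strings and a non-PE file carrying all five are both rejected, which is what keeps the rule from firing on loose text artefacts.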
Scenario: Scheduled system maintenance task using soexe
Description: A legitimate system maintenance script or task may use soexe as part of a scheduled job to perform updates or configuration changes.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., schtasks.exe or at.exe) or with a command line containing known maintenance keywords like update, patch, or maintenance.
Scenario: Administrative tool for network configuration
Description: IT administrators may use soexe as part of a network configuration tool to set up or modify proxy settings across the enterprise.
Filter/Exclusion: Exclude processes launched from known administrative tools (e.g., netsh, ipconfig, or rasdial) or with a command line containing proxy, http, or socks.
Scenario: Legacy application compatibility testing
Description: A legacy application or compatibility test may use soexe to simulate or test SOCKS proxy behavior during QA or development.
Filter/Exclusion: Exclude processes running in a test environment (e.g., with Test or QA in the command line) or from specific user accounts used for testing.
Scenario: Custom script for internal proxy management
Description: A custom PowerShell or batch script may invoke soexe to manage internal proxy configurations for internal users or services.
Filter/Exclusion: Exclude processes with command lines containing script paths or known internal tool names (e.g., InternalProxyManager, ProxyConfigTool).
Scenario: Third-party software installation or update
Description: Some third-party software may include soexe as part of its installation or update process, especially if it requires proxy configuration.
Filter/Exclusion: Exclude processes launched