This detection identifies the PlugX server (controller) binary associated with the Iron Tiger campaign. The YARA rule matches the operator-side controller executable itself rather than command-and-control traffic: its strings are Pascal/Delphi unit names (.pas files) and UI messages from that tool. Finding it on a host or file share therefore indicates staged attacker tooling, not merely an infected victim, and the host it was found on should be investigated immediately. SOC teams should proactively hunt for this binary to identify and contain early-stage intrusions; YARA runs in endpoint or file-scanning tooling, with hits forwarded to Azure Sentinel for correlation with the surrounding process and network telemetry.
YARA Rule
rule IronTiger_PlugX_Server
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - PlugX Server"
        reference = "http://goo.gl/T5fSJC"
    strings:
        // Delphi/Pascal unit names and UI strings from the PlugX controller (server) binary.
        // 'ascii' and 'wide' match the 1-byte and UTF-16LE forms; 'nocase' ignores ASCII case.
        $str1 = "\\UnitFrmManagerKeyLog.pas" nocase wide ascii
        $str2 = "\\UnitFrmManagerRegister.pas" nocase wide ascii
        $str3 = "Input Name..." nocase wide ascii
        $str4 = "New Value#" nocase wide ascii
        $str5 = "TThreadRControl.Execute SEH!!!" nocase wide ascii
        $str6 = "\\UnitFrmRControl.pas" nocase wide ascii
        $str7 = "OnSocket(event is error)!" nocase wide ascii
        $str8 = "Make 3F Version Ok!!!" nocase wide ascii
        // The misspellings in $str9 are verbatim from the binary; do not "correct" them.
        $str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" nocase wide ascii
        $str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" nocase wide ascii
    condition:
        // MZ header (bytes "MZ", read little-endian as 0x5a4d) and at least two of the ten strings
        uint16(0) == 0x5a4d and (2 of ($str*))
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns ($str1 to $str10) in its detection logic. The condition fires when the file starts with an MZ header (uint16(0) == 0x5a4d) and any 2 of the 10 strings are present, in ASCII or UTF-16LE form and regardless of case. Several of the strings are generic UI text ("Input Name...", "New Value#", the [Ok]/[Cancel] prompt), so if the rule proves noisy against other Delphi-built applications in your estate, a tighter local variant can require one of the unit-file names ($str1, $str2 or $str6) alongside any second string.
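To see how the modifiers and the "2 of" condition behave, the following added example (not Trend Micro's code, and not a substitute for running YARA) re-implements the rule's matching logic in plain Python and runs it over three constructed byte buffers: one that looks like the controller (MZ header plus two strings stored as UTF-16LE with altered case), one with only a single generic string, and one with two strings but no MZ header. The buffers are constructed here and are not real PlugX samples.

```python
"""Emulate the matching logic of IronTiger_PlugX_Server in plain Python.

Added illustration, not Trend Micro's code and not a substitute for running
YARA; it exists so the 'nocase wide ascii' modifiers and the '2 of ($str*)'
condition can be exercised offline. The byte buffers below are constructed
here and are NOT real PlugX controller samples.
"""

# The ten strings exactly as the rule lists them ($str1..$str10). The odd
# spelling in $str9 is verbatim from the binary, so it must stay that way.
RULE_STRINGS = [
    "\\UnitFrmManagerKeyLog.pas",
    "\\UnitFrmManagerRegister.pas",
    "Input Name...",
    "New Value#",
    "TThreadRControl.Execute SEH!!!",
    "\\UnitFrmRControl.pas",
    "OnSocket(event is error)!",
    "Make 3F Version Ok!!!",
    "PELEASE DO NOT CHANGE THE DOCAMENT",
    "Press [Ok] Continue Run, Press [Cancel] Exit",
]


def string_present(data: bytes, s: str) -> bool:
    """'ascii' and 'wide' give two byte forms (1 byte/char and UTF-16LE);
    'nocase' folds ASCII case, which bytes.lower() does without touching
    the 0x00 bytes of the wide form."""
    haystack = data.lower()
    return (s.encode("ascii").lower() in haystack
            or s.encode("utf-16-le").lower() in haystack)


def matched_strings(data: bytes) -> list:
    """Rule strings found in data, in $str1..$str10 order."""
    return [s for s in RULE_STRINGS if string_present(data, s)]


def rule_matches(data: bytes) -> bool:
    """condition: uint16(0) == 0x5a4d and (2 of ($str*))"""
    has_mz = int.from_bytes(data[:2], "little") == 0x5A4D  # b"MZ"
    return has_mz and len(matched_strings(data)) >= 2


def build_sample(strings, wide=False, mz=True) -> bytes:
    """Constructed stand-in for an executable: a 2-byte header, padding, then
    the given strings in ASCII or UTF-16LE form. Not a valid PE; only the
    bytes the rule looks at are meaningful."""
    data = b"MZ" if mz else b"\x7fELF"
    data += b"\x00" * 62
    for s in strings:
        data += (s.encode("utf-16-le") if wide else s.encode("ascii")) + b"\x00" * 4
    return data


# Constructed inputs:
#  - CONTROLLER_LIKE: MZ header plus two rule strings stored wide with altered
#    case (exercises 'wide' and 'nocase') -> matches
#  - ONE_STRING_ONLY: MZ header but a single generic string -> no match
#  - NO_MZ_HEADER:    two strings present but not an MZ file -> no match
CONTROLLER_LIKE = build_sample(["\\unitfrmrcontrol.PAS", "ONSOCKET(event is error)!"], wide=True)
ONE_STRING_ONLY = build_sample(["Input Name..."])
NO_MZ_HEADER = build_sample(["\\UnitFrmManagerKeyLog.pas", "New Value#"], mz=False)

if __name__ == "__main__":
    for name, blob in [("CONTROLLER_LIKE", CONTROLLER_LIKE),
                       ("ONE_STRING_ONLY", ONE_STRING_ONLY),
                       ("NO_MZ_HEADER", NO_MZ_HEADER)]:
        print(f"{name}: match={rule_matches(blob)} strings={matched_strings(blob)}")
```

The third buffer is the one to keep in mind when the rule is ported to tooling that scans memory or non-PE artifacts: the strings alone are not enough, because the uint16(0) check deliberately restricts hits to executables.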
The scenarios below are false-positive tuning guidance for the remote-administration telemetry that typically surrounds a PlugX finding (process creation, remote sessions, scheduled tasks). They describe process- and session-level events, not the file content the YARA rule inspects, so a YARA match on the controller binary itself should never be suppressed by them; they belong in the correlation or alerting layer around it. Each exclusion combines a process name with a known account, task or session and an internal source address, and all of those conditions should be required before an event is excluded.
Scenario: A system administrator is using PowerShell to remotely manage a server via WinRM for routine maintenance.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes Invoke-Command, run under a known admin account from a known internal IP address.
Scenario: A scheduled task runs a legitimate script that connects to a remote server with PsExec for log collection.
Filter/Exclusion: Exclude events where the process name is psexec.exe and the execution is tied to a known scheduled job (e.g., LogCollectorTask) running in its expected user context.
Scenario: An administrator starts a remote desktop session with mstsc.exe to troubleshoot a service issue.
Filter/Exclusion: Exclude events where the process name is mstsc.exe and the user is a domain admin with a known session ID connecting from a known internal IP address.
Scenario: A backup job executed by Veeam Backup & Replication connects to a remote server to transfer data.
Filter/Exclusion: Exclude events where the process name is veeam.exe and the command line includes backup or transfer, run under the known backup account from a known internal IP address.
Scenario: Windows updates are pushed to multiple machines with PsExec as part of a Group Policy-driven maintenance process, invoking msiexec or wuauclt on the targets.
Filter/Exclusion: Exclude events where the process name is psexec.exe and the command line includes msiexec or wuauclt, run under a known update account from a known internal IP address.
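The five scenarios above are easiest to get right when encoded as an allowlist whose entries must match on every field. The added example below (not part of this page or of any vendor product) does that over a handful of constructed process-creation events, showing that a familiar process name on its own, such as psexec.exe from an unexpected account or from outside the internal ranges, still raises an alert. The account names, task name and the RFC 1918 ranges treated as "internal" are assumptions for the illustration.

```python
"""Apply the five tuning scenarios as an allowlist over process events.

Added illustration, not from the page or any vendor. Every condition in an
allowlist entry must hold for an event to be suppressed. Account names, the
task name and the 'internal' ranges are assumptions; the events are constructed.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One entry per scenario. Every key other than "name" is a condition.
ALLOWLIST = [
    {"name": "WinRM admin via Invoke-Command", "process": "powershell.exe",
     "cmdline_any": ["invoke-command"], "accounts": {"corp\\adm-jdoe"}},
    {"name": "Scheduled PsExec log collection", "process": "psexec.exe",
     "task": "LogCollectorTask", "accounts": {"corp\\svc-logcollect"}},
    {"name": "RDP by domain admin", "process": "mstsc.exe",
     "groups_any": ["Domain Admins"]},
    {"name": "Veeam backup transfer", "process": "veeam.exe",
     "cmdline_any": ["backup", "transfer"], "accounts": {"corp\\svc-veeam"}},
    {"name": "PsExec update push", "process": "psexec.exe",
     "cmdline_any": ["msiexec", "wuauclt"], "accounts": {"corp\\svc-update"}},
]


def is_internal(ip: str) -> bool:
    """True when ip parses and falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def entry_covers(entry: dict, ev: dict) -> bool:
    """True only if every condition in the entry holds for the event."""
    if ev.get("process", "").lower() != entry["process"]:
        return False
    if not is_internal(ev.get("src_ip", "")):  # all scenarios require an internal source
        return False
    cmd = ev.get("cmdline", "").lower()
    if "cmdline_any" in entry and not any(t in cmd for t in entry["cmdline_any"]):
        return False
    if "accounts" in entry and ev.get("account", "").lower() not in entry["accounts"]:
        return False
    if "groups_any" in entry and not any(g in ev.get("groups", []) for g in entry["groups_any"]):
        return False
    if "task" in entry and ev.get("task") != entry["task"]:
        return False
    return True


def triage(events):
    """Return (alert_ids, suppressed) where suppressed pairs an event id with the entry name."""
    alerts, suppressed = [], []
    for ev in events:
        hit = next((e["name"] for e in ALLOWLIST if entry_covers(e, ev)), None)
        if hit is None:
            alerts.append(ev["id"])
        else:
            suppressed.append((ev["id"], hit))
    return alerts, suppressed


# Constructed events (not real telemetry). Hosts, accounts and IPs are made up.
EVENTS = [
    {"id": 1, "process": "powershell.exe", "account": "CORP\\adm-jdoe", "src_ip": "10.20.1.15",
     "cmdline": "powershell.exe -c Invoke-Command -ComputerName srv01 -ScriptBlock {Get-Service}"},
    {"id": 2, "process": "powershell.exe", "account": "CORP\\jsmith", "src_ip": "10.20.1.16",
     "cmdline": "powershell.exe -c Invoke-Command -ComputerName srv01 -ScriptBlock {whoami}"},
    {"id": 3, "process": "psexec.exe", "account": "CORP\\svc-update", "src_ip": "10.20.1.17",
     "cmdline": "psexec.exe \\\\srv01 cmd /c whoami"},              # right account, wrong command
    {"id": 4, "process": "psexec.exe", "account": "CORP\\svc-update", "src_ip": "203.0.113.5",
     "cmdline": "psexec.exe \\\\srv02 msiexec /i update.msi /qn"},  # external source address
    {"id": 5, "process": "mstsc.exe", "account": "CORP\\adm-jdoe", "src_ip": "192.168.5.5",
     "cmdline": "mstsc.exe /v:srv03", "groups": ["Domain Admins"]},
    {"id": 6, "process": "psexec.exe", "account": "CORP\\svc-logcollect", "src_ip": "10.20.1.18",
     "cmdline": "psexec.exe \\\\srv04 -s cmd /c collect.bat", "task": "LogCollectorTask"},
]

if __name__ == "__main__":
    alert_ids, quiet = triage(EVENTS)
    print("alert:", alert_ids)
    print("suppressed:", quiet)
```

Events 3 and 4 are the ones worth noticing: both use the expected process and, in one case, the expected account, yet neither is suppressed because a single failed condition is enough. Because every entry hinges on the source being inside the internal ranges, a compromised admin workstation satisfies the exclusions just as well as a real administrator does; log suppressed events rather than discarding them, and never apply these filters to the YARA file match itself.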