The IronTiger_ReadPWD86 rule identifies ReadPWD86, a credential-dumping tool that Trend Micro attributes to the Iron Tiger group. The rule is a file-content signature, not a behavioural one: it matches a Windows executable (MZ header) that carries the tool's own error and output strings, which reference LSASRV and LSASS, the Windows components that hold logged-on users' credentials in memory. A hit therefore means a password dumper is present on disk or in process memory, which typically precedes credential theft and lateral movement. SOC teams should scan endpoints with the rule and pivot on the matching host and file hash in their SIEM (e.g. Azure Sentinel) to catch the intrusion before it spreads.
YARA Rule
rule IronTiger_ReadPWD86
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - ReadPWD86"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "Fail To Load LSASRV" nocase wide ascii
        $str2 = "Fail To Search LSASS Data" nocase wide ascii
        $str3 = "User Principal" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and (all of ($str*))
}
Deployment: the rule operates on content, so it belongs in tools that run YARA (endpoint file scans, sandbox or triage pipelines, process-memory scans), not in a log query. The condition requires the buffer to begin with the PE magic "MZ" (uint16(0) == 0x5a4d, the two bytes read little-endian) and to contain all 3 string patterns; each string is declared nocase wide ascii, so it matches in ASCII or UTF-16LE regardless of letter case.
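To make the condition concrete, here is a plain-Python emulation of the rule's matching logic. It is added for this page and is not part of the Trend Micro rule or of any YARA tooling, and it is not a substitute for running YARA; it only shows what "nocase wide ascii" and the MZ check actually test. The sample buffers are constructed inside the script (no real samples), and build_sample, matched_strings and rule_matches are names chosen for the illustration.

```python
"""Emulation of the IronTiger_ReadPWD86 condition in plain Python.

Added illustration for this page, not the rule's own code and not a YARA
replacement. It shows what the modifiers 'nocase wide ascii' and the test
uint16(0) == 0x5a4d mean, using constructed in-memory buffers.
"""
import re

# The three strings exactly as they appear in the rule.
RULE_STRINGS = (
    "Fail To Load LSASRV",
    "Fail To Search LSASS Data",
    "User Principal",
)

MZ_MAGIC = 0x5A4D  # uint16(0) of a PE file: the bytes b"MZ" read little-endian


def _variants(s: str) -> list[bytes]:
    """Expand one string with the 'ascii' and 'wide' modifiers.

    'wide' means UTF-16LE (each character followed by a NUL byte), which is
    how Windows binaries commonly store their message strings.
    """
    return [s.encode("ascii"), s.encode("utf-16-le")]


def _pattern(s: str) -> re.Pattern:
    # re.IGNORECASE on a bytes pattern folds only ASCII letters, which is
    # the same behaviour as YARA's 'nocase'.
    alts = b"|".join(re.escape(v) for v in _variants(s))
    return re.compile(alts, re.IGNORECASE)


PATTERNS = {s: _pattern(s) for s in RULE_STRINGS}


def matched_strings(data: bytes) -> dict[str, list[int]]:
    """Offsets at which each rule string occurs, in either encoding."""
    return {s: [m.start() for m in p.finditer(data)] for s, p in PATTERNS.items()}


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: the buffer starts with an MZ header."""
    if len(data) < 2:
        return False
    return int.from_bytes(data[:2], "little") == MZ_MAGIC


def rule_matches(data: bytes) -> bool:
    """Full condition: MZ header and all of ($str*)."""
    return is_pe(data) and all(matched_strings(data).values())


# --- constructed test buffers (hypothetical, not real samples) ------------
def build_sample(strings, pe: bool = True, wide: bool = False) -> bytes:
    """Assemble a fake file: MZ (or ELF) magic, padding, then the strings."""
    body = b"MZ" if pe else b"\x7fELF"
    body += b"\x00" * 64
    for s in strings:
        body += (s.encode("utf-16-le") if wide else s.encode("ascii")) + b"\x00"
    return body


if __name__ == "__main__":
    upper_wide = build_sample([s.upper() for s in RULE_STRINGS], wide=True)
    print("UTF-16LE, upper-cased, MZ ->", rule_matches(upper_wide))
    print("ASCII strings, not a PE   ->", rule_matches(build_sample(RULE_STRINGS, pe=False)))
    print("only two strings, MZ      ->", rule_matches(build_sample(RULE_STRINGS[:2])))
```

The first buffer matches even though the strings are upper-cased and UTF-16LE encoded, which is the point of nocase and wide; the second fails only because it lacks the MZ header, showing how much of the rule's precision comes from that two-byte check; the third shows that all three strings are required.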
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (cron, systemd timer, at) runs a script that reads password files such as /etc/shadow for an audit or password-policy check. This does not trigger the rule: YARA inspects file content, and IronTiger_ReadPWD86 requires a Windows PE header plus the three ReadPWD86 strings, none of which a Linux password-file read produces.
Filter/Exclusion: None is needed for this rule. If such events appear alongside YARA hits in a hunt, they come from a separate file-access detection and should be tuned there (for example on the maintenance scripts' process names).
Example Filter: Not applicable to a content signature.
Scenario: Administrator Using sudo to Modify Passwords
Description: An admin changes a password with passwd or chpasswd under sudo. As above, this is a behavioural event on a Linux host and cannot match a rule that looks for a Windows executable's strings.
Filter/Exclusion: None for this rule. Where a behavioural rule does alert on this activity, parenthesise the process clause: AND binds tighter than OR, so without the parentheses the admin condition applies only to chpasswd and every passwd event passes the filter.
Example Filter: (process.name = "passwd" OR process.name = "chpasswd") AND user.name = "root"
Scenario: Logrotate or Backup Job Accessing Password Files
Description: A backup or log-rotation job (logrotate, rsync, tar) reads password files during a backup. Reading them does not match the rule. A backup job can, however, copy a ReadPWD86 binary along with everything else, in which case a scan of the backup store will correctly fire on the copied sample.
Filter/Exclusion: Do not exclude backup tools by process name; that has no effect on a content scan. Tune instead by path or hash for locations known to hold samples (malware repositories, sandbox output, AV quarantine), and keep the hit at the original location in scope.
Example Filter: Exclusion by directory path or file hash, not by process.name.
Scenario: Security Tool or SIEM Agent Reading Password Files
Description: A security tool (e.g., OSSEC, Splunk, ELK)