This detection identifies use of the Iron Tiger wmi.vbs tool, a script commonly associated with lateral movement and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to surface adversary activity that may evade traditional detection methods.
YARA Rule
rule IronTiger_wmiexec
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Tool - wmi.vbs detection"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "Temp Result File , Change it to where you like" nocase wide ascii
        $str2 = "wmiexec" nocase wide ascii
        $str3 = "By. Twi1ight" nocase wide ascii
        $str4 = "[both mode] ,delay TIME to read result" nocase wide ascii
        $str5 = "such as nc.exe or Trojan" nocase wide ascii
        $str6 = "+++shell mode+++" nocase wide ascii
        $str7 = "win2008 fso has no privilege to delete file" nocase wide ascii
    condition:
        2 of ($str*)
}
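The rule's modifiers decide what the seven strings actually match: "ascii" and "wide" look for both the one-byte and the UTF-16LE encoding of each string, "nocase" folds ASCII letters, and "2 of ($str*)" requires two distinct identifiers to hit before the rule fires. The following Python re-implements exactly that logic so the threshold and encoding behaviour can be exercised offline. It is an added example, not code from the page or from Trend Micro; the two sample scripts are constructed inline and are not real Iron Tiger samples.

```python
from __future__ import annotations

import re

# The seven strings declared in the IronTiger_wmiexec rule, copied from the rule body.
RULE_STRINGS: dict[str, str] = {
    "$str1": "Temp Result File , Change it to where you like",
    "$str2": "wmiexec",
    "$str3": "By. Twi1ight",
    "$str4": "[both mode] ,delay TIME to read result",
    "$str5": "such as nc.exe or Trojan",
    "$str6": "+++shell mode+++",
    "$str7": "win2008 fso has no privilege to delete file",
}

# "condition: 2 of ($str*)" -- at least two distinct string identifiers must match.
THRESHOLD = 2


def _compile(pattern: str) -> list[re.Pattern[bytes]]:
    """Build the byte patterns implied by the 'nocase wide ascii' modifiers.

    ascii  -> the literal one-byte-per-character form
    wide   -> the UTF-16LE form (each ASCII character followed by a NUL byte)
    nocase -> re.IGNORECASE on bytes, which folds ASCII letters only, the same
              way YARA's nocase does. All seven strings are pure ASCII, so the
              NUL bytes of the wide form are untouched by the folding.
    """
    ascii_form = pattern.encode("ascii")
    wide_form = pattern.encode("utf-16-le")
    return [
        re.compile(re.escape(ascii_form), re.IGNORECASE),
        re.compile(re.escape(wide_form), re.IGNORECASE),
    ]


COMPILED = {name: _compile(text) for name, text in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> list[str]:
    """Return the identifiers of every rule string found in data (either encoding)."""
    return [name for name, variants in COMPILED.items()
            if any(v.search(data) for v in variants)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: fire when >= THRESHOLD distinct strings match."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample 1: an ASCII script that carries only one of the seven
# strings ($str1). One hit is below the threshold, so the rule stays quiet.
SAMPLE_ONE_HIT = (
    b"' inventory helper\r\n"
    b"Set objWMI = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")\r\n"
    b"' Temp Result File , Change it to where you like\r\n"
)

# Constructed sample 2: a UTF-16LE (wide) script holding two strings in altered
# case. 'nocase wide' still finds $str3 and $str6, so the rule fires.
SAMPLE_WIDE_TWO_HITS = (
    "' BY. twi1ight\r\n"
    "' +++SHELL MODE+++\r\n"
).encode("utf-16-le")


if __name__ == "__main__":
    for label, blob in (("one-hit ascii", SAMPLE_ONE_HIT),
                        ("two-hit wide", SAMPLE_WIDE_TWO_HITS)):
        print(f"{label}: strings={matched_strings(blob)} fires={rule_matches(blob)}")
```

Running the block shows the one-hit ASCII file does not trigger the rule while the two-hit wide file does. The same harness is a cheap way to check whether a candidate exclusion (say, a legitimate script that embeds one of these phrases) can ever reach the two-string threshold before it is deployed as a filter.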
This YARA rule can be deployed in the following contexts:
This rule declares 7 string patterns and fires when any 2 of them match (condition: 2 of ($str*)).
Scenario: A system administrator is using Windows Task Scheduler to run a legitimate script named wmi.vbs to gather system inventory for compliance reporting.
Filter/Exclusion: Check the Task Scheduler job name and description for known administrative tasks (e.g., “System Inventory Report”).
Scenario: A Microsoft System Center Configuration Manager (SCCM) agent is executing a script named wmi.vbs to collect hardware and software inventory.
Filter/Exclusion: Filter based on the parent process (e.g., smsexec.exe or ccmexec.exe) or check the command line arguments for SCCM-related strings.
Scenario: A PowerShell script is using wmi.vbs as a helper script to perform routine system diagnostics or monitoring.
Filter/Exclusion: Check the calling process (e.g., powershell.exe) and inspect the script execution context for known diagnostic or monitoring tools.
Scenario: A scheduled job runs wmi.vbs as part of a Microsoft Endpoint Manager (MEM) compliance scan to check for software updates.
Filter/Exclusion: Filter by job name or task origin (e.g., “Microsoft Intune Compliance Scan”) and verify the script location against known MEM directories.
Scenario: A third-party IT management tool (e.g., SolarWinds or ManageEngine) uses wmi.vbs to perform system health checks or configuration audits.
Filter/Exclusion: Check the parent process or script location to identify known third-party management tool directories or processes.
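The five scenarios above share one triage pattern: a hit on a file named wmi.vbs is suppressed only when a benign management context is present (a known parent process, a known scheduled-task name, or a known deployment directory), never on the file name alone. The Python below encodes that pattern over a process-creation event. It is an added example, not part of the page or of any vendor's tooling; the parent-process names and task names come from the scenarios, while the script directories and the event field names are hypothetical placeholders to be replaced with the paths and schema of your own environment.

```python
from __future__ import annotations

from dataclasses import dataclass

# Allow-list values taken from the scenarios: SCCM parent processes and the
# scheduled-task names quoted as examples.
KNOWN_PARENTS = {"smsexec.exe", "ccmexec.exe"}
KNOWN_TASK_NAMES = {"System Inventory Report", "Microsoft Intune Compliance Scan"}

# HYPOTHETICAL deployment directories; replace with the paths your
# SCCM/MEM/third-party management tooling really writes scripts to.
KNOWN_SCRIPT_DIRS = (
    r"C:\Program Files\ExampleOrg\Inventory",
    r"C:\ProgramData\ExampleOrg\Compliance",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation event; field names are illustrative, not a real schema."""
    image: str              # process that ran the script, e.g. cscript.exe
    parent_image: str       # its parent process
    command_line: str
    script_path: str
    task_name: str = ""     # populated when launched by Task Scheduler


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_known_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(p.startswith(d.lower() + "\\") for d in KNOWN_SCRIPT_DIRS)


def triage(event: ProcessEvent) -> tuple[str, list[str]]:
    """Return ("suppress" | "escalate", reasons).

    Suppress only when at least one benign-context signal is present. The
    script being called wmi.vbs is deliberately not a signal by itself.
    """
    reasons: list[str] = []
    parent = _basename(event.parent_image)
    if parent in KNOWN_PARENTS:
        reasons.append(f"parent {parent} is a known SCCM process")
    if event.task_name in KNOWN_TASK_NAMES:
        reasons.append(f"scheduled task '{event.task_name}' is a known admin task")
    if _in_known_dir(event.script_path):
        reasons.append("script lives in a known management-tool directory")
    return ("suppress" if reasons else "escalate"), reasons


# Constructed events (not real telemetry).
SCCM_EVENT = ProcessEvent(
    image=r"C:\Windows\System32\cscript.exe",
    parent_image=r"C:\Windows\CCM\CcmExec.exe",
    command_line=r'cscript.exe //nologo "C:\ProgramData\ExampleOrg\Compliance\wmi.vbs"',
    script_path=r"C:\ProgramData\ExampleOrg\Compliance\wmi.vbs",
)
TASK_EVENT = ProcessEvent(
    image=r"C:\Windows\System32\cscript.exe",
    parent_image=r"C:\Windows\System32\svchost.exe",
    command_line=r'cscript.exe "C:\Scripts\wmi.vbs"',
    script_path=r"C:\Scripts\wmi.vbs",
    task_name="System Inventory Report",
)
UNKNOWN_EVENT = ProcessEvent(
    image=r"C:\Windows\System32\cscript.exe",
    parent_image=r"C:\Windows\System32\cmd.exe",
    command_line=r'cscript.exe "C:\Windows\Temp\wmi.vbs"',
    script_path=r"C:\Windows\Temp\wmi.vbs",
)


if __name__ == "__main__":
    for name, ev in (("sccm", SCCM_EVENT), ("task", TASK_EVENT), ("unknown", UNKNOWN_EVENT)):
        verdict, why = triage(ev)
        print(f"{name}: {verdict} {why}")
```

The SCCM and scheduled-task events are suppressed with the matching reason recorded, while the event with no recognised context is escalated. Keeping the reasons alongside the verdict matters for review: an exclusion should be auditable, and the YARA hit on the file content should still be logged even when the alert is suppressed.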