Adversaries using Neuron2 may employ a specific decryption routine to execute malicious payloads, which can indicate the presence of the malware in the environment. Proactively hunting for this behavior in Azure Sentinel helps identify potential Neuron2 infections early, enabling timely containment and mitigation.
YARA Rule
rule MW_neuron2_decryption_routine : Turla APT
{
    meta:
        description = "Rule for detection of Neuron2 based on the routine used to decrypt the payload"
        author = "NCSC"
        family = "Turla"
        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
        date = "2018-01-18"
        hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
    strings:
        $ = {81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1 8A 0C 14 8D 50 01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
When hunting with this YARA rule, the following legitimate activities can produce false positives; each scenario is paired with a suggested filter or exclusion:
Scenario: A system administrator is using PowerShell to decrypt encrypted logs for audit purposes.
Filter/Exclusion: Check for ProcessName containing powershell.exe and filter out processes initiated by users with administrative privileges or those running in a known log decryption context.
Scenario: A scheduled job runs nightly to decrypt backup files using a custom decryption script.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., schtasks.exe) or those running under a specific service account used for backup operations.
Scenario: A network monitoring tool like Wireshark or tcpdump is decrypting encrypted traffic for analysis.
Filter/Exclusion: Filter out processes related to network analysis tools by checking ProcessName or using a custom field indicating the tool’s purpose.
Scenario: A system update or patching tool (e.g., Windows Update, Ansible, or Chef) decrypts payloads during deployment.
Filter/Exclusion: Exclude processes associated with known patching tools by checking ProcessName or using a custom field indicating the tool’s role in the update process.
Scenario: A security tool like CrowdStrike or Microsoft Defender decrypts payloads for malware analysis.
Filter/Exclusion: Exclude processes running under the security tool’s service account or those associated with sandboxed environments or threat intelligence analysis.
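To make the rule's condition concrete, the following is an added example (not code from NCSC or from the original page): a small pure-Python re-implementation of the same check, so the PE-header test and the byte-pattern string can be exercised without a YARA install. The MZ/PE buffers it builds are constructed for illustration and are not real Neuron2 samples.

```python
import struct

# The $ string from the NCSC rule, as raw bytes. It contains no wildcards,
# so a plain substring search is equivalent to YARA's string match.
NEURON2_DECRYPT_PATTERN = bytes.fromhex(
    "81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1"
    " 8A 0C 14 8D 50 01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01"
)


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550, evaluated the
    way YARA does: little-endian reads, and a read past the end of the
    buffer makes the condition false rather than raising."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:          # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550  # "PE"


def matches_neuron2_rule(data: bytes) -> bool:
    """Equivalent of the rule's condition: PE header AND the pattern present."""
    return is_pe(data) and NEURON2_DECRYPT_PATTERN in data


def scan_file(path: str) -> bool:
    """Apply the check to a file on disk (hypothetical helper for hunting)."""
    with open(path, "rb") as fh:
        return matches_neuron2_rule(fh.read())


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal MZ/PE-shaped buffer: 'MZ' at offset 0, e_lfanew at
    0x3c pointing at a 'PE\\0\\0' signature, then the payload. Not loadable."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed inputs: a hit, the same pattern outside a PE, and a clean PE.
SAMPLE_HIT = build_fake_pe(b"\x90" * 16 + NEURON2_DECRYPT_PATTERN + b"\xC3")
SAMPLE_NOT_PE = b"\x90" * 16 + NEURON2_DECRYPT_PATTERN
SAMPLE_CLEAN_PE = build_fake_pe(b"\x90" * 64)

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE), ("clean", SAMPLE_CLEAN_PE)):
        print(f"{name}: {matches_neuron2_rule(blob)}")
```

Note that the second sample shows why the PE-header clause matters: the byte sequence alone, in a non-PE file, does not satisfy the rule.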