This detection identifies potential Neuron2 (Turla) malware activity by matching .NET string patterns characteristic of the payload. SOC teams should proactively hunt for these matches in Azure Sentinel to catch early-stage compromises before lateral movement within the network.
YARA Rule
rule MW_neuron2_dotnet_strings : Turla APT
{
    meta:
        description = "Rule for detection of the .NET payload for Neuron2 based on strings used"
        author = "NCSC"
        family = "Turla"
        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
        date = "2018-01-18"
        hash1 = "83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015"

    strings:
        // .NET metadata header signature present in every managed PE
        $dotnetMagic = "BSJB" ascii
        // Neuron2-specific strings; $s1/$s2 are UTF-16LE (wide), $s3/$s4 are ASCII
        $s1 = "http://*:80/W3SVC/" wide
        $s2 = "https://*:443/W3SVC/" wide
        $s3 = "neuron2.exe" ascii
        $s4 = "D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb" ascii

    condition:
        // MZ header, PE signature at e_lfanew, .NET metadata magic, and at least two payload strings
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 2 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
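To make the rule's condition concrete, the following Python is an added example (not part of the NCSC rule or of this page) that reimplements the same logic: the little-endian MZ/PE header checks, the BSJB .NET metadata magic, and the "2 of ($s*)" threshold with the wide strings encoded as UTF-16LE. The build_sample helper and the buffers it produces are constructed test data, not real Neuron2 samples; they exist only to show which combinations the rule does and does not fire on.

```python
import struct

# The rule's own string patterns, copied from the YARA rule above.
DOTNET_MAGIC = b"BSJB"
WIDE_STRINGS = [            # declared "wide" in the rule: stored as UTF-16LE in the file
    "http://*:80/W3SVC/",
    "https://*:443/W3SVC/",
]
ASCII_STRINGS = [           # declared "ascii" in the rule
    b"neuron2.exe",
    b"D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb",
]


def is_pe(data: bytes) -> bool:
    """Equivalent of: uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550.

    YARA's uintN() reads little-endian, so we unpack with '<'.
    """
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:      # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):                             # offset points outside the buffer
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550  # "PE"


def matched_strings(data: bytes) -> list:
    """Return the subset of $s1..$s4 found in data, honouring the wide/ascii modifiers."""
    hits = []
    for s in WIDE_STRINGS:
        if s.encode("utf-16-le") in data:   # a plain ASCII copy of a 'wide' string does NOT count
            hits.append(s)
    for s in ASCII_STRINGS:
        if s in data:
            hits.append(s.decode())
    return hits


def rule_matches(data: bytes) -> bool:
    """Full condition: PE header and $dotnetMagic and 2 of ($s*)."""
    return is_pe(data) and DOTNET_MAGIC in data and len(matched_strings(data)) >= 2


def build_sample(chunks) -> bytes:
    """Constructed minimal PE-like buffer (test data, not a real executable):
    'MZ' at offset 0, e_lfanew at 0x3C pointing to 'PE\\0\\0' at 0x40, then the given chunks."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0".join(chunks)


# Constructed scenarios (no real malware involved)
BENIGN_DOTNET = build_sample([DOTNET_MAGIC, b"hello world"])
NEURON2_LIKE = build_sample([DOTNET_MAGIC,
                             "http://*:80/W3SVC/".encode("utf-16-le"),
                             b"neuron2.exe"])
ONE_STRING_ONLY = build_sample([DOTNET_MAGIC, b"neuron2.exe"])
WIDE_STORED_AS_ASCII = build_sample([DOTNET_MAGIC, b"http://*:80/W3SVC/", b"neuron2.exe"])
NOT_A_PE = DOTNET_MAGIC + "http://*:80/W3SVC/".encode("utf-16-le") + b"neuron2.exe"


if __name__ == "__main__":
    for name, buf in [("benign .NET", BENIGN_DOTNET), ("neuron2-like", NEURON2_LIKE),
                      ("one string", ONE_STRING_ONLY), ("wide as ascii", WIDE_STORED_AS_ASCII),
                      ("not a PE", NOT_A_PE)]:
        print(f"{name:14s} pe={is_pe(buf)!s:5} strings={matched_strings(buf)} match={rule_matches(buf)}")
```

The WIDE_STORED_AS_ASCII case is the one worth remembering when tuning: because $s1 and $s2 carry the wide modifier, an ASCII copy of the URL prefix is not a hit, so a sample with that plus neuron2.exe reaches only one of the required two strings. Triage of a real hit should confirm the full file hash against the hash1 value in the rule's meta block rather than relying on the string count alone.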
Scenario: Legitimate .NET script execution during system maintenance
Description: A system administrator runs a .NET script to perform routine maintenance tasks, such as log cleanup or configuration updates.
Filter/Exclusion: Check the process owner (Process.Owner) to exclude scripts run by the admin account or use Process.Image to filter known maintenance tools like logclean.exe or configmgr.exe.
Scenario: Scheduled job using .NET for report generation
Description: A scheduled job runs a .NET-based reporting tool to generate daily reports, which includes strings similar to the Neuron2 payload.
Filter/Exclusion: Use Process.CommandLine to exclude jobs with known report generation tools like ReportGenerator.exe or PowerBIReport.exe, or filter by Process.StartTime to exclude jobs that run during non-business hours.
Scenario: Antivirus or endpoint protection tool using .NET for scanning
Description: A legitimate antivirus tool (e.g., Microsoft Defender, CrowdStrike) uses .NET for scanning and may include similar string patterns.
Filter/Exclusion: Filter by Process.Name to exclude known security tools like MsMpEng.exe, Csrss.exe, or Mcshield.exe.
Scenario: Development environment with .NET code analysis tools
Description: A developer uses a .NET code analysis tool (e.g., Resharper, SonarQube) that includes strings matching the Neuron2 payload during static code analysis.
Filter/Exclusion: Use Process.Name to exclude development tools like Resharper.exe, SonarScanner.exe, or dotnet.exe when running in a development context.
Scenario: System update or patching process using .NET components
Description: A system update process (e.g., Windows Update, SCCM