The hypothesis is that the detection of Neuron2 loader strings indicates the presence of a potentially malicious loader used in advanced persistent threat campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises and prevent lateral movement and data exfiltration.
YARA Rule
rule MW_neuron2_loader_strings : Turla APT loader
{
    meta:
        description = "Rule for detection of Neuron2 based on strings within the loader"
        author = "NCSC"
        family = "Turla"
        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
        date = "2018-01-18"
        hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"

    strings:
        $ = "dcom_api" ascii
        $ = "http://*:80/OWA/OAB/" ascii
        $ = "https://*:443/OWA/OAB/" ascii
        $ = "dcomnetsrv.cpp" wide
        $ = "dcomnet.dll" ascii
        $ = "D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb" ascii

    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them
}
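To make explicit what the rule's condition evaluates (MZ/PE header check, ascii versus wide string encoding, "2 of them" threshold), here is an added Python re-implementation written for this page; it is not NCSC's rule or any yara-python code, and the sample-buffer builder and function names are my own. Note that "*" inside a YARA text string is a literal byte, not a wildcard, so the matcher treats it the same way.

```python
import struct

# Strings from the rule above; "*" is a literal character in a YARA text string, not a wildcard.
NEURON2_STRINGS = [
    (b"dcom_api", "ascii"),
    (b"http://*:80/OWA/OAB/", "ascii"),
    (b"https://*:443/OWA/OAB/", "ascii"),
    (b"dcomnetsrv.cpp", "wide"),
    (b"dcomnet.dll", "ascii"),
    (b"D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb", "ascii"),
]

def _encode(s, modifier):
    # YARA "wide" means UTF-16LE; "ascii" means the raw bytes as written
    return s.decode("ascii").encode("utf-16-le") if modifier == "wide" else s

def is_pe(data):
    # uint16(0) == 0x5A4D  -> bytes "MZ" at offset 0 (little-endian)
    # uint16(uint32(0x3c)) == 0x4550 -> bytes "PE" at the e_lfanew offset
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 2 <= len(data) and data[e_lfanew:e_lfanew + 2] == b"PE"

def matched_strings(data):
    # Names of rule strings present in the buffer, in rule order
    return [s.decode("ascii") for s, mod in NEURON2_STRINGS if _encode(s, mod) in data]

def rule_matches(data, threshold=2):
    """Mirror the rule's condition: valid PE header AND at least `threshold` strings."""
    return is_pe(data) and len(matched_strings(data)) >= threshold

def build_sample(strings, pe=True):
    # Constructed test input (hypothetical, not a real loader): a minimal fake
    # DOS/PE header followed by the chosen strings, each encoded as requested
    header = bytearray(0x40)
    body = b""
    if pe:
        header[:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points just past the header
        body = b"PE\x00\x00"
    return bytes(header) + body + b"\x00".join(_encode(s, m) for s, m in strings)
```

The ascii/wide distinction matters in practice: an ASCII "dcomnetsrv.cpp" does not satisfy the rule's `wide` string, so a sample carrying it in that encoding contributes only the other strings toward the 2-of-N threshold.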
When this YARA rule is deployed as part of a hunt, the following benign scenarios and their corresponding filters/exclusions apply:
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: Exclude processes where the command line contains schtasks.exe /create /tn or schtasks.exe /run with known benign script names (e.g., CleanupScript.bat)

Scenario: System update using PowerShell with Invoke-Command to execute a remote script
Filter/Exclusion: Exclude processes where the command line includes powershell.exe -Command Invoke-Command -ScriptBlock and the remote host is a trusted domain controller or update server

Scenario: Admin task using taskmgr.exe to manually launch a legitimate diagnostic tool
Filter/Exclusion: Exclude processes where the parent process is taskmgr.exe and the child process is a known diagnostic tool (e.g., ProcessMonitor.exe, ProcessExplorer.exe)

Scenario: Log file parsing using logparser.exe with custom scripts to analyze event logs
Filter/Exclusion: Exclude processes where the command line includes logparser.exe -i EventLog -o CSV and the script is located in a known log analysis directory (e.g., C:\Tools\LogAnalysis\)

Scenario: Database backup using sqlcmd.exe with a scheduled SQL script
Filter/Exclusion: Exclude processes where the command line includes sqlcmd.exe -S with a known SQL server instance and the script path is within the database backup directory (e.g., C:\Backups\)