The rule identifies one specific Wild Neutron APT sample by strings embedded in the PE file, not by runtime behavior: it does not observe persistence or exfiltration, it flags a binary whose contents match a known sample from Kaspersky's 2015 Wild Neutron research. Azure Sentinel (now Microsoft Sentinel) does not evaluate YARA rules itself; run the rule on endpoints, file shares or mail/web gateways with yara, yara-python or an EDR that supports YARA, and forward each hit together with the file's path and SHA-256 to the SIEM so SOC teams can hunt, correlate and contain before the operator reaches the data-theft stage.
YARA Rule
rule WildNeutron_Sample_5
{
    meta:
        description = "Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
        author = "Florian Roth"
        reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
        date = "2015-07-10"
        score = 60
        hash = "1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
    strings:
        $s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */
        $s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
        $s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
        $s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
        $s4 = "sha-1WithRSAEncryption" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
        $s5 = "Postal code" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.00' */
        $s6 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */
        $s7 = "Key Usage" fullword ascii /* score: '12.00' */
        $s8 = "TLS-RSA-WITH-3DES-EDE-CBC-SHA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '11.00' */
        $s9 = "%02d.%04d.%s" fullword wide /* score: '7.02' */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
The rule carries 10 string patterns and fires only when every one of them is present (all of them), the file starts with the MZ header (uint16(0) == 0x5a4d, i.e. the bytes "MZ" read little-endian) and the file is smaller than 1000KB (YARA's KB suffix is 1024 bytes). The fullword modifier requires that a match is not preceded or followed by an alphanumeric character; wide strings are matched as UTF-16LE, ascii strings as single-byte text. Most of the strings ($s1, $s4 to $s8) are X.509 and TLS cipher-suite names of the kind found in a statically linked TLS library, so on their own they are weak evidence; the specificity comes from requiring all ten together with the LiveUpdater.exe filename. The meta score of 60 reflects that medium confidence, so treat a hit as a strong lead for triage by hash rather than as an automatic block.
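To make the condition concrete, the following is an added example (not part of the original page and not Florian Roth's code) that re-implements this rule's logic in plain Python: the MZ check, the filesize bound, the ascii/wide encodings and an approximation of YARA's fullword boundary test. It also shows the file-level tuning that actually applies to a YARA rule, a SHA-256 allowlist consulted before the rule is evaluated. The sample blobs are constructed inline; build_sample, scan and the allowlist are illustrative names, not part of YARA.

```python
import hashlib
import struct

# The ten strings from WildNeutron_Sample_5 with their encoding modifiers.
RULE_STRINGS = {
    "$s0": ("LiveUpdater.exe", "wide"),
    "$s1": ("id-at-postalAddress", "ascii"),
    "$s2": ("%d -> %d (default)", "wide"),
    "$s3": ("%s%s%s=%d,%s=%d,%s=%d,", "wide"),
    "$s4": ("sha-1WithRSAEncryption", "ascii"),
    "$s5": ("Postal code", "ascii"),
    "$s6": ("id-ce-keyUsage", "ascii"),
    "$s7": ("Key Usage", "ascii"),
    "$s8": ("TLS-RSA-WITH-3DES-EDE-CBC-SHA", "ascii"),
    "$s9": ("%02d.%04d.%s", "wide"),
}
ALL_STRINGS = frozenset(RULE_STRINGS)
MAX_FILESIZE = 1000 * 1024  # "filesize < 1000KB": YARA's KB means 1024 bytes


def _is_alnum(b):
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122


def _alnum_char(chunk, wide):
    # Approximation of YARA's fullword test: a wide neighbour is alphanumeric
    # when it is an ASCII letter/digit followed by a 0x00 high byte.
    if wide:
        return len(chunk) == 2 and _is_alnum(chunk[0]) and chunk[1] == 0
    return len(chunk) == 1 and _is_alnum(chunk[0])


def fullword_match(data, pattern, wide):
    """True if pattern occurs in data with no alphanumeric neighbour on either side."""
    needle = pattern.encode("utf-16-le") if wide else pattern.encode("ascii")
    step = 2 if wide else 1
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        before = data[idx - step:idx] if idx >= step else b""
        after = data[idx + len(needle):idx + len(needle) + step]
        if not _alnum_char(before, wide) and not _alnum_char(after, wide):
            return True
        start = idx + 1  # boundary failed here; keep looking for a later occurrence


def evaluate_rule(data):
    """Mirror the rule condition. Returns (matched_all, list_of_matched_ids)."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False, []  # uint16(0) == 0x5a4d, i.e. the "MZ" header
    if len(data) >= MAX_FILESIZE:
        return False, []
    matched = [sid for sid, (pat, mod) in RULE_STRINGS.items()
               if fullword_match(data, pat, mod == "wide")]
    return len(matched) == len(RULE_STRINGS), matched


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan(data, allowlist=frozenset()):
    """File-level tuning that fits a YARA rule: allowlist by hash, then evaluate."""
    digest = sha256_hex(data)
    if digest in allowlist:
        return {"verdict": "allowlisted", "sha256": digest, "matched": []}
    hit, matched = evaluate_rule(data)
    return {"verdict": "match" if hit else "no_match", "sha256": digest, "matched": matched}


def build_sample(include, mangle_s0=False):
    """Constructed test blob (not a real PE): MZ header, padding, then the strings.
    mangle_s0 embeds LiveUpdater.exe inside MyLiveUpdater.exe to defeat fullword."""
    parts = [b"MZ" + b"\x00" * 62]
    for sid, (pat, mod) in RULE_STRINGS.items():
        if sid not in include:
            continue
        text = "My" + pat if (sid == "$s0" and mangle_s0) else pat
        enc = text.encode("utf-16-le") if mod == "wide" else text.encode("ascii")
        parts.append(enc + b"\x00\x00")  # NUL terminator keeps neighbours non-alphanumeric
    return b"".join(parts)


if __name__ == "__main__":
    full = build_sample(ALL_STRINGS)
    print(scan(full)["verdict"])                          # match
    print(scan(build_sample(ALL_STRINGS - {"$s0"}))["verdict"])  # no_match
    print(scan(full, {sha256_hex(full)})["verdict"])      # allowlisted
```

To run the real rule instead, save it as WildNeutron_Sample_5.yar and use yara -r WildNeutron_Sample_5.yar /path/to/scan (add -s to print the matched strings and offsets); the Python above is only a readable model of what that command evaluates.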
The false-positive scenarios below are written for process-creation telemetry (command line, user, parent service). They do not map onto this rule, which fires on bytes inside a PE file regardless of which process wrote or executed it, so a command-line filter cannot suppress a hit. Tune YARA hits by file SHA-256, code-signing certificate or installation path instead, and use the process-level exclusions only when a hit has been correlated with a process event in the SIEM.
Scenario: Scheduled System Backup Using vssadmin
Description: A legitimate system backup process using the Volume Shadow Copy Service (vssadmin) may trigger a process-based detection because of similar command-line activity.
Filter/Exclusion: Check for vssadmin in the command line and exclude processes initiated by the backup service account or by the scheduled task named DailySystemBackup.
Scenario: Admin Task Using icacls for Permissions Adjustment
Description: An administrator may use icacls to modify file permissions on a shared folder, which could resemble malicious activity.
Filter/Exclusion: Filter out processes where the command line includes icacls and the user is a domain admin or holds the "File System Permissions" privilege.
Scenario: PowerShell Script for Log Rotation Using Move-Item
Description: A legitimate PowerShell script that rotates logs using Move-Item might be flagged because of its file system activity.
Filter/Exclusion: Exclude processes where the script path contains logrotate.ps1 or the command line contains logrotate, and the user is a system administrator.
Scenario: Software Update Deployment Using msiexec
Description: A legitimate software update using msiexec may trigger a detection because of its file extraction or installation behavior.
Filter/Exclusion: Exclude processes where the command line includes a known update package (e.g., KB1234567.msi) or the process is initiated by the Windows Update service.
Scenario: Database Backup Using sqlcmd with File Output
Description: A database backup process using sqlcmd to export data to a file may trigger a detection because of file creation or modification.
Filter/Exclusion: Exclude processes where the command line includes sqlcmd and the output file path is