The hypothesis is that the detection identifies potential Wild Neutron APT activity through the presence of a suspicious file hash, which may indicate the execution of malicious code associated with this advanced persistent threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT compromises before they escalate.
YARA Rule
rule WildNeutron_Sample_6
{
    meta:
        description = "Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
        author = "Florian Roth"
        reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
        date = "2015-07-10"
        score = 60
        hash = "4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
    strings:
        $s0 = "mshtaex.exe" fullword wide /* score: '20.00' */
    condition:
        uint16(0) == 0x5a4d and filesize < 310KB and all of them
}
This YARA rule can be deployed in the contexts listed in the scenarios below. It contains one string pattern ($s0) in its detection logic, combined with an MZ header check and a file size limit.
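To make the rule's matching semantics concrete, here is an added pure-Python re-implementation of the WildNeutron_Sample_6 condition (MZ header, filesize < 310KB, and a fullword wide match for $s0) run over constructed byte samples; this is not code from the original page or from the rule's author, and the sample buffers are made up for illustration.

```python
# Constants taken from the WildNeutron_Sample_6 rule above.
MAX_SIZE = 310 * 1024                         # YARA's "310KB" (KB = 1024 bytes)
NEEDLE = "mshtaex.exe".encode("utf-16-le")    # $s0 as a wide (UTF-16LE) string

def is_wide_alnum(data: bytes, off: int) -> bool:
    """True if the two bytes at off look like a wide ASCII alphanumeric char."""
    return (0 <= off and off + 1 < len(data)
            and data[off + 1] == 0
            and data[off] < 128
            and chr(data[off]).isalnum())

def s0_fullword_wide_matches(data: bytes) -> list:
    """Offsets where $s0 matches as a fullword wide string (YARA semantics:
    the wide character immediately before and after must not be alphanumeric)."""
    hits, start = [], 0
    while True:
        i = data.find(NEEDLE, start)
        if i < 0:
            return hits
        before = is_wide_alnum(data, i - 2)
        after = is_wide_alnum(data, i + len(NEEDLE))
        if not before and not after:
            hits.append(i)
        start = i + 1

def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 310KB and all of them"""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return bool(s0_fullword_wide_matches(data))

def pe_like(payload: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for a PE: 'MZ', a zeroed DOS header, the payload, zero padding."""
    buf = b"MZ" + b"\x00" * 62 + payload
    return buf + b"\x00" * max(0, size - len(buf))

# Constructed samples (not real Wild Neutron files).
SAMPLE_HIT = pe_like(b"\x00\x00" + NEEDLE + b"\x00\x00")                  # matches
SAMPLE_PATH = pe_like("C:\\Windows\\mshtaex.exe".encode("utf-16-le"))     # '\' is not alnum: matches
SAMPLE_NOT_FULLWORD = pe_like("xmshtaex.exe".encode("utf-16-le"))         # letter before: no match
SAMPLE_ASCII_ONLY = pe_like(b"mshtaex.exe")                               # rule is wide-only: no match
SAMPLE_TOO_BIG = pe_like(NEEDLE, size=MAX_SIZE)                           # not < 310KB: no match
SAMPLE_NO_MZ = b"\x7fELF" + NEEDLE                                         # no MZ header: no match

if __name__ == "__main__":
    for name in ("SAMPLE_HIT", "SAMPLE_PATH", "SAMPLE_NOT_FULLWORD",
                 "SAMPLE_ASCII_ONLY", "SAMPLE_TOO_BIG", "SAMPLE_NO_MZ"):
        print(f"{name}: {rule_matches(globals()[name])}")
```

Note that the rule fires on the wide string and PE shape, not on the SHA-256 in its meta block; the hash identifies the reference sample only.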
Scenario: System Update via Windows Update
Description: A legitimate Windows update process downloads a file with a hash matching the rule.
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "svchost.exe" (if the update service is running under svchost)

Scenario: Scheduled Backup Job Using Veeam
Description: A backup job initiated by Veeam may temporarily download or execute files that match the rule.
Filter/Exclusion: process.name != "vmrun.exe" and process.name != "veeam.exe"; additionally check that process.parent.name == "vmware.exe"

Scenario: Admin Task Using PowerShell for System Monitoring
Description: An administrator may use PowerShell scripts (e.g., from Microsoft's monitoring tools) that generate files with similar hashes.
Filter/Exclusion: process.name != "powershell.exe", or check that process.parent.name == "taskeng.exe" (for scheduled tasks)

Scenario: Legitimate File Download via Microsoft Defender ATP
Description: Microsoft Defender ATP may download files for signature updates or threat intelligence, which could match the rule.
Filter/Exclusion: process.name != "MsDefenderATP.exe", or check that process.parent.name == "svchost.exe" with known Defender services

Scenario: Docker Image Pull from Trusted Registry
Description: A Docker image pull from a trusted registry (e.g., Docker Hub) may include files that match the rule due to shared hash collisions.
Filter/Exclusion: process.name != "dockerd.exe", or check that process.parent.name == "containerd.exe" and verify that the registry source is trusted