The detection identifies the use of a specific cryptographic library associated with Equation group malware, indicating potential advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover hidden malware execution and potential lateral movement within their environment.
YARA Rule
rule apt_equation_cryptotable
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect the crypto library used in Equation group malware"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "https://securelist.com/blog/"
    strings:
        $a = {37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
    condition:
        $a
}
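As an added example (not part of the rule or of this page), the Python below does in plain code what the rule's `$a` condition does: it translates the YARA hex string into a bytes regex and reports every offset at which the 88-byte table appears in a file or memory dump. The parser, the `scan` function and the constructed sample buffers are assumptions of this example; the parser also accepts the `??`, nibble-wildcard and `[n-m]` jump syntax that the page's rule does not use.

```python
import re

# Byte pattern copied from the $a string of the apt_equation_cryptotable rule above (88 bytes).
CRYPTOTABLE_HEX = (
    "{37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 "
    "0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC "
    "B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 "
    "18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}"
)
_JUMP = re.compile(r"^\[(\d+)(?:-(\d+))?\]$")


def _byte(v: int) -> bytes:
    # Explicit \xNN escape: safe both inside and outside a regex character class.
    return b"\\x%02x" % v


def hex_string_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string ("{...}") into a bytes regex: plain bytes,
    full-byte wildcards (??), nibble wildcards (3?, ?A) and jumps ([n], [n-m]).
    The rule on this page only needs plain bytes; the rest is a generalisation."""
    body = hex_string.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("YARA hex strings are enclosed in braces")
    parts = []
    for tok in body[1:-1].split():
        jump = _JUMP.match(tok)
        if jump:  # [n] or [n-m]: n..m arbitrary bytes
            lo, hi = int(jump.group(1)), int(jump.group(2) or jump.group(1))
            parts.append(b".{%d,%d}" % (lo, hi))
        elif tok == "??":  # any single byte
            parts.append(b".")
        elif len(tok) == 2 and "?" in tok:  # one fixed nibble: 16 candidate values
            base = int(tok.replace("?", "0"), 16)
            step = 1 if tok[1] == "?" else 16
            parts.append(b"[" + b"".join(_byte(v) for v in range(base, base + 16 * step, step)) + b"]")
        elif len(tok) == 2:
            parts.append(_byte(int(tok, 16)))
        else:
            raise ValueError(f"unsupported hex string token: {tok!r}")
    return b"".join(parts)


def scan(data: bytes, hex_string: str = CRYPTOTABLE_HEX) -> list:
    """Offsets where the pattern occurs; the rule's condition `$a` holds exactly when non-empty."""
    pattern = re.compile(hex_string_to_regex(hex_string), re.DOTALL)  # DOTALL: wildcards match 0x0A too
    return [m.start() for m in pattern.finditer(data)]


# Constructed sample buffers (not real malware): one embeds the table at offset 24, the other does not.
CRYPTOTABLE = bytes.fromhex(CRYPTOTABLE_HEX.strip("{}"))
SAMPLE_HIT = b"MZ" + b"\x00" * 22 + CRYPTOTABLE + b"\xcc" * 16
SAMPLE_CLEAN = bytes(range(256)) * 4
```

Running `scan()` over a suspect binary or a process memory dump gives the match offset a responder would then inspect; an empty list means the rule would not fire on that input.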
This YARA rule can be deployed in the following contexts. It contains one string pattern ($a) in its detection logic.
Scenario: System update or patching process using cryptographic tools
Description: A legitimate system update or patching process may use cryptographic libraries for secure communication or data integrity checks.
Filter/Exclusion: Check for processes associated with known update mechanisms (e.g., Windows Update, WSUS, Chocolatey, Scoop) or use a filter like process.name != "certutil.exe" and process.name != "certsrv.exe" (joining two != conditions with "or" would match every process).
Scenario: Scheduled backup job using encryption for data protection
Description: Backup jobs often use encryption to protect data at rest or in transit, which may trigger the same cryptographic library detection.
Filter/Exclusion: Filter out processes related to backup tools (e.g., Veeam, VSS, wbadmin, rsync, tar with encryption flags) using a rule like process.name contains "backup" or process.name contains "rsync".
Scenario: Administrative task involving certificate management
Description: Admins may use tools like certutil.exe or certsrv.exe to manage certificates, which can involve cryptographic operations.
Filter/Exclusion: Exclude processes associated with certificate management by checking the command line or process name, e.g., process.name contains "certutil" or process.name contains "certsrv".
Scenario: Secure file transfer using encrypted protocols
Description: Tools like scp, sftp, or rsync over SSH may use cryptographic libraries, which could trigger the rule.
Filter/Exclusion: Filter out processes that use SSH-based protocols by checking the command line for ssh, scp, or sftp, e.g., process.command_line contains "ssh" or process.command_line contains "scp".
Scenario: Use of cryptographic libraries in development or testing environments