EquationLaser malware is likely being executed in the environment through suspicious process creation or network activity indicative of its known behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration risks.
YARA Rule
rule apt_equation_equationlaser_runtimeclasses
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect the EquationLaser malware"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "https://securelist.com/blog/"
    strings:
        $a1 = "?a73957838_2@@YAXXZ"
        $a2 = "?a84884@@YAXXZ"
        $a3 = "?b823838_9839@@YAXXZ"
        $a4 = "?e747383_94@@YAXXZ"
        $a5 = "?e83834@@YAXXZ"
        $a6 = "?e929348_827@@YAXXZ"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup or disk defragmentation job, may trigger the rule due to similar process behavior.
Filter/Exclusion: Exclude processes associated with schtasks.exe where the task name contains “Cleanup”, “Defrag”, or “DiskCheck”.
Scenario: Windows Update or Patching Process
Description: The Windows Update service (wuauclt.exe) or patching tools like wusa.exe may exhibit behavior similar to EquationLaser, such as file modifications or registry changes.
Filter/Exclusion: Exclude processes where the command line includes wuauclt.exe or wusa.exe and the file path is within the Windows system directory (e.g., C:\Windows\System32\).
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Microsoft Defender or Kaspersky may perform deep scans that involve file access or modification, which could be mistaken for EquationLaser activity.
Filter/Exclusion: Exclude processes with the full path containing “Microsoft Defender” or “Kaspersky” and filter by process names like MsMpEng.exe, KavService.exe, or KavService64.exe.
Scenario: Admin-Initiated File Integrity Monitoring (FIM)
Description: An admin might use a tool like Microsoft FIM or Tripwire to monitor file changes, which could trigger the same detection logic as EquationLaser.
Filter/Exclusion: Exclude processes with the command line containing “FIM” or “Tripwire” and filter by known FIM tool process names.
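The following is an added example, not code from this page or from Kaspersky: it re-implements the rule's "any of them" string logic in plain Python and encodes the four complete Filter/Exclusion scenarios above as a pre-alert allow-list, so the two can be tested together. The event keys (process, path, command_line) and all sample data are assumptions constructed for the example.

```python
# The six mangled export names from the rule. YARA text strings are ASCII and
# case-sensitive by default (no `wide`/`nocase` modifiers), so the matcher is too.
EQUATIONLASER_STRINGS = {
    "$a1": b"?a73957838_2@@YAXXZ",
    "$a2": b"?a84884@@YAXXZ",
    "$a3": b"?b823838_9839@@YAXXZ",
    "$a4": b"?e747383_94@@YAXXZ",
    "$a5": b"?e83834@@YAXXZ",
    "$a6": b"?e929348_827@@YAXXZ",
}

def match_equationlaser(data: bytes) -> list[str]:
    """Identifiers of rule strings present in data; non-empty means 'any of them' fires."""
    return [name for name, pat in EQUATIONLASER_STRINGS.items() if pat in data]

SYSTEM32 = "c:\\windows\\system32\\"
AV_PROCESSES = {"msmpeng.exe", "kavservice.exe", "kavservice64.exe"}

def is_excluded(event: dict) -> bool:
    """Apply the page's four Filter/Exclusion rules to a process event.
    The event keys (process, path, command_line) are an assumed shape, not a Sentinel schema."""
    proc = event.get("process", "").lower()
    path = event.get("path", "").lower()
    cmd = event.get("command_line", "")
    # 1. schtasks.exe running a Cleanup / Defrag / DiskCheck maintenance task.
    if proc == "schtasks.exe" and any(k in cmd for k in ("Cleanup", "Defrag", "DiskCheck")):
        return True
    # 2. Windows Update / patching binaries launched from the system directory.
    if any(b in cmd.lower() for b in ("wuauclt.exe", "wusa.exe")) and path.startswith(SYSTEM32):
        return True
    # 3. Endpoint protection engines running from their vendor install path.
    if ("microsoft defender" in path or "kaspersky" in path) and proc in AV_PROCESSES:
        return True
    # 4. FIM tools named on the command line (the page lists no FIM process names, so that part is omitted).
    return "FIM" in cmd or "Tripwire" in cmd

def triage(event: dict, sample: bytes) -> dict:
    """Alert only when the sample matches and the originating process is not excluded."""
    hits, excluded = match_equationlaser(sample), is_excluded(event)
    return {"matched": hits, "excluded": excluded, "alert": bool(hits) and not excluded}

# Constructed samples: a fake image carrying two exports, a lowercase variant and a
# UTF-16 variant (the last two do not match, exactly as the rule as written would not).
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 8 + b"?e83834@@YAXXZ\x00?b823838_9839@@YAXXZ\x00"
SAMPLE_LOWER = b"MZ\x90\x00?a73957838_2@@yaxxz\x00"
SAMPLE_WIDE = b"MZ\x90\x00" + "?a84884@@YAXXZ".encode("utf-16-le")

if __name__ == "__main__":
    evt = {"process": "svchost.exe", "path": "C:\\Users\\Public\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
    print(triage(evt, SAMPLE_HIT))  # {'matched': ['$a3', '$a5'], 'excluded': False, 'alert': True}
```

The lowercase and UTF-16 samples show what the rule as written misses; if wide or case-insensitive matches are wanted, the rule itself needs `wide` or `nocase` modifiers, not this wrapper.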
Scenario: PowerShell Script for Log Analysis or Compliance
Description: A legitimate PowerShell