This rule detects the Equation group's exploitation library (referenced by the rule as http://goo.gl/ivt8EW) by matching PE files that begin with the MZ header and contain one of the library's known mutex names; a hit may indicate advanced persistent threat activity. SOC teams should proactively hunt for these artifacts in Azure Sentinel to identify and mitigate early-stage compromises from sophisticated adversaries.
YARA Rule
rule apt_equation_exploitlib_mutexes
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"

    strings:
        $mz = "MZ"
        $a1 = "prkMtx" wide
        $a2 = "cnFormSyncExFBC" wide
        $a3 = "cnFormVoidFBC" wide
        $a4 = "cnFormSyncExFBC"
        $a5 = "cnFormVoidFBC"

    condition:
        ($mz at 0) and any of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
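To make the rule's matching semantics concrete (the MZ header must sit at offset 0, `wide` strings are searched as UTF-16LE, unmarked strings as ASCII), here is an added Python re-implementation of the condition run over constructed sample buffers. This is example code written for this page, not Kaspersky's rule engine or yara-python, and the sample bytes are synthetic.

```python
# Stand-alone re-implementation of the rule's matching logic (example only, not yara-python).
# YARA semantics mirrored here: "$mz at 0" means the bytes "MZ" at offset 0;
# strings marked "wide" are matched as UTF-16LE, unmarked strings as ASCII.
from typing import List, Tuple

# (identifier, text, wide) transcribed from the rule's strings section.
RULE_STRINGS: List[Tuple[str, str, bool]] = [
    ("$a1", "prkMtx", True),
    ("$a2", "cnFormSyncExFBC", True),
    ("$a3", "cnFormVoidFBC", True),
    ("$a4", "cnFormSyncExFBC", False),
    ("$a5", "cnFormVoidFBC", False),
]


def encode_pattern(text: str, wide: bool) -> bytes:
    """Encode a YARA text string the way the scanner will search for it."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def match_rule(data: bytes) -> List[Tuple[str, int]]:
    """Evaluate ($mz at 0) and any of ($a*) over a buffer.

    Returns the matching string identifiers with their first offset,
    or an empty list when the rule does not fire."""
    if not data.startswith(b"MZ"):  # "$mz at 0" fails, so the whole condition fails
        return []
    hits = []
    for name, text, wide in RULE_STRINGS:
        offset = data.find(encode_pattern(text, wide))
        if offset != -1:
            hits.append((name, offset))
    return hits


# Constructed sample buffers (synthetic, not real samples): a minimal MZ-prefixed
# blob carrying the UTF-16LE mutex name, plus two counter-examples.
SAMPLE_WIDE = b"MZ" + b"\x00" * 82 + "prkMtx".encode("utf-16-le") + b"\x00" * 8
SAMPLE_ASCII_MUTEX = b"MZ" + b"prkMtx"  # ASCII only, but $a1 is wide-only -> no hit
SAMPLE_NO_MZ = "cnFormVoidFBC".encode("utf-16-le")  # string present, no MZ header -> no hit

if __name__ == "__main__":
    for label, buf in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII_MUTEX), ("no_mz", SAMPLE_NO_MZ)]:
        print(label, match_rule(buf))
```

The ASCII counter-example is the one to remember when tuning: only $a4 and $a5 match ASCII text, so a file carrying "prkMtx" in ASCII alone will not fire this rule.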
Scenario: Legitimate use of certutil for certificate management
Description: System administrators may use certutil to manage certificates, which can include operations similar to those seen in the Equation group’s exploitation library.
Filter/Exclusion: process.exe contains "certutil" and process.parent.exe contains "certsrv.exe"
Scenario: Scheduled job for system integrity checks
Description: Automated tools like sfc /scannow or DISM may execute processes that resemble malicious activity, especially when running with elevated privileges.
Filter/Exclusion: (process.exe contains "sfc" or process.exe contains "dism") and process.parent.exe contains "services.exe"
Scenario: Use of msiexec for legitimate software deployment
Description: IT departments often use msiexec to deploy software via Group Policy or SCCM, which can trigger similar process behaviors as the Equation group’s library.
Filter/Exclusion: process.exe contains "msiexec" and (process.parent.exe contains "taskeng.exe" or process.parent.exe contains "svchost.exe")
Scenario: Administrative task involving regsvr32 for COM component registration
Description: System administrators may use regsvr32 to register or unregister COM components, which can resemble the behavior of the Equation group’s exploitation library.
Filter/Exclusion: process.exe contains "regsvr32" and (process.parent.exe contains "explorer.exe" or process.parent.exe contains "services.exe")
Scenario: Use of powershell for routine system configuration
Description: PowerShell scripts are commonly used for system configuration and maintenance, and may include commands that match the detection logic for the Equation group’s library.
Filter/Exclusion: process.exe contains "powershell" and process.parent.exe contains