The rule detects potential indicators of Equation group activity by identifying a known keyword of the group within executable files, which may signal the presence of malicious code. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging Equation group tactics.
YARA Rule
rule apt_equation_keyword
{
    meta:
        description = "Rule to detect Equation group's keyword in executable file"
        author = "Florian Roth @4nc4p"
        last_modified = "2015-09-26"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
    strings:
        $a1 = "Backsnarf_AB25" wide
        $a2 = "Backsnarf_AB25" ascii
    condition:
        uint16(0) == 0x5a4d and 1 of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: the same keyword once as a plain ASCII string ($a2) and once as a UTF-16LE ("wide") string ($a1). The condition additionally requires the file to start with the MZ header (uint16(0) == 0x5a4d), so the strings are only evaluated against PE executables.
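To make the matching behaviour concrete, the following is an added example (not part of the original rule, and not the YARA engine) that re-implements the rule's condition in plain Python: the little-endian MZ header check, the ASCII and UTF-16LE encodings of the keyword, and the "1 of ($a*)" logic. The sample byte blobs are constructed here for illustration; the helper names (has_mz_header, matching_strings, rule_matches, scan_samples) are this example's own.

```python
"""Stand-alone re-implementation of the apt_equation_keyword logic.

Added example, not the original rule and not yara-python: it mirrors the
condition (MZ header plus one of two encodings of the keyword) so that the
effect of 'wide' vs 'ascii' and of the uint16(0) check can be inspected
without a YARA install. All sample inputs below are constructed.
"""
import struct

KEYWORD = "Backsnarf_AB25"

# $a2 = "Backsnarf_AB25" ascii  -> single-byte string
ASCII_PATTERN = KEYWORD.encode("ascii")
# $a1 = "Backsnarf_AB25" wide   -> YARA 'wide' means UTF-16LE (each char followed by 0x00)
WIDE_PATTERN = KEYWORD.encode("utf-16-le")

MZ_MAGIC = 0x5A4D  # uint16(0) == 0x5a4d: the bytes b"MZ" read little-endian


def has_mz_header(data: bytes) -> bool:
    """Equivalent of uint16(0) == 0x5a4d: first two bytes as a little-endian uint16."""
    if len(data) < 2:
        return False
    return struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC


def matching_strings(data: bytes) -> list[str]:
    """Return the identifiers of the rule's strings that occur in data."""
    found = []
    if WIDE_PATTERN in data:
        found.append("$a1")
    if ASCII_PATTERN in data:
        found.append("$a2")
    return found


def rule_matches(data: bytes) -> bool:
    """Condition: uint16(0) == 0x5a4d and 1 of ($a*)."""
    return has_mz_header(data) and len(matching_strings(data)) >= 1


def _pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for an executable: MZ magic, padding, then the payload."""
    return b"MZ" + b"\x90" * 62 + payload + b"\x00" * 16


# Constructed samples (not real files). Names describe what each one exercises.
SAMPLES = {
    "ascii_in_pe": _pe_like(b"\x00" + ASCII_PATTERN + b"\x00"),
    "wide_in_pe": _pe_like(WIDE_PATTERN),
    "keyword_in_text_file": b"# notes\n" + ASCII_PATTERN + b"\n",  # no MZ header -> no match
    "pe_without_keyword": _pe_like(b"hello world"),
    "uppercase_variant": _pe_like(KEYWORD.upper().encode()),       # rule strings are case-sensitive
}


def scan_samples() -> dict[str, bool]:
    """Run the re-implemented condition over every constructed sample."""
    return {name: rule_matches(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match':9s} {matching_strings(SAMPLES[name])}")
```

Two points the run makes visible: the keyword in a plain text file never fires because the MZ check is evaluated first, and a UTF-16LE copy of the keyword is matched only by the "wide" string, which is why the rule carries both encodings.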
Scenario: Legitimate software update process using msiexec.exe
Description: A scheduled task runs msiexec.exe to install a legitimate software update, which may contain strings similar to Equation group keywords.
Filter/Exclusion: process.parent_process == "Task Scheduler" or (process.name == "msiexec.exe" and process.parent_process != "explorer.exe")
Scenario: System file integrity check using sfc.exe or dism.exe
Description: During a system file check, sfc.exe or dism.exe may scan files and temporarily contain strings that match Equation group keywords.
Filter/Exclusion: process.name in ("sfc.exe", "dism.exe") or process.parent_process == "services.exe"
Scenario: Administrative task using PowerShell.exe for log cleanup
Description: An admin uses PowerShell to clean up log files, and the script may include strings that resemble Equation group keywords.
Filter/Exclusion: (process.name == "PowerShell.exe" and process.parent_process == "explorer.exe") or process.command_line contains "log cleanup"
Scenario: Antivirus or endpoint protection tool scanning files
Description: A legitimate antivirus tool like Kaspersky, Bitdefender, or Malwarebytes may scan files and include strings that match Equation group keywords during analysis.
Filter/Exclusion: process.name in ("KavStub.exe", "mbam.exe", "kav64.exe") or process.parent_process == "svchost.exe"
Scenario: Development environment using devenv.exe or Visual Studio
Description: A developer uses Visual Studio or devenv.exe to compile or debug code, and the project files or build