The Equation Group tool set, as seen in the leaked tooling from which the original Sigma rule was derived, loads its DLL implants through rundll32.exe by calling an export named dll_u, or passes a ` -export dll_u ` argument on the command line; those processes are what bring up the group's command-and-control channel. Note what the query below actually keys on: the process command-line artifact in DeviceProcessEvents, not the network traffic itself. SOC teams should hunt for this pattern proactively in Microsoft Sentinel (formerly Azure Sentinel) to surface potential Equation Group activity early.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FolderPath endswith @"\rundll32.exe" and ProcessCommandLine endswith ",dll_u")
or ProcessCommandLine has " -export dll_u "
| top 100 by Timestamp desc
id: 4f0fdeab-1d34-4c1e-9121-8ac800988de8
name: Equation Group C2 Communication
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where (FolderPath endswith @"\rundll32.exe" and ProcessCommandLine endswith ",dll_u")
      or ProcessCommandLine has " -export dll_u "
  | top 100 by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure it is enabled |
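The query's where clause, reproduced in Python and run over a handful of constructed DeviceProcessEvents rows, as an added example that is not part of the original page or of the Sigma rule. It assumes the constructed events and reference time defined in the block; the column names (FolderPath, ProcessCommandLine, InitiatingProcessFileName) are real DeviceProcessEvents columns. KQL's endswith and has are case-insensitive, and has is a term match, which the substring check below only approximates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns the hunting query touches."""
    timestamp: str                      # Timestamp (ISO 8601, UTC)
    device_name: str                    # DeviceName
    folder_path: str                    # FolderPath (full path of the image)
    process_command_line: str           # ProcessCommandLine
    initiating_process_file_name: str   # InitiatingProcessFileName (parent image)


# Constructed reference time for ago(7d), so the example is deterministic.
FIXED_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

# Constructed sample rows, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T10:00:00Z", "ws01", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\msmgr.dll,dll_u", "cmd.exe"),
    # Mixed case: KQL endswith is case-insensitive, so this still matches.
    ProcessEvent("2024-05-01T10:05:00Z", "ws01", r"C:\Windows\SysWOW64\RUNDLL32.EXE",
                 r"RUNDLL32.EXE C:\Temp\x.dll,DLL_U", "powershell.exe"),
    # Second selection: the " -export dll_u " argument, no rundll32.exe involved.
    ProcessEvent("2024-05-01T10:07:00Z", "srv02", r"C:\Temp\loader.exe",
                 r"loader.exe -export dll_u C:\Temp\x.dll", "svchost.exe"),
    # Everyday rundll32.exe use with a different export: must not match.
    ProcessEvent("2024-05-01T10:10:00Z", "ws03", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe"),
    # Near miss: the command line ends in ",dll_u2", not ",dll_u".
    ProcessEvent("2024-05-01T10:12:00Z", "ws03", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Temp\y.dll,dll_u2", "explorer.exe"),
    # A scheduled task by itself never matches; only a rundll32.exe child with the pattern would.
    ProcessEvent("2024-05-01T10:15:00Z", "ws04", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /run /tn "Maintenance"', "svchost.exe"),
    # Matches the pattern but is older than the 7-day window, so hunt() drops it.
    ProcessEvent("2024-04-01T09:00:00Z", "ws05", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Temp\old.dll,dll_u", "cmd.exe"),
]


def matches_equation_group_pattern(ev: ProcessEvent) -> bool:
    """Port of the query's where clause.

    KQL endswith/has are case-insensitive, hence lower(). KQL `has` is a
    term match; the substring test is an approximation for this phrase.
    """
    path = ev.folder_path.lower()
    cmd = ev.process_command_line.lower()
    selection1 = path.endswith("\\rundll32.exe") and cmd.endswith(",dll_u")
    selection2 = " -export dll_u " in cmd
    return selection1 or selection2


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hunt(events, now=None, lookback=timedelta(days=7), limit=100):
    """Port of the whole query: ago(7d) window, pattern match, top N by Timestamp desc."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - lookback
    hits = [ev for ev in events
            if _parse_ts(ev.timestamp) > cutoff and matches_equation_group_pattern(ev)]
    hits.sort(key=lambda ev: _parse_ts(ev.timestamp), reverse=True)
    return hits[:limit]


def triage_summary(hits):
    """The fields an analyst reads first. InitiatingProcessFileName says what launched
    the matching process (scheduler host, shell, remote-session host), which is the
    starting point for the false-positive checks in the scenarios on this page."""
    return [(ev.device_name, ev.initiating_process_file_name, ev.process_command_line)
            for ev in hits]


if __name__ == "__main__":
    for row in triage_summary(hunt(SAMPLE_EVENTS, now=FIXED_NOW)):
        print(row)
```

Against the sample rows only the first three events survive: the two rundll32.exe launches with a ",dll_u" suffix (one in mixed case) and the ` -export dll_u ` invocation. The `top 100` cap is a hunting convenience; if the query is turned into a scheduled analytics rule, drop it so that a burst of hits is not silently truncated.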
Scenario: Scheduled System Maintenance Task Using schtasks.exe
Description: A scheduled maintenance task launches rundll32.exe to call an export of a legitimate DLL. The query fires only if that command line ends in ",dll_u" or contains " -export dll_u "; a task that runs a script or executable and merely talks to a server does not match, because the pattern is a host-side process artifact, not network behaviour.
Filter/Exclusion: Check whether the matching rundll32.exe row has an InitiatingProcessFileName of the Task Scheduler service host (svchost.exe hosting the Schedule service, or taskeng.exe on older Windows) and whether the DLL named in ProcessCommandLine belongs to a known maintenance task (e.g., Windows Update, Disk Cleanup). Confirm the DLL's path and publisher before excluding it; an intruder can register a scheduled task just as easily.
Scenario: Remote PowerShell Script Execution via powershell.exe
Description: A system administrator's remote PowerShell session (Invoke-Command or Enter-PSSession) launches rundll32.exe against a DLL, and the resulting command line ends in ",dll_u" or contains " -export dll_u ". The session's own network traffic is invisible to this query; only the rundll32.exe process row matches.
Filter/Exclusion: Filter on rows whose InitiatingProcessFileName is powershell.exe, or wsmprovhost.exe for processes spawned inside a WinRM remote session, and review InitiatingProcessCommandLine for Invoke-Command or Enter-PSSession. Treat these as leads for review rather than automatic exclusions, since remote PowerShell is also how an intruder would launch the same DLL.
Scenario: Database Backup Job Using sqlcmd.exe
Description: A database backup job driven by sqlcmd.exe exports data to a remote server. The data transfer itself does not match this query; only a rundll32.exe process spawned by the job with a ",dll_u" or " -export dll_u " command line would.
Filter/Exclusion: Filter on rows whose InitiatingProcessFileName is sqlcmd.exe or the scheduler that runs the job, and check whether the backup script is known and scheduled. Confirm that the DLL and its export are part of the backup tooling before excluding them.
Scenario: Log Collection via logman.exe or wevtutil.exe
Description: A system administrator uses logman.exe or wevtutil.exe to collect and export logs to a central server. As above, the log transfer does not match the detection logic; a rundll32.exe child of these tools with the ",dll_u" or " -export dll_u " command line would.
Filter/Exclusion: Filter by InitiatingProcessFileName