This hunt hypothesis covers potential Equation Group malware activity associated with the Grey Fish variant, which may indicate advanced persistent threat (APT) behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to data exfiltration or system compromise.
YARA Rule

rule Equation_Kaspersky_GreyFishInstaller
{
    meta:
        description = "Equation Group Malware - Grey Fish"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
    strings:
        $s0 = "DOGROUND.exe" fullword wide
        $s1 = "Windows Configuration Services" fullword wide
        $s2 = "GetMappedFilenameW" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic: two UTF-16LE (wide) strings and one ASCII string, each required to appear as a whole word. Its condition (all of them) requires all three to be present in the same file, so a sample that carries only one or two of the strings does not match.
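To make the matching semantics concrete, the following is an added example (not part of the original page and not Florian Roth's code): a pure-Python re-implementation of this rule's three strings, their `wide`/`ascii` encodings, the `fullword` boundary check, and the `all of them` condition. The byte buffers it scans are constructed for illustration and stand in for file contents; the wide-string boundary handling (looking at the preceding and following UTF-16LE code unit) is my reading of how YARA applies `fullword` to wide strings.

```python
"""Added example: pure-Python matcher for the Grey Fish YARA rule's logic.

Not the original page's code and not a replacement for YARA; it exists to show
what `fullword wide` / `fullword ascii` and `all of them` actually require.
"""

# The rule's strings exactly as on the page, with their modifiers.
RULE_STRINGS = {
    "$s0": ("DOGROUND.exe", "wide"),
    "$s1": ("Windows Configuration Services", "wide"),
    "$s2": ("GetMappedFilenameW", "ascii"),
}


def encode_pattern(text, modifier):
    """`wide` means UTF-16LE (each char followed by 0x00); `ascii` means plain bytes."""
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")


def _is_alnum(b):
    # C-locale isalnum: only [0-9A-Za-z] count; high bytes are not alphanumeric.
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def fullword_offsets(data, pattern, modifier):
    """Offsets where `pattern` occurs and is not glued to an alphanumeric neighbour.

    For wide strings the neighbour is a UTF-16LE code unit (alnum byte + 0x00);
    this is an assumption about YARA's wide handling, not quoted from its source.
    """
    hits = []
    start = 0
    while True:
        i = data.find(pattern, start)
        if i == -1:
            break
        end = i + len(pattern)
        if modifier == "wide":
            glued_before = i >= 2 and data[i - 1] == 0 and _is_alnum(data[i - 2])
            glued_after = end + 1 < len(data) and data[end + 1] == 0 and _is_alnum(data[end])
        else:
            glued_before = i >= 1 and _is_alnum(data[i - 1])
            glued_after = end < len(data) and _is_alnum(data[end])
        if not (glued_before or glued_after):
            hits.append(i)
        start = i + 1
    return hits


def scan(data):
    """Map each rule string that matched to its offsets; unmatched strings are omitted."""
    found = {}
    for name, (text, modifier) in RULE_STRINGS.items():
        offsets = fullword_offsets(data, encode_pattern(text, modifier), modifier)
        if offsets:
            found[name] = offsets
    return found


def rule_matches(data):
    """The rule's condition is `all of them`: every string must match."""
    return set(scan(data)) == set(RULE_STRINGS)


# Constructed buffers standing in for file contents (no real sample data).
SAMPLE_ALL_THREE = (
    b"\x00" * 8
    + "DOGROUND.exe".encode("utf-16-le") + b"\x00\x00"
    + b"junk"
    + "Windows Configuration Services".encode("utf-16-le") + b"\x00\x00"
    + b"\x00GetMappedFilenameW\x00"
)
# $s1 is absent, so the rule must not fire even though two strings are present.
SAMPLE_TWO_OF_THREE = b"GetMappedFilenameW\x00\x00" + "DOGROUND.exe".encode("utf-16-le")
# Both strings are present as substrings but glued to alphanumerics: fullword rejects them.
SAMPLE_NOT_FULLWORD = b"xGetMappedFilenameWx" + "ADOGROUND.exe".encode("utf-16-le")

if __name__ == "__main__":
    for label, buf in [("all three", SAMPLE_ALL_THREE),
                       ("two of three", SAMPLE_TWO_OF_THREE),
                       ("not fullword", SAMPLE_NOT_FULLWORD)]:
        print(f"{label:13s} -> strings {sorted(scan(buf))}, rule matches: {rule_matches(buf)}")
```

Running the block prints one line per constructed buffer; only the first buffer satisfies the rule. The second and third show the two ways a file can contain the indicator text and still not match: a missing string, or a string that is a substring of a longer word.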
Benign scenarios and suggested exclusions

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses curl or wget to download updates from an internal repository.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known internal update URL pattern.

Scenario: Admin Performing Remote Code Execution (RCE) via PowerShell
Description: An administrator uses PowerShell to execute a remote script for system configuration, which may resemble malicious behavior.
Filter/Exclusion: Exclude processes initiated by powershell.exe with a command line containing Invoke-Command or Enter-PSSession and originating from a trusted IP range.

Scenario: Software Update Deployment via SCCM
Description: A System Center Configuration Manager (SCCM) or Software Center update deployment triggers a script that uses certutil or certreq for certificate management.
Filter/Exclusion: Exclude processes with certutil.exe or certreq.exe that are associated with SCCM or Microsoft Endpoint Manager (MEM).

Scenario: Database Backup Job Using SQLCMD
Description: A database backup job runs sqlcmd to export data to a remote server, which may trigger the rule because of its network activity.
Filter/Exclusion: Exclude processes with sqlcmd.exe that are associated with a known backup job name or scheduled task.

Scenario: Security Tool Performing Network Scanning
Description: A security tool such as Nmap or Masscan is used for internal network discovery, which may be flagged because of its network activity.
Filter/Exclusion: Exclude processes with nmap.exe or masscan.exe that are associated with a known internal security tool or IP range.
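The five exclusions above, expressed as a triage filter over process-creation events, as an added example that is not part of the original page. The event fields, the IP ranges, the backup task name, the update URL and the `deployment_source` field are constructed assumptions rather than an Azure Sentinel schema; the point is the shape of each check (parent process, case-insensitive command-line tokens, IP-range membership, job-name allowlist) and that an event which fails a trust condition stays in the review queue.

```python
"""Added example: exclusion filter for the benign scenarios listed on the page.

Not the page's own code. Field names and allowlist values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    image: str                   # created process, e.g. "powershell.exe"
    parent_image: str            # parent process, e.g. "schtasks.exe"
    command_line: str
    source_ip: str               # where the session that launched it came from
    task_name: str = ""          # scheduled-task or job name, if any
    deployment_source: str = ""  # assumed field: management tool that pushed the job


# Constructed tuning data; in a real deployment these come from the SOC's allowlists.
KNOWN_UPDATE_URL = "https://updates.corp.example/"
TRUSTED_ADMIN_RANGES = [ipaddress.ip_network("10.10.0.0/16")]
KNOWN_BACKUP_TASKS = {"nightly-sql-backup"}
KNOWN_SCANNER_RANGES = [ipaddress.ip_network("10.20.5.0/24")]
MANAGEMENT_TOOLS = {"sccm", "mem"}


def _in_ranges(ip, ranges):
    """True if `ip` parses and falls inside one of `ranges`; bad input never passes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return which benign scenario explains the event, or None if it needs review."""
    image, parent = ev.image.lower(), ev.parent_image.lower()
    cmd, task = ev.command_line.lower(), ev.task_name.lower()
    source = ev.deployment_source.lower()

    # 1. Scheduled maintenance: launched by the task scheduler, or curl/wget to the internal repo.
    if parent == "schtasks.exe" or (image in {"curl.exe", "wget.exe"} and KNOWN_UPDATE_URL in cmd):
        return "scheduled maintenance task"
    # 2. Admin remoting, but only from a trusted range.
    if image == "powershell.exe" and ("invoke-command" in cmd or "enter-pssession" in cmd) \
            and _in_ranges(ev.source_ip, TRUSTED_ADMIN_RANGES):
        return "admin remote execution from trusted range"
    # 3. Certificate management pushed by SCCM / MEM.
    if image in {"certutil.exe", "certreq.exe"} and source in MANAGEMENT_TOOLS:
        return "SCCM/MEM certificate deployment"
    # 4. Known backup job.
    if image == "sqlcmd.exe" and task in KNOWN_BACKUP_TASKS:
        return "known database backup job"
    # 5. Sanctioned internal scanner.
    if image in {"nmap.exe", "masscan.exe"} and _in_ranges(ev.source_ip, KNOWN_SCANNER_RANGES):
        return "authorised internal scanner"
    return None


def review_queue(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events that no exclusion explains; these go to an analyst."""
    return [ev for ev in events if exclusion_reason(ev) is None]


# Constructed events. Note the mixed case in the image names and the untrusted
# source address on the last one, which is why it survives the filter.
EVENTS = [
    ProcessEvent("curl.exe", "cmd.exe", "curl https://updates.corp.example/patch.msi", "10.10.1.5"),
    ProcessEvent("PowerShell.exe", "explorer.exe", "powershell Invoke-Command -ComputerName srv1", "10.10.2.9"),
    ProcessEvent("certutil.exe", "services.exe", "certutil -addstore Root corp.cer", "10.10.3.1",
                 deployment_source="SCCM"),
    ProcessEvent("sqlcmd.exe", "svchost.exe", "sqlcmd -i backup.sql", "10.10.4.4",
                 task_name="Nightly-SQL-Backup"),
    ProcessEvent("nmap.exe", "cmd.exe", "nmap -sn 10.10.0.0/16", "10.20.5.7"),
    ProcessEvent("powershell.exe", "explorer.exe", "powershell Invoke-Command -ComputerName dc1", "203.0.113.8"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.image:16s} {ev.source_ip:13s} -> {exclusion_reason(ev) or 'REVIEW'}")
```

Each exclusion is written as a conjunction of an image name and a trust condition, so that the image name alone never suppresses an event: the last constructed event uses the same PowerShell remoting command line as the second one but comes from outside the trusted range, and it is the only one left in the review queue.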