This detection flags files carrying the strings of the EquationDrug filesystem filter driver (volrec.sys, scsi2mgr.sys), a component associated with advanced persistent threat activity and used for persistence and data exfiltration. SOC teams can hunt for matches in Azure Sentinel to identify and mitigate early-stage malware activity that may evade traditional detection methods.
YARA Rule
rule EquationDrug_FileSystem_Filter
{
    meta:
        description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
    strings:
        $s0 = "volrec.sys" fullword wide
        $s1 = "volrec.pdb" fullword ascii
        $s2 = "Volume recognizer driver" fullword wide
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic declares three string patterns ($s0, $s1, $s2), and its condition (all of them) requires every one to be present: $s0 and $s2 are searched only in their wide (UTF-16LE) form, $s1 only as ASCII, and all three must occur as full words rather than as part of a longer token.
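To make the string modifiers and the condition concrete, here is an added example (not from the original page and not the rule author's code) that emulates in pure Python how YARA evaluates these three strings and the all-of-them condition, then runs the emulation over constructed byte buffers. The samples, offsets and the helper names are assumptions made for the demonstration; production scanning uses the yara CLI or yara-python, not this emulation.

```python
# Added example, not from the original page: a pure-Python emulation of the
# rule's string matching (ascii / wide / fullword) and `all of them` condition,
# run over constructed sample buffers. Real scanning uses yara / yara-python.

# The rule's strings, transcribed from the page: (identifier, text, modifiers).
# All three carry `fullword`; $s0 and $s2 are `wide` only, $s1 is `ascii` only.
RULE_STRINGS = [
    ("$s0", "volrec.sys", {"wide"}),
    ("$s1", "volrec.pdb", {"ascii"}),
    ("$s2", "Volume recognizer driver", {"wide"}),
]


def encodings(text, modifiers):
    """Byte forms YARA searches for: `ascii` is the raw bytes, `wide` is
    UTF-16LE (each character followed by a NUL byte). A string declared with
    only one of the two modifiers is searched in only that form."""
    if "ascii" in modifiers:
        yield "ascii", text.encode("ascii")
    if "wide" in modifiers:
        yield "wide", text.encode("utf-16-le")


def _ascii_alnum(b):
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122


def _is_alnum_unit(unit, kind):
    """`fullword` boundary test on the neighbouring character. For a wide
    string the neighbour is a 2-byte unit (alphanumeric byte followed by NUL),
    mirroring libyara's check; for an ascii string it is a single byte."""
    if kind == "wide":
        return len(unit) == 2 and unit[1] == 0 and _ascii_alnum(unit[0])
    return len(unit) == 1 and _ascii_alnum(unit[0])


def fullword_hits(data, text, modifiers):
    """Return (kind, offset) pairs where `text` occurs as a full word in
    `data`, in each encoding the modifiers allow."""
    hits = []
    for kind, needle in encodings(text, modifiers):
        unit = 2 if kind == "wide" else 1
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            end = idx + len(needle)
            before = data[idx - unit:idx] if idx >= unit else b""
            after = data[end:end + unit]
            if not _is_alnum_unit(before, kind) and not _is_alnum_unit(after, kind):
                hits.append((kind, idx))
            start = idx + 1
    return hits


def evaluate_rule(data):
    """Emulate `condition: all of them`: the rule fires only when every
    declared string has at least one hit. Returns (matched, hits_by_string)."""
    hits = {ident: fullword_hits(data, text, mods) for ident, text, mods in RULE_STRINGS}
    return all(hits.values()), hits


def build_samples():
    """Constructed byte buffers (not real driver images) covering the cases a
    rule author cares about: a true match, a wrong encoding, a partial token."""
    def wide(s):
        return s.encode("utf-16-le")

    return {
        # every string present in the encoding the rule expects -> match
        "hit": (b"\x00" * 8 + wide("volrec.sys") + b"\x00" * 4
                + b"c:\\build\\volrec.pdb\x00\x00"
                + wide("Volume recognizer driver") + b"\x00\x00"),
        # driver name present only as ASCII: $s0 is `wide`, so it never hits
        "ascii_only_name": (b"volrec.sys\x00\x00" + b"volrec.pdb\x00\x00"
                            + wide("Volume recognizer driver")),
        # PDB name glued to a preceding word: `fullword` rejects $s1
        "not_fullword": (wide("volrec.sys") + b"\x00\x00"
                         + b"myvolrec.pdb\x00\x00"
                         + wide("Volume recognizer driver")),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        matched, hits = evaluate_rule(blob)
        counts = " ".join(f"{k}={len(v)}" for k, v in hits.items())
        print(f"{name:16s} match={matched} {counts}")
```

The second and third samples are the ones worth studying: a file that spells the driver name only in ASCII, or that carries the PDB name inside a longer token, contains the same text yet does not match, which is exactly why the all-of-them condition with explicit encodings keeps this rule's false-positive rate low.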
Scenario: System backup or restore operation using Veeam Backup & Replication
Filter/Exclusion: Check for presence of veeam.exe or VeeamBackup in the process tree, or filter by process name in the event log.
Scenario: Scheduled disk cleanup or defragmentation using Disk Cleanup or Defragment and Optimize Drives
Filter/Exclusion: Filter events where the process is cleanmgr.exe or defrag.exe, or check for the presence of Windows Resource Protection in the event description.
Scenario: Administrative task involving Windows Storage Management or Disk Management
Filter/Exclusion: Exclude processes related to diskmgmt.msc or storagemgmt.exe, or filter by user account (e.g., NT AUTHORITY\SYSTEM).
Scenario: Use of Windows Sandbox or Hyper-V for testing or development
Filter/Exclusion: Check for presence of svchost.exe with Windows Sandbox or Hyper-V services, or filter by process parent or command line arguments.
Scenario: Legitimate use of volrec.sys by Windows Search or Indexing Service
Filter/Exclusion: Exclude processes related to SearchIndexer.exe or Windows Search services, or filter by module name in the event log.