The detection identifies potential kernel-mode rootkit activity associated with the EquationDrug malware, specifically the msndsrv.sys driver, which may indicate stealthy persistence and privilege escalation capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that evade traditional detection methods.
YARA Rule
rule EquationDrug_KernelRootkit
{
    meta:
        description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "Parmsndsrv.dbg" fullword ascii
        $s2 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s3 = "msndsrv.sys" fullword wide
        $s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" fullword wide
        $s6 = "\\Device\\%ws_%ws" fullword wide
        $s7 = "\\DosDevices\\%ws" fullword wide
        $s9 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
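To reason about what the rule above will and will not match, the following Python is a small re-implementation of the three YARA semantics it depends on: the `ascii` versus `wide` (UTF-16LE) encoding of each string, the `fullword` boundary check (a match may not be glued to an alphanumeric character; for wide strings the neighbour is the byte pair alnum + 0x00), and the `all of them` condition. This is an added example, not code from the original page and not YARA itself; the test buffers it builds are constructed and are not samples of the driver.

```python
"""Re-implementation of the string-matching semantics used by the
EquationDrug_KernelRootkit rule: ascii/wide encoding, fullword, all of them.
Added example, not part of the original page; standard library only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    name: str
    text: str
    wide: bool             # True -> searched as UTF-16LE (YARA 'wide')
    fullword: bool = True  # every string in the rule carries 'fullword'


# The eight strings of the rule, with YARA's "\\" escapes resolved to single backslashes.
RULE_STRINGS = [
    Pattern("$s0", "Microsoft(R) Windows (TM) Operating System", wide=True),
    Pattern("$s1", "Parmsndsrv.dbg", wide=False),
    Pattern("$s2", "\\Registry\\User\\CurrentUser\\", wide=True),
    Pattern("$s3", "msndsrv.sys", wide=True),
    Pattern("$s5", "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows", wide=True),
    Pattern("$s6", "\\Device\\%ws_%ws", wide=True),
    Pattern("$s7", "\\DosDevices\\%ws", wide=True),
    Pattern("$s9", "\\Device\\%ws", wide=True),
]
BY_NAME = {p.name: p for p in RULE_STRINGS}


def encode(p: Pattern) -> bytes:
    """Byte form YARA searches for: UTF-16LE for 'wide', raw bytes for 'ascii'."""
    return p.text.encode("utf-16-le") if p.wide else p.text.encode("ascii")


def _alnum(b: int) -> bool:
    """ASCII isalnum(), which is what YARA's fullword test uses."""
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122


def _fullword_ok(data: bytes, start: int, end: int, wide: bool) -> bool:
    """'fullword': reject a hit that is directly preceded or followed by an
    alphanumeric character. For wide strings that neighbour is <alnum, 0x00>."""
    if wide:
        if start >= 2 and data[start - 1] == 0 and _alnum(data[start - 2]):
            return False
        if end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end]):
            return False
        return True
    if start >= 1 and _alnum(data[start - 1]):
        return False
    if end < len(data) and _alnum(data[end]):
        return False
    return True


def find_matches(data: bytes, p: Pattern) -> list:
    """Offsets at which pattern p matches data under its modifiers."""
    needle = encode(p)
    hits, pos = [], data.find(needle)
    while pos != -1:
        if not p.fullword or _fullword_ok(data, pos, pos + len(needle), p.wide):
            hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def evaluate_rule(data: bytes) -> dict:
    """'all of them': the rule fires only if every string has at least one hit."""
    matched = {p.name: find_matches(data, p) for p in RULE_STRINGS}
    return {"matched": matched, "fires": all(matched.values())}


def build_sample(break_fullword: bool = False) -> bytes:
    """Constructed test buffer (not a real sample): all eight strings separated
    by NUL padding. With break_fullword=True, $s1 is glued to a trailing letter,
    which defeats its 'fullword' check and therefore the whole rule."""
    parts = []
    for p in RULE_STRINGS:
        chunk = encode(p)
        if break_fullword and p.name == "$s1":
            chunk += b"X"
        parts.append(chunk)
    return b"\x00\x00".join(parts)


if __name__ == "__main__":
    for flag in (False, True):
        r = evaluate_rule(build_sample(flag))
        unmatched = [n for n, h in r["matched"].items() if not h]
        print("break_fullword=%s -> fires=%s, unmatched=%s" % (flag, r["fires"], unmatched))
```

Two details the evaluator makes visible: because `_` is not alphanumeric, `$s9` (`\Device\%ws`) also matches inside `$s6` (`\Device\%ws_%ws`) despite `fullword`, and a single string whose boundary check fails is enough to keep the whole rule silent, which is why `all of them` rules are precise but brittle against minor string changes.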
Scenario: Legitimate System Update or Patch Installation
Description: A system update or patch installation may involve the loading of msndsrv.sys as part of Windows Update or another system service.
Filter/Exclusion: Check for the presence of Windows Update or Servicing Stack Update in the process or file context. Use a filter like:
(process.name == "wuauserv.exe") or (file.name == "WindowsUpdate.exe")
Scenario: Antivirus or Endpoint Protection Software Loading msndsrv.sys
Description: Some security software may use or load msndsrv.sys as part of its kernel-level operations or for system monitoring.
Filter/Exclusion: Check for known security software vendors (e.g., Bitdefender, Kaspersky, McAfee) and their associated processes. Use a filter like:
(process.name == "bdagent.exe") or (process.name == "kavsvc.exe")
Scenario: Scheduled Job or Task Scheduler Execution
Description: A scheduled task or job may trigger the loading of msndsrv.sys if it involves kernel-level operations or system management tasks.
Filter/Exclusion: Filter based on the presence of Task Scheduler or schtasks.exe in the process tree. Use a filter like:
(process.name == "schtasks.exe") or (process.name == "taskhost.exe")
Scenario: System Management Mode (SMM) or Platform Firmware Update
Description: Firmware updates or system management mode (SMM) operations may involve the use of msndsrv.sys for low-level system control.
Filter/Exclusion: Check for firmware update tools or processes like `flashrom
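The exclusion expressions in the scenarios above share one small grammar: equality clauses on an event field, joined by `or`. The following Python, an added example that is not part of the original page, parses that grammar and applies the three complete filters from the page to a set of constructed hunting results, reporting which alerts are suppressed and by which scenario. The field names `process.name` and `file.name` are taken from the page's filters; the event records are constructed, and the fourth scenario is left out because its filter is cut off on the page.

```python
"""Parse and apply the page's 'Filter/Exclusion' expressions to hunting results.
Added example, not from the original page; event records are constructed."""
import re

# One clause of the form (field == "value"); fields are dotted names as on the page.
CLAUSE_RE = re.compile(r'\(\s*([\w.]+)\s*==\s*"([^"]*)"\s*\)')


def parse_exclusion(expr: str) -> list:
    """Turn '(a.b == "x") or (c.d == "y")' into [(field, value), ...].
    Only the or-joined equality form used on the page is accepted; anything
    else (and, !=, bare values) raises so a typo cannot silently suppress alerts."""
    clauses = []
    for piece in re.split(r"\s+or\s+", expr.strip()):
        m = CLAUSE_RE.fullmatch(piece)
        if not m:
            raise ValueError("unsupported filter syntax: %r" % piece)
        clauses.append((m.group(1), m.group(2)))
    return clauses


def is_excluded(event: dict, clauses: list) -> bool:
    """An event is excluded if ANY clause matches (the filters are or-joined).
    Windows file names are case-insensitive, so the comparison is too."""
    for field, value in clauses:
        actual = event.get(field)
        if actual is not None and actual.casefold() == value.casefold():
            return True
    return False


# The three complete exclusions exactly as written on the page.
PAGE_EXCLUSIONS = {
    "windows_update": '(process.name == "wuauserv.exe") or (file.name == "WindowsUpdate.exe")',
    "security_software": '(process.name == "bdagent.exe") or (process.name == "kavsvc.exe")',
    "scheduled_task": '(process.name == "schtasks.exe") or (process.name == "taskhost.exe")',
}


def triage(events: list, exclusions: dict = PAGE_EXCLUSIONS) -> tuple:
    """Return (kept_ids, suppressed) where suppressed maps event id -> scenario
    name of the first exclusion that matched."""
    parsed = {name: parse_exclusion(e) for name, e in exclusions.items()}
    kept, suppressed = [], {}
    for ev in events:
        for name, clauses in parsed.items():
            if is_excluded(ev, clauses):
                suppressed[ev["id"]] = name
                break
        else:
            kept.append(ev["id"])
    return kept, suppressed


# Constructed hunting results: the YARA rule fired on a driver file in each case.
SAMPLE_EVENTS = [
    {"id": 1, "process.name": "wuauserv.exe", "file.name": "msndsrv.sys"},
    {"id": 2, "process.name": "KAVSVC.EXE", "file.name": "msndsrv.sys"},
    {"id": 3, "process.name": "svchost.exe", "file.name": "msndsrv.sys"},
    {"id": 4, "process.name": "taskhost.exe", "file.name": "msndsrv.sys"},
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_EVENTS)
    print("kept for analyst review:", kept)
    print("suppressed:", suppressed)
```

Note that every one of these exclusions keys on a process name alone, which is a weak discriminator: the rule matches on the content of the driver, so before an exclusion is allowed to suppress a hit it should also confirm the file's hash or signature, otherwise a renamed process is enough to hide a true positive.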