An adversary is using a backdoor leveraging network sniffer components like mstcp32.sys and fat32.sys to exfiltrate data covertly. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts and mitigate advanced persistent threats.
YARA Rule
rule EquationDrug_NetworkSniffer1
{
    meta:
        description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s3 = "sys\\mstcp32.dbg" fullword ascii
        $s7 = "mstcp32.sys" fullword wide
        $s8 = "p32.sys" fullword ascii
        $s9 = "\\Device\\%ws_%ws" fullword wide
        $s10 = "\\DosDevices\\%ws" fullword wide
        $s11 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
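To make the eight strings and the "all of them" condition concrete, here is an added example (not part of the rule or its author's material) that re-implements the rule's string checks in plain Python: how a "wide" string is UTF-16LE in the binary, how "fullword" rejects a pattern glued to an alphanumeric neighbour, and why the condition requires every string. The byte buffer is constructed for illustration and is not real EquationDrug content; a real scan would use the yara binary or yara-python against the sample.

```python
import string

# Byte values YARA treats as alphanumeric when checking "fullword" boundaries.
ALNUM_BYTES = set((string.ascii_letters + string.digits).encode("ascii"))

# The eight strings of EquationDrug_NetworkSniffer1 as (text, modifier); all are fullword.
RULE_STRINGS = {
    "$s0": ("Microsoft(R) Windows (TM) Operating System", "wide"),
    "$s1": ("\\Registry\\User\\CurrentUser\\", "wide"),
    "$s3": ("sys\\mstcp32.dbg", "ascii"),
    "$s7": ("mstcp32.sys", "wide"),
    "$s8": ("p32.sys", "ascii"),
    "$s9": ("\\Device\\%ws_%ws", "wide"),
    "$s10": ("\\DosDevices\\%ws", "wide"),
    "$s11": ("\\Device\\%ws", "wide"),
}


def encode(text, modifier):
    """'wide' strings are UTF-16LE in the binary; 'ascii' strings are single bytes."""
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")


def is_fullword(data, start, end, modifier):
    """True if data[start:end] is not glued to an alphanumeric neighbour.

    For ascii the neighbour is one byte; for wide it is a two-byte UTF-16LE
    character, i.e. an alphanumeric byte followed by 0x00.
    """
    if modifier == "ascii":
        if start > 0 and data[start - 1] in ALNUM_BYTES:
            return False
        if end < len(data) and data[end] in ALNUM_BYTES:
            return False
        return True
    if start >= 2 and data[start - 2] in ALNUM_BYTES and data[start - 1] == 0:
        return False
    if end + 1 < len(data) and data[end] in ALNUM_BYTES and data[end + 1] == 0:
        return False
    return True


def find_fullword(data, text, modifier):
    """Offsets of every fullword occurrence of the encoded pattern in data."""
    pattern = encode(text, modifier)
    offsets = []
    pos = data.find(pattern)
    while pos != -1:
        if is_fullword(data, pos, pos + len(pattern), modifier):
            offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def evaluate_rule(data):
    """Mirror the rule's 'all of them' condition; returns (matched, per-string offsets)."""
    hits = {sid: find_fullword(data, text, mod) for sid, (text, mod) in RULE_STRINGS.items()}
    return all(hits.values()), hits


def build_sample(include_standalone_p32):
    """Constructed stand-in for a driver image; NOT real EquationDrug bytes.

    Strings are separated by two NUL bytes, as in a typical PE string table.
    The ascii "mstcp32.sys" contains "p32.sys" glued to the letter 'c', so
    $s8 only matches when a standalone "p32.sys" is present.
    """
    parts = [
        encode("Microsoft(R) Windows (TM) Operating System", "wide"),
        encode("\\Registry\\User\\CurrentUser\\", "wide"),
        encode("sys\\mstcp32.dbg", "ascii"),
        encode("mstcp32.sys", "wide"),
        encode("mstcp32.sys", "ascii"),
        encode("\\Device\\%ws_%ws", "wide"),  # also satisfies $s11: '_' is not alphanumeric
        encode("\\DosDevices\\%ws", "wide"),
    ]
    if include_standalone_p32:
        parts.append(encode("p32.sys", "ascii"))
    return b"\x00\x00" + b"\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    for flag in (True, False):
        matched, hits = evaluate_rule(build_sample(flag))
        missing = [sid for sid, offs in hits.items() if not offs]
        print(f"standalone p32.sys={flag}: matched={matched}, missing={missing}")
```

Two details worth noticing: the shorter $s11 is satisfied by the longer $s9 because fullword only rejects alphanumeric neighbours and "_" is not one, while $s8 is not satisfied by the ascii "mstcp32.sys" because "c" is. A file that lacks any one of the eight strings does not fire the rule, which is why its hash is a useful second indicator when hunting.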
Scenario: Legitimate use of mstcp32.sys by a network diagnostic tool such as Wireshark or Microsoft Network Monitor
Filter/Exclusion: Exclude processes where the parent process is Wireshark.exe or ntoskrnl.exe (kernel), or filter by process name mstcp32.sys with parent process Wireshark.exe.
Scenario: Scheduled system update or patching task that temporarily loads fat32.sys or mstcp32.sys as part of a driver update
Filter/Exclusion: Exclude events where the process is associated with a scheduled task named WindowsUpdate or PatchManager, or filter by process name with parent process svchost.exe or taskeng.exe.
Scenario: Use of Microsoft Sysinternals tools such as Procmon or Process Explorer, which may load mstcp32.sys or similar drivers for monitoring purposes
Filter/Exclusion: Exclude processes where the parent is procmon.exe or process.exe, or filter by process name with parent process explorer.exe or svchost.exe.
Scenario: Antivirus or endpoint protection software (e.g., Kaspersky, Bitdefender) that dynamically loads system drivers for scanning purposes
Filter/Exclusion: Exclude processes where the parent is an antivirus service (e.g., kavsvc.exe, bdssvc.exe) or filter by process name with parent process svchost.exe and known AV service names.
Scenario: Virtualization or containerization tools (e.g., VMware Tools, Hyper-V, Docker) that may load system drivers like mstcp32.sys for network interface management
Filter/Exclusion: Exclude processes where the parent
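The scenarios above describe exclusions in terms of the parent process that loaded the driver. The following added example (not from the original page) applies that triage to constructed driver-load events. Field names, process names and every hash except KNOWN_BAD_SHA1 are invented for illustration; KNOWN_BAD_SHA1 is the hash from the rule's meta section. The design point is ordering: the hash is checked before any exclusion, so a broad parent-process exclusion such as svchost.exe can never suppress the known sample.

```python
"""Triage of driver-load events against the false-positive scenarios above."""

KNOWN_BAD_SHA1 = {"26e787997a338d8111d96c9a4c103cf8ff0201ce"}  # from the rule meta
WATCHED_DRIVERS = {"mstcp32.sys", "fat32.sys"}

# Parent processes the scenarios treat as legitimate loaders, keyed by
# scenario so every suppression records why it happened. svchost.exe is a
# very broad exclusion; the hash check in classify() runs first so it can
# never hide a known sample.
EXCLUSIONS = {
    "network diagnostics": {"wireshark.exe"},
    "scheduled patching": {"svchost.exe", "taskeng.exe"},
    "sysinternals monitoring": {"procmon.exe"},
    "endpoint protection": {"kavsvc.exe", "bdssvc.exe"},
}

# Constructed driver-load events in a Defender/Sentinel-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"FileName": "mstcp32.sys", "InitiatingProcessFileName": "Wireshark.exe",
     "SHA1": "1111111111111111111111111111111111111111"},
    {"FileName": "mstcp32.sys", "InitiatingProcessFileName": "svchost.exe",
     "SHA1": "26e787997a338d8111d96c9a4c103cf8ff0201ce"},
    {"FileName": "fat32.sys", "InitiatingProcessFileName": "services.exe",
     "SHA1": "2222222222222222222222222222222222222222"},
    {"FileName": "ntfs.sys", "InitiatingProcessFileName": "System",
     "SHA1": "3333333333333333333333333333333333333333"},
    {"FileName": "mstcp32.sys", "InitiatingProcessFileName": "Procmon.exe",
     "SHA1": "4444444444444444444444444444444444444444"},
]


def classify(event):
    """Return (verdict, reason) for one event, or None if the driver is not watched."""
    name = event.get("FileName", "").lower()
    parent = event.get("InitiatingProcessFileName", "").lower()
    sha1 = event.get("SHA1", "").lower()
    if name not in WATCHED_DRIVERS:
        return None
    # Hash first: exclusions describe benign *context*, but the known sample
    # is malicious regardless of which process loaded it.
    if sha1 in KNOWN_BAD_SHA1:
        return ("alert", "SHA1 matches the EquationDrug sample in the rule meta")
    for scenario, parents in EXCLUSIONS.items():
        if parent in parents:
            return ("suppressed", f"parent {parent} matches the '{scenario}' scenario")
    return ("alert", f"{name} loaded by unexpected parent {parent}")


def triage(events):
    """Classify every watched event; returns a list of (event, verdict, reason)."""
    out = []
    for event in events:
        result = classify(event)
        if result is not None:
            out.append((event, *result))
    return out


def verdicts(events):
    """Just the verdicts, in event order, for quick inspection or testing."""
    return [verdict for _, verdict, _ in triage(events)]


if __name__ == "__main__":
    for event, verdict, reason in triage(SAMPLE_EVENTS):
        print(f"{verdict:10} {event['FileName']:12} {reason}")
```

Recording the scenario name with each suppression keeps the exclusions auditable: when a tuning review asks why a mstcp32.sys load was dropped, the reason field answers it without re-running the hunt.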