The detection identifies potential network sniffing activity associated with the EquationDrug malware leveraging the tdip.sys driver, which may indicate data exfiltration or network monitoring. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage malware persistence and mitigate potential data loss or network compromise.
YARA Rule
rule EquationDrug_NetworkSniffer2
{
    meta:
        description = "EquationDrug - Network Sniffer - tdip.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "IP Transport Driver" fullword wide
        $s2 = "tdip.sys" fullword wide
        $s3 = "sys\\tdip.dbg" fullword ascii
        $s4 = "dip.sys" fullword ascii
        $s5 = "\\Device\\%ws_%ws" fullword wide
        $s6 = "\\DosDevices\\%ws" fullword wide
        $s7 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}
This rule contains 8 string patterns in its detection logic, and all of them must be present for the rule to fire. The scenarios below describe contexts in which the rule can be deployed, the legitimate activity that could trigger it there, and a suggested filter or exclusion for each:
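To make concrete what the rule's modifiers require of a sample, here is an added example (not from the original page or the rule's author) that emulates how YARA evaluates these eight strings: wide strings are searched as UTF-16LE, ascii strings as raw bytes, fullword means no alphanumeric code unit on either side of the match, and "all of them" means every string must be found. The sample buffers are constructed inline; the rule's strings are copied from above.

```python
# Strings copied from the rule above; 'wide' = UTF-16LE, 'ascii' = raw bytes.
RULE_STRINGS = {
    "$s0": ("Microsoft(R) Windows (TM) Operating System", "wide"),
    "$s1": ("IP Transport Driver", "wide"),
    "$s2": ("tdip.sys", "wide"),
    "$s3": ("sys\\tdip.dbg", "ascii"),
    "$s4": ("dip.sys", "ascii"),
    "$s5": ("\\Device\\%ws_%ws", "wide"),
    "$s6": ("\\DosDevices\\%ws", "wide"),
    "$s7": ("\\Device\\%ws", "wide"),
}

def encode(text, modifier):
    """Byte form of a rule string as it appears inside the binary."""
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")

def alnum_unit_at(data, pos, modifier):
    """True if the code unit at pos is alphanumeric (ASCII only, like C isalnum).
    For wide strings a unit is two bytes: an ASCII letter followed by 0x00."""
    width = 2 if modifier == "wide" else 1
    if pos < 0 or pos + width > len(data):
        return False  # the buffer edge counts as a word boundary
    if modifier == "wide" and data[pos + 1] != 0:
        return False
    return bytes([data[pos]]).isalnum()

def find_fullword(data, pattern, modifier):
    """True if pattern occurs at least once with non-alphanumeric neighbours
    on both sides, which is what YARA's 'fullword' modifier checks."""
    width = 2 if modifier == "wide" else 1
    idx = data.find(pattern)
    while idx != -1:
        if not alnum_unit_at(data, idx - width, modifier) and \
           not alnum_unit_at(data, idx + len(pattern), modifier):
            return True
        idx = data.find(pattern, idx + 1)
    return False

def evaluate_rule(data):
    """Emulate 'condition: all of them'. Returns (matched, per-string results)."""
    results = {sid: find_fullword(data, encode(text, mod), mod)
               for sid, (text, mod) in RULE_STRINGS.items()}
    return all(results.values()), results

def build_sample(skip=()):
    """Constructed test buffer: the rule strings, null-separated, minus `skip`."""
    return b"\x00\x00".join(encode(t, m) for sid, (t, m) in RULE_STRINGS.items()
                            if sid not in skip) + b"\x00\x00"
```

Note that an ascii "dip.sys" embedded in "tdip.sys" does not satisfy $s4, because the preceding "t" is alphanumeric; the string must stand on its own for the rule to match.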
Scenario: Legitimate Network Traffic Analysis Tool Usage
Description: A security analyst is using Wireshark or tcpdump to capture and analyze network traffic for troubleshooting or compliance purposes.
Filter/Exclusion: Check for process names like wireshark.exe, tcpdump.exe, or tshark.exe in the event source. Exclude processes running from user directories or non-system paths.
Scenario: Scheduled System Maintenance Task
Description: A Windows Task Scheduler job is configured to run a system diagnostic or cleanup tool that uses tdip.sys for network monitoring as part of its routine.
Filter/Exclusion: Filter events where the process is associated with a scheduled task (e.g., schtasks.exe or Task Scheduler service) or where the parent process is a known system maintenance tool.
Scenario: Antivirus or Endpoint Protection Scan
Description: A Microsoft Defender or Kaspersky scan is using tdip.sys as part of its network inspection to detect malware or suspicious activity.
Filter/Exclusion: Exclude processes that are part of the antivirus/endpoint protection suite (e.g., MsMpEng.exe, KavService.exe, or KavService64.exe).
Scenario: Remote Management Tool Communication
Description: A Microsoft Remote Desktop Services (RDS) or TeamViewer session is establishing a network connection that triggers the rule due to tdip.sys being involved in the communication.
Filter/Exclusion: Filter events where the source IP is a known internal IP range or where the process is associated with a remote management tool (e.g., mstsc.exe, TeamViewer.exe).
Scenario: Virtualization or Container Network Monitoring
Description: A Hyper-V