This YARA rule identifies the tdip.sys driver that the EquationDrug espionage platform uses as its network sniffer. Finding it on a host points to passive network monitoring by an implant, to a kernel driver established for persistence, and potentially to traffic being staged for exfiltration. Because YARA matches on file or memory content rather than on events, the rule belongs in endpoint scanning, incident-response triage and file-analysis pipelines; the resulting hits can then be forwarded to a SIEM such as Azure Sentinel (now Microsoft Sentinel) for correlation and hunting.
YARA Rule
rule EquationDrug_NetworkSniffer3
{
    meta:
        description = "EquationDrug - Network Sniffer - tdip.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "14599516381a9646cd978cf962c4f92386371040"
    strings:
        $s0 = "Corporation. All rights reserved." fullword wide
        $s1 = "IP Transport Driver" fullword wide
        $s2 = "tdip.sys" fullword wide
        $s3 = "tdip.pdb" fullword ascii
    condition:
        all of them
}
The rule can be run with the yara command-line scanner against files or process memory, with yara-python from a triage script, or loaded into any endpoint product that accepts YARA rules.
It is a static content signature built from 4 string patterns: three UTF-16LE (wide) strings of the kind found in a PE version resource ($s0 is the tail of a Microsoft-style copyright notice, $s1 a file description, $s2 the driver's file name) and one ASCII string, the debug symbol file name tdip.pdb. The fullword modifier requires each string to be delimited by non-alphanumeric characters, and the condition all of them requires all four to occur in the same file, which stops the generic copyright fragment from firing on its own. The hash in the meta section is 40 hex characters, i.e. a SHA-1 of the reference sample, and is the first value to compare when a match is reported.
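To make the matching semantics concrete, the following stand-alone Python re-implements the rule's four strings, YARA's wide and fullword modifiers and the all-of-them condition over plain bytes, then applies it to constructed blobs that exercise each way a file can fail to match. This is an added example and not part of the original page or of Florian Roth's rule set; the function names and the sample blobs are assumptions made here, and the blobs are not bytes from any real tdip.sys.

```python
"""Offline emulation of rule EquationDrug_NetworkSniffer3 (added example, not the page's code).

Re-implements the rule's strings, YARA's `wide` / `fullword` semantics and the
`all of them` condition on raw bytes. Sample blobs are constructed for
illustration only; they are not taken from any real driver.
"""
import hashlib

# From the rule's meta section: SHA-1 (40 hex chars) of the reference sample.
REFERENCE_SHA1 = "14599516381a9646cd978cf962c4f92386371040"

# Mirrors the rule's strings section: (identifier, text, modifier).
RULE_STRINGS = [
    ("$s0", "Corporation. All rights reserved.", "wide"),
    ("$s1", "IP Transport Driver", "wide"),
    ("$s2", "tdip.sys", "wide"),
    ("$s3", "tdip.pdb", "ascii"),
]


def encode(text, mode):
    """`wide` in YARA means UTF-16LE: every ASCII character followed by 0x00."""
    return text.encode("utf-16-le") if mode == "wide" else text.encode("ascii")


def fullword_matches(data, pattern, mode):
    """Offsets where `pattern` occurs delimited by non-alphanumeric characters.

    Follows YARA's fullword check: for ascii strings the byte before and after
    the match must not be alphanumeric; for wide strings the *character* before
    and after (an alphanumeric byte followed by 0x00) must not be alphanumeric.
    """
    step = 2 if mode == "wide" else 1
    hits, start = [], 0
    while (i := data.find(pattern, start)) >= 0:
        end = i + len(pattern)
        before_alnum = (i >= step and bytes([data[i - step]]).isalnum()
                        and (mode == "ascii" or data[i - 1] == 0))
        after_alnum = (end + step <= len(data) and bytes([data[end]]).isalnum()
                       and (mode == "ascii" or data[end + 1] == 0))
        if not before_alnum and not after_alnum:
            hits.append(i)
        start = i + 1
    return hits


def scan(data):
    """Apply the rule to a byte blob: per-string hit counts, verdict and SHA-1.

    `all of them` requires every declared string to have at least one hit.
    Comparing the SHA-1 with the reference hash is the first triage step for
    any file that matches.
    """
    counts = {name: len(fullword_matches(data, encode(text, mode), mode))
              for name, text, mode in RULE_STRINGS}
    sha1 = hashlib.sha1(data).hexdigest()
    return {"strings": counts, "matched": all(counts.values()),
            "sha1": sha1, "is_reference_sample": sha1 == REFERENCE_SHA1}


def wide(text):
    return text.encode("utf-16-le")


PAD = b"\x00" * 8  # non-alphanumeric filler, like padding between resource strings

# Constructed blobs (not real driver bytes), one per branch of the condition.
SAMPLE_HIT = (PAD + wide("Microsoft Corporation. All rights reserved.") + PAD
              + wide("IP Transport Driver") + PAD + wide("tdip.sys") + PAD
              + b"d:\\build\\tdip.pdb" + PAD)                              # all four -> match
SAMPLE_ASCII_NAME = SAMPLE_HIT.replace(wide("tdip.sys"), b"tdip.sys")      # $s2 must be wide
SAMPLE_GLUED_PDB = SAMPLE_HIT.replace(b"tdip.pdb", b"xtdip.pdbx")          # $s3 not fullword
SAMPLE_MISSING_S1 = SAMPLE_HIT.replace(wide("IP Transport Driver"), PAD)   # only 3 of 4

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("ascii-name", SAMPLE_ASCII_NAME),
                        ("glued-pdb", SAMPLE_GLUED_PDB), ("missing-s1", SAMPLE_MISSING_S1)]:
        r = scan(blob)
        print(f"{label:11} matched={r['matched']} strings={r['strings']} sha1={r['sha1']}")
```

Note that "Microsoft Corporation. All rights reserved." still satisfies $s0 because the preceding space is not alphanumeric, while "xtdip.pdbx" does not satisfy $s3: fullword is about the delimiters, not about the string standing alone in the file. In production the same checks are done by yara-python (yara.compile(source=...) followed by rules.match(data=...)) or the yara binary; the emulation here is only to show what those calls evaluate.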
The scenarios below are tuning notes. Because the rule inspects file and memory content rather than process activity, process-name exclusions have no effect on it; the useful checks are on the matched file itself.
Scenario: A packet-capture or network-diagnostics tool (Wireshark, a PowerShell job driving netsh, an EDR sensor such as Microsoft Defender for Endpoint, formerly Defender ATP) is running legitimately on the host.
Filter/Exclusion: None needed. Network activity is not an input to this rule, and none of these tools' binaries carry the tdip.sys file name together with a tdip.pdb debug path, so they cannot produce a match. Do not add wireshark.exe, powershell.exe or scanner process names as exclusions; they would not reduce false positives and would only blind any process-memory scan.
Scenario: A match is reported on a file in the drivers directory or in the memory of a process.
Filter/Exclusion: Do not exclude. Compute the file's SHA-1 and compare it with the reference hash 14599516381a9646cd978cf962c4f92386371040; a different hash means a variant or a false positive to analyse, not a clean file. Check the Authenticode signature and the full PDB path. "Corporation. All rights reserved." and "IP Transport Driver" imitate Microsoft version information, so a driver carrying these strings without a valid Microsoft signature is a strong indicator.
Scenario: The host is in the middle of Windows Update, or files are being transferred over a Remote Desktop session.
Filter/Exclusion: None. tdip.sys is not a Windows component, and neither Windows Update (wuauclt.exe) nor Remote Desktop (mstsc.exe) loads a driver by that name; the name imitates a Microsoft transport driver. A tdip.sys on the host is suspicious regardless of what else is running, and a match should not be dismissed because it coincided with routine administration.