The detection identifies potential network-sniffer or patcher activity associated with the atmdkdrv.sys driver, which may indicate the presence of the EquationDrug malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement.
YARA Rule
rule EquationDrug_NetworkSniffer5
{
    meta:
        description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s2 = "atmdkdrv.sys" fullword wide
        $s4 = "\\Device\\%ws_%ws" fullword wide
        $s5 = "\\DosDevices\\%ws" fullword wide
        $s6 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}
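As an added example (not part of the original page or the rule author's code), the Python below mimics how this rule's `fullword wide` strings and its `all of them` condition behave, using a constructed byte buffer rather than a real sample. The boundary handling is an approximation of YARA's semantics, written here for illustration.

```python
import re

# The six strings from the EquationDrug_NetworkSniffer5 rule above
# (Python escaping of the backslashes is the same as YARA's).
RULE_STRINGS = {
    "$s0": "Microsoft(R) Windows (TM) Operating System",
    "$s1": "\\Registry\\User\\CurrentUser\\",
    "$s2": "atmdkdrv.sys",
    "$s4": "\\Device\\%ws_%ws",
    "$s5": "\\DosDevices\\%ws",
    "$s6": "\\Device\\%ws",
}

def fullword_wide_pattern(text: str) -> re.Pattern:
    """Approximate YARA's 'fullword wide' modifier as a bytes regex.

    'wide' encodes the string as UTF-16LE; 'fullword' rejects a hit that is
    directly preceded or followed by an alphanumeric UTF-16LE character.
    """
    needle = re.escape(text.encode("utf-16-le"))
    alnum = rb"[0-9A-Za-z]\x00"  # one ASCII alphanumeric code unit in UTF-16LE
    return re.compile(rb"(?<!" + alnum + rb")" + needle + rb"(?!" + alnum + rb")")

def scan(data: bytes) -> dict:
    """Return {identifier: [offsets]} for each rule string found in data."""
    hits = {}
    for ident, text in RULE_STRINGS.items():
        offsets = [m.start() for m in fullword_wide_pattern(text).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits

def rule_matches(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must be present."""
    return set(scan(data)) == set(RULE_STRINGS)

def wide(s: str) -> bytes:
    """UTF-16LE string with a NUL terminator, as it would sit in a PE image."""
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample buffers (not real files): one that carries all six
# strings as NUL-terminated wide strings, and one where the driver name is
# embedded in a longer token so 'fullword' no longer matches $s2.
SAMPLE_HIT = b"MZ" + b"\x00" * 14 + b"".join(wide(s) for s in RULE_STRINGS.values())
SAMPLE_MISS = SAMPLE_HIT.replace(wide("atmdkdrv.sys"), wide("xatmdkdrv.sysx"))

if __name__ == "__main__":
    print("hit:", rule_matches(SAMPLE_HIT), scan(SAMPLE_HIT))
    print("miss:", rule_matches(SAMPLE_MISS), sorted(scan(SAMPLE_MISS)))
```

Note that $s6 also matches inside $s4, because the underscore following `%ws` is not alphanumeric and so does not break a `fullword` boundary.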
This rule contains 6 string patterns in its detection logic. The following scenarios describe legitimate activity that may overlap with this detection, together with filters or exclusions that can be applied to reduce false positives:
Scenario: System update or patch deployment using Microsoft's Windows Update or WSUS
Filter/Exclusion: Check for EventID=19 or EventID=20 from the Microsoft-Windows-WindowsUpdate source, or filter by ProcessName containing wusa.exe or wuauclt.exe.
Scenario: Legitimate use of atmdkdrv.sys by network monitoring tools such as Wireshark or Microsoft Network Monitor
Filter/Exclusion: Filter by ProcessName containing wireshark.exe, nmm.exe, or ntm.exe, or check for known benign processes associated with network analysis tools.
Scenario: Scheduled system maintenance task using Task Scheduler to run disk cleanup or defragmentation
Filter/Exclusion: Filter by ProcessName containing cleanmgr.exe or defrag.exe, or check for a TaskName matching known system maintenance tasks.
Scenario: Antivirus or endpoint protection software performing a deep scan, such as Bitdefender or Kaspersky
Filter/Exclusion: Filter by ProcessName containing bdss.exe, kavsvc.exe, or avgnt.exe, or check for a ProductName matching known security software.
Scenario: Remote desktop or administrative task executed via PowerShell or Remote Server Administration Tools (RSAT)
Filter/Exclusion: Filter by ProcessName containing powershell.exe or mstsc.exe, or check whether the User field indicates a domain admin or service account.