This detection identifies potential adversary use of mscfg32.dll and svchost32.dll as the platform orchestrator component associated with the EquationDrug malware. SOC teams should proactively hunt for this behavior in environments monitored with Azure Sentinel to detect early-stage adversary activity and prevent lateral movement.
YARA Rule
rule EquationDrug_PlatformOrchestrator
{
    meta:
        description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
    strings:
        $s0 = "SERVICES.EXE" fullword wide
        $s1 = "\\command.com" fullword wide
        $s2 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s3 = "LSASS.EXE" fullword wide
        $s4 = "Windows Configuration Services" fullword wide
        $s8 = "unilay.dll" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
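To make the rule's matching semantics concrete, here is an added Python emulation (not part of the original page or of the rule author's tooling) of the six strings, their `fullword wide` / `fullword ascii` modifiers and the `all of them` condition. The sample buffers are constructed for illustration and are not real malware; a real deployment would compile the rule with yara or yara-python rather than re-implement it.

```python
# Strings lifted from the rule above, with their YARA modifiers.
RULE_STRINGS = {
    "$s0": ("SERVICES.EXE", "wide"),
    "$s1": ("\\command.com", "wide"),
    "$s2": ("Microsoft(R) Windows (TM) Operating System", "wide"),
    "$s3": ("LSASS.EXE", "wide"),
    "$s4": ("Windows Configuration Services", "wide"),
    "$s8": ("unilay.dll", "ascii"),
}

def _encode(text: str, mode: str) -> bytes:
    return text.encode("utf-16-le" if mode == "wide" else "ascii")

def _alnum_unit(unit: bytes, width: int) -> bool:
    """True if `unit` is one ASCII-alphanumeric code unit (1 byte for ascii,
    2 bytes for UTF-16LE wide). A missing unit (buffer edge) is a delimiter."""
    if len(unit) < width or (width == 2 and unit[1] != 0):
        return False
    return unit[:1].isalnum()

def find_fullword(data: bytes, text: str, mode: str) -> bool:
    """Emulate YARA `fullword wide` / `fullword ascii`: the encoded string must
    have non-alphanumeric (or buffer-edge) code units on both sides."""
    width, needle = (2 if mode == "wide" else 1), _encode(text, mode)
    idx = data.find(needle)
    while idx >= 0:
        before = data[max(idx - width, 0):idx]
        after = data[idx + len(needle):idx + len(needle) + width]
        if not _alnum_unit(before, width) and not _alnum_unit(after, width):
            return True
        idx = data.find(needle, idx + 1)
    return False

def evaluate_rule(data: bytes) -> dict:
    """Evaluate every string and the rule's `all of them` condition."""
    hits = {n: find_fullword(data, t, m) for n, (t, m) in RULE_STRINGS.items()}
    return {"strings": hits, "match": all(hits.values())}

# Constructed sample buffers (not real malware). SAMPLE_ALL carries all six
# strings NUL-separated, as they would sit in a PE's string/resource tables.
SAMPLE_ALL = b"\x00\x00".join(_encode(t, m) for t, m in RULE_STRINGS.values()) + b"\x00"
# Same strings but ASCII-only: the five `wide` strings do not match.
SAMPLE_ASCII_ONLY = b"\x00".join(t.encode() for t, _ in RULE_STRINGS.values())
# 'unilay.dll' glued to a preceding letter: fullword rejects it, so
# `all of them` fails even though the other five strings still hit.
SAMPLE_NOT_FULLWORD = SAMPLE_ALL.replace(b"unilay.dll", b"xunilay.dll")
```

Running `evaluate_rule` on the three buffers shows why a file with the same strings stored only as ASCII, or with one string embedded inside a longer identifier, does not trigger the rule.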
Scenario: Legitimate system update or patching process using mscfg32.dll
Filter/Exclusion: Check for presence of mscfg32.dll in known system directories (e.g., C:\Windows\System32) and correlate with Windows Update or Microsoft Update events.
Scenario: Scheduled task running svchost.exe with svchost32.dll as part of normal system services
Filter/Exclusion: Filter by parent process (e.g., services.exe) and check whether the task is registered in Task Scheduler under a known, legitimate name.
Scenario: Antivirus or endpoint protection software using svchost.exe to run its own modules
Filter/Exclusion: Check for process command line arguments containing known AV product names (e.g., Windows Defender, McAfee, Kaspersky) or use a whitelist of trusted security software.
Scenario: System configuration tool (e.g., msconfig.exe) being used by an administrator to modify startup settings
Filter/Exclusion: Filter by user context (e.g., Administrators group) and check for command line arguments indicating legitimate use of msconfig.exe.
Scenario: Microsoft Configuration Tool (mscfg32.dll) used in a corporate deployment or imaging process
Filter/Exclusion: Correlate with imaging or deployment tools (e.g., Microsoft Deployment Toolkit, SCCM) and check for presence in known deployment directories.