EquationDrug - Collector plugin for Volrec - msrstd.sys

Hunt Hypothesis

The hypothesis is that the detection of msrstd.sys, a collector plugin for EquationDrug, indicates potential adversary activity leveraging this component to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by advanced persistent threats.

YARA Rule

rule EquationDrug_VolRec_Driver 
{

    meta:
        description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"

    strings:
        $s0 = "msrstd.sys" fullword wide
        $s1 = "msrstd.pdb" fullword ascii
        $s2 = "msrstd driver" fullword wide

    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
• Source Rule

False Positive Guidance

• Scenario: Microsoft System Resource Monitor (msrstd.sys) is used by the Windows Performance Monitor (PerfMon) to collect system resource data during routine system monitoring.
  Filter/Exclusion: Check for the presence of perfmon.exe or perfmon in the process tree, or filter by process name perfmon.exe.

• Scenario: A system administrator is using the Microsoft System Resource Monitor (msrstd.sys) to troubleshoot a performance issue, such as high CPU or memory usage.
  Filter/Exclusion: Filter by user account (e.g., Administrator or specific admin user), or check for the presence of taskmgr.exe or msconfig.exe in the process tree.

• Scenario: A scheduled task is running a script or application that temporarily increases system resource usage, which may trigger the collector plugin (msrstd.sys).
  Filter/Exclusion: Filter by the task name or schedule (e.g., Task Scheduler or schtasks.exe), or check for the presence of schtasks.exe in the process tree.

• Scenario: A third-party tool such as Windows Performance Analyzer (WPA) or Windows Assessment and Deployment Kit (ADK) is using msrstd.sys to collect system performance data.
  Filter/Exclusion: Check for the presence of wpa.exe, mmt.exe, or dism.exe in the process tree, or filter by the associated tool’s process name.

• Scenario: A system update or patching process (e.g., via Windows Update or Group Policy) temporarily increases resource usage, triggering the collector plugin.
  Filter/Exclusion: Filter by the presence of wuauclt.exe, msiexec.exe, or gpupdate.exe in the process tree, or check for system update-related events in