This hunt hypothesis targets potential use of Auditcleaner, a leaked Equation Group hack tool that clears audit logs (the rule below keys on /var/log/audit/audit.log) so that an intrusion leaves less forensic evidence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify adversaries attempting to remove forensic evidence and obscure their presence in the environment.
YARA Rule

rule EquationGroup_Auditcleaner {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626"
    strings:
        $x1 = "> /var/log/audit/audit.log; rm -f ." ascii
        $x2 = "Pastables to run on target:" ascii
        $x3 = "cp /var/log/audit/audit.log .tmp" ascii
        $l1 = "Here is the first good cron session from" fullword ascii
        $l2 = "No need to clean LOGIN lines." fullword ascii
    condition:
        ( filesize < 300KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
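To make the rule's matching semantics concrete, the following added example (not part of the original page, and not using the yara library) re-implements the rule's five ASCII strings, the fullword boundary check on $l1/$l2, and the `filesize < 300KB and 1 of them` condition in pure Python. The sample inputs at the bottom are constructed for illustration; the function names `find_string` and `scan` are this example's own.

```python
"""Pure-Python evaluation of the EquationGroup_Auditcleaner YARA rule logic.

Added example, not the page's or Florian Roth's code. It mirrors the rule's
strings and condition so an analyst can see exactly what triggers a hit and
what does not (fullword boundaries, the 300KB size gate).
"""

# (identifier, pattern, fullword) taken from the rule's strings section
RULE_STRINGS = {
    "$x1": (b"> /var/log/audit/audit.log; rm -f .", False),
    "$x2": (b"Pastables to run on target:", False),
    "$x3": (b"cp /var/log/audit/audit.log .tmp", False),
    "$l1": (b"Here is the first good cron session from", True),
    "$l2": (b"No need to clean LOGIN lines.", True),
}

# YARA's KB suffix means 1024 bytes, so 300KB == 307200 bytes
MAX_FILESIZE = 300 * 1024

ALNUM = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _is_word_byte(b: int) -> bool:
    """YARA's fullword modifier forbids alphanumeric bytes on either side."""
    return b in ALNUM


def find_string(data: bytes, pattern: bytes, fullword: bool) -> list[int]:
    """Return every offset at which pattern occurs in data.

    With fullword=True an occurrence only counts when the byte before and the
    byte after the match are absent or non-alphanumeric.
    """
    hits = []
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        end = i + len(pattern)
        if fullword:
            before_ok = i == 0 or not _is_word_byte(data[i - 1])
            after_ok = end == len(data) or not _is_word_byte(data[end])
            if before_ok and after_ok:
                hits.append(i)
        else:
            hits.append(i)
        start = i + 1


def scan(data: bytes) -> dict:
    """Evaluate the rule's condition: filesize < 300KB and 1 of them.

    Returns {"matched": bool, "strings": {identifier: [offsets]}} so a hunt
    can record which string fired, not just that the rule fired.
    """
    if len(data) >= MAX_FILESIZE:
        # Size gate fails first; YARA would not even evaluate the strings.
        return {"matched": False, "strings": {}}
    matches = {}
    for ident, (pattern, fullword) in RULE_STRINGS.items():
        offsets = find_string(data, pattern, fullword)
        if offsets:
            matches[ident] = offsets
    return {"matched": bool(matches), "strings": matches}


# Constructed sample inputs (not real files from the leak)
SAMPLE_HIT = (
    b"#!/bin/sh\n"
    b"# Pastables to run on target:\n"
    b"cp /var/log/audit/audit.log .tmp\n"
)
SAMPLE_FULLWORD_MISS = b"No need to clean LOGIN lines.X"   # trailing alnum
SAMPLE_BENIGN = b"auditd restarted; logs rotated by logrotate\n"
SAMPLE_OVERSIZE = b"Pastables to run on target:" + b"\0" * MAX_FILESIZE


if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("fullword_miss", SAMPLE_FULLWORD_MISS),
                       ("benign", SAMPLE_BENIGN), ("oversize", SAMPLE_OVERSIZE)]:
        print(name, scan(blob))
```

The fullword case is the one worth remembering during triage: a script that embeds the $l1/$l2 text immediately adjacent to letters or digits will not fire those two strings, whereas the $x strings match anywhere. The size gate is likewise a hard cutoff, so a padded or concatenated copy of the tool above 300KB falls outside this rule and needs other coverage.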
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as Auditcleaner, is executed by the system’s scheduled tasks to clean up audit logs.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with the task name Auditcleaner or System Maintenance.
Scenario: Security Software Cleanup Process
Description: A security tool (e.g., Microsoft Defender, CrowdStrike, or Bitdefender) runs a cleanup process that includes the Auditcleaner tool as part of its malware removal or system sanitization routine.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., MsMpEng.exe, Csws.exe, or bdagent.exe).
Scenario: Admin-Initiated Log Cleanup
Description: A system administrator manually runs the Auditcleaner tool to clear out old audit logs and free up disk space.
Filter/Exclusion: Exclude processes with a user context of a known admin account (e.g., Administrator, Domain Admins) and where the command line includes log cleanup parameters.
Scenario: Third-Party Compliance Tool Execution
Description: A third-party compliance or audit tool (e.g., LogRhythm, Splunk, or IBM QRadar) includes the Auditcleaner utility as part of its data processing pipeline.
Filter/Exclusion: Exclude processes where the executable path includes a known third-party tool directory (e.g., C:\Program Files\LogRhythm\ or C:\Splunk\).
Scenario: Antivirus Quarantine Cleanup
Description: An antivirus tool (e.g., Kaspersky, ESET, or McAfee) runs a cleanup process that temporarily uses the Auditcleaner tool to remove quarant