The detection identifies potential use of calserver, an Equation Group hack tool leaked by the ShadowBrokers, which may indicate unauthorized access or lateral movement within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threat (APT) activity linked to known malicious tooling.
YARA Rule
rule EquationGroup_calserver {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file calserver"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "048625e9a0ca46d7fe221e262c8dd05e7a5339990ffae2fb65a9b0d705ad6099"
   strings:
      $x1 = "usage: %s <host> <port> e <contents of a local file to be executed on target>" fullword ascii
      $x2 = "Writing your %s to target." fullword ascii
      $x3 = "(e)xploit, (r)ead, (m)ove and then write, (w)rite" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 30KB and 1 of them )
}
The rule fires on an ELF file (uint16(0) == 0x457f, the little-endian reading of the 7f 45 magic bytes) smaller than 30 KB that contains at least one of its three string patterns ($x1, $x2, $x3). The following scenarios describe situations that could produce false positives and the filter or exclusion suggested for each:
Scenario: Legitimate scheduled job using calserver tool
Description: A system administrator uses the calserver tool (a legitimate system utility for calendar server management) as part of a scheduled job to synchronize calendar data across servers.
Filter/Exclusion: Exclude processes where the calserver executable is launched by a known system service or scheduled task with a valid user context (e.g., system, administrator, or a service account with documented usage).
Scenario: Security tool or SIEM integration using calserver
Description: A security information and event management (SIEM) system or log analysis tool uses a custom script or module named calserver to process calendar-based event logs for correlation.
Filter/Exclusion: Exclude processes where the calserver executable is associated with a known SIEM tool or log processing framework, or where the process is initiated from a trusted script directory.
Scenario: Admin task to configure calendar services
Description: A system administrator manually runs the calserver tool to configure or troubleshoot calendar services on a server, such as setting up time zones or syncing with external calendar systems.
Filter/Exclusion: Exclude processes where the calserver executable is launched by an administrator account with a documented task history, or where the command line includes known admin-related flags or parameters.
Scenario: Legacy application using calserver for internal scheduling
Description: An older internal application or legacy system uses the calserver tool for internal scheduling tasks, such as triggering reports or maintenance scripts based on calendar events.
Filter/Exclusion: Exclude processes where the calserver executable is part of a known legacy application or where the process is initiated from a specific application directory or with a known internal command-line argument.
Scenario: False positive from a third-party tool