The Equation Group tool set is associated with advanced persistent threat activity, and a file that matches this rule may indicate sophisticated malware or a long-running espionage operation. YARA matches are produced by a file scanner on the endpoint or in a file-analysis pipeline, not by the SIEM itself; SOC teams should ingest those matches into Azure Sentinel, hunt there for accompanying signs of long-term compromise on the affected host, and contain the host before the intrusion escalates.
YARA Rule
rule EquationGroup_charm_saver_win2k_v_2_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "0f7936a37482532a8ba5df4112643ed7579dd0e59181bfca9c641b9ba0a9912f"
    strings:
        $s2 = "0123456789abcdefABCEDF:" fullword ascii
        $op0 = { b8 ff ff ff ff 7f 65 eb 30 8b 55 0c 89 d7 0f b6 } /* Opcode */
        $op2 = { ba ff ff ff ff 83 c4 6c 89 d0 5b 5e 5f 5d c3 90 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}
The condition (uint16(0) == 0x5a4d, filesize < 400KB, all of them) restricts the rule to PE images smaller than 400 KB (YARA's KB suffix means 1024 bytes), so it is meant for scanning files on disk, in quarantine stores, or in a file-analysis pipeline. YARA leaves filesize undefined when it scans a running process, so the rule is not expected to fire in process-memory scans. The rule contains 3 string patterns in its detection logic ($s2, $op0 and $op2), and all three must be present in the same file; $s2 is declared fullword, so the hex-digit character set must not be immediately preceded or followed by another alphanumeric character.
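To make the condition above concrete, the following is an added Python re-implementation of the rule's logic run over constructed byte buffers. It is example code written for this page, not the YARA engine and not the rule author's code; the sample buffers are fabricated PE-like stubs, and the is_file flag is an assumption used to model YARA leaving filesize undefined during a process scan.

```python
import re
from typing import Dict, List

# Added example: a stand-alone re-implementation of the rule's condition,
# written for this page. It is not the YARA engine and not the rule author's code.

S2 = b"0123456789abcdefABCEDF:"                              # $s2
OP0 = bytes.fromhex("b8ffffffff7f65eb308b550c89d70fb6")      # $op0
OP2 = bytes.fromhex("baffffffff83c46c89d05b5e5f5dc390")      # $op2
MAX_SIZE = 400 * 1024   # YARA's "400KB": the KB suffix multiplies by 1024

# YARA "fullword" for an ascii string: the occurrence must not be immediately
# preceded or followed by an alphanumeric character.
_S2_FULLWORD = re.compile(
    rb"(?<![0-9A-Za-z])" + re.escape(S2) + rb"(?![0-9A-Za-z])"
)


def matches(data: bytes, is_file: bool = True) -> bool:
    """Evaluate the rule's condition over one buffer.

    is_file=False (an assumption used here to model a process-memory scan)
    reproduces YARA leaving `filesize` undefined, which makes the
    `filesize < 400KB` term, and with it the whole conjunction, false.
    """
    # uint16(0) == 0x5a4d: little-endian read of the first two bytes, i.e. "MZ"
    if data[:2] != b"MZ":
        return False
    if not is_file or len(data) >= MAX_SIZE:
        return False
    # "all of them": every declared string must occur somewhere in the buffer
    return (_S2_FULLWORD.search(data) is not None
            and OP0 in data
            and OP2 in data)


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names of the buffers that match, like a batch file scan."""
    return [name for name, data in files.items() if matches(data)]


def build_sample(include_all: bool = True, after_s2: bytes = b"") -> bytes:
    """Constructed PE-like stub for testing; not a real executable."""
    buf = bytearray(b"MZ" + b"\x00" * 62)          # DOS header stub only
    buf += b"\x90" * 16 + OP0 + b"\x90" * 16        # $op0 always present
    if include_all:
        buf += b"\x00" + S2 + after_s2 + b"\x00" + OP2
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "hit.exe": build_sample(),
        "missing_op2.exe": build_sample(include_all=False),
        "not_fullword.exe": build_sample(after_s2=b"x"),   # $s2 glued to "x"
        "too_big.exe": build_sample() + b"\x00" * MAX_SIZE,
        "not_pe.bin": b"PK" + build_sample()[2:],
    }
    print("matched:", scan(samples))                      # matched: ['hit.exe']
    # Same bytes, but scanned as process memory: filesize is undefined -> no match
    print("process scan of hit.exe:", matches(samples["hit.exe"], is_file=False))
```

The not_fullword.exe case is the one most often misread: the string is present byte for byte, yet the rule does not fire because fullword rejects an occurrence that runs straight into another alphanumeric character. The process-scan case shows why a hit in memory should not be expected from this rule even when the payload is loaded.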
A hit from this rule is produced by the bytes of the scanned file: a PE image under 400 KB that contains the hex-digit character-set string and both opcode sequences. The rule never sees which process wrote or launched the file or what command line was used, so exclusions have to be expressed on the matched file (path, SHA-256 hash, Authenticode signer), not on process arguments. The two opcode sequences are ordinary 32-bit compiler output (a -1 return value, then a function epilogue of pops and ret), so small binaries built with a similar toolchain are the most likely source of benign matches. The scenarios below cover the legitimate activities most likely to place such files on a host.
Scenario: Legitimate Use of msiexec.exe for Software Installation
Description: Files extracted or installed by msiexec.exe from a vendor MSI package are scanned during or after installation, and a small installer helper binary could carry the same compiler-generated byte sequences.
Filter/Exclusion: After confirming the package's origin, exclude the matched file by SHA-256 hash or by a valid Authenticode signature from a trusted publisher; do not exclude on the msiexec.exe command line, which the rule does not evaluate.
Scenario: Scheduled System Maintenance Tasks
Description: Binaries run by Task Scheduler maintenance jobs are scanned like any other file; the task's command-line arguments have no bearing on whether the rule matches.
Filter/Exclusion: Inventory the executables referenced by approved scheduled tasks, verify their hashes against the vendor's, and exclude those files by path and hash.
Scenario: Admin Task for System Imaging or Backup
Description: Backup and imaging tools such as wbadmin.exe or vssadmin.exe read large numbers of files, and an on-access scanner hooked into those reads can surface hits in archived or restored binaries that were never executed.
Filter/Exclusion: Exclude the backup target or image mount point by path during known backup windows, and triage any matched file by its hash rather than by the process that read it.
Scenario: Use of reg.exe for Registry Management
Description: Registry edits made with reg.exe do not create PE files, so routine configuration changes cannot trigger this rule on their own; a hit that coincides with them points at a file dropped alongside the change, which deserves a look rather than an exclusion.
Filter/Exclusion: No process-based exclusion applies. If reg.exe itself is reported (for example during a full scan of System32), verify its Microsoft signature and hash and exclude that file.
Scenario: PowerShell Script for System Configuration
Description: A plain .ps1 text file does not begin with an MZ header and cannot match; a PowerShell-based deployment that writes small executables or DLLs into a tools directory can.
Filter/Exclusion: Exclude the deployed files by hash or signer once verified, or exclude the known trusted deployment directory by path, rather than the powershell.exe process that wrote them.