The detection identifies potential adversary use of the Equation Group hack tool ‘cmsd’ leaked by ShadowBrokers, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise from sophisticated cyber adversaries.
YARA Rule
rule EquationGroup_cmsd {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file cmsd"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8"
    strings:
        $x1 = "usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]" fullword ascii
        $x2 = "error: not vulnerable" fullword ascii
        $s1 = "port=%d connected! " fullword ascii
        $s2 = "xxx.XXXXXX" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and 1 of ($x*) ) or ( 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
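To make the condition concrete, the following is an added Python re-implementation of the rule's logic (example code written for this page; it is not part of Florian Roth's rule and is not yara-python, which is what you would actually use to scan). It shows two things a reader of the rule should notice: uint16(0) == 0x457f is a little-endian read of bytes 7f 45, i.e. the start of the ELF magic "\x7fELF", so the first branch only fires on ELF binaries smaller than 30 KB that carry one of the high-confidence $x strings; the second branch, 2 of them, needs no header at all and will match any file holding two of the four strings as whole words. The sample blobs are constructed, not real samples.

```python
import struct

# Strings copied from the EquationGroup_cmsd rule above; all carry "fullword ascii".
X_STRINGS = [
    b"usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]",
    b"error: not vulnerable",
]
S_STRINGS = [
    b"port=%d connected! ",
    b"xxx.XXXXXX",
]
MAX_SIZE = 30 * 1024  # YARA's "30KB" means 30 * 1024 bytes


def _is_alnum(byte):
    """YARA's fullword delimiter test: a match may not touch an alphanumeric byte."""
    return bytes([byte]).isalnum()


def fullword_match(data, needle):
    """True if needle occurs in data bounded by non-alphanumeric bytes (or by the
    start/end of data), which is what the 'fullword' modifier requires."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1


def is_elf(data):
    """uint16(0) == 0x457f: YARA reads integers little-endian, so this is the
    byte pair 7f 45, the first two bytes of the ELF magic '\\x7fELF'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x457F


def matches_rule(data):
    """Evaluate ( uint16(0) == 0x457f and filesize < 30KB and 1 of ($x*) ) or ( 2 of them )."""
    x_hits = sum(fullword_match(data, s) for s in X_STRINGS)
    s_hits = sum(fullword_match(data, s) for s in S_STRINGS)
    elf_branch = is_elf(data) and len(data) < MAX_SIZE and x_hits >= 1
    return elf_branch or (x_hits + s_hits) >= 2


# Constructed inputs for illustration (not real samples): a fake ELF header
# followed by a string table, and a few plain-text blobs.
FAKE_ELF_HEADER = b"\x7fELF" + b"\x00" * 60
SMALL_ELF_ONE_X = FAKE_ELF_HEADER + b"\x00error: not vulnerable\x00"       # ELF branch fires
BIG_ELF_ONE_X = FAKE_ELF_HEADER + b"\x00" * MAX_SIZE + b"\x00error: not vulnerable\x00"  # over 30KB
TEXT_TWO_HITS = b"log: port=%d connected! \x00tmp xxx.XXXXXX\n"             # "2 of them" fires
TEXT_ONE_HIT = b"xxx.XXXXXXa error: not vulnerable\n"                       # $s2 glued to 'a': not fullword

SAMPLES = {
    "small_elf_one_x": SMALL_ELF_ONE_X,
    "big_elf_one_x": BIG_ELF_ONE_X,
    "text_two_hits": TEXT_TWO_HITS,
    "text_one_hit": TEXT_ONE_HIT,
}


def evaluate_samples():
    """Run the rule over every constructed sample and report the verdicts."""
    return {name: matches_rule(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} -> {'MATCH' if verdict else 'no match'}")
```

The "text_two_hits" verdict is the one to keep in mind when triaging hits: a YARA scan of log archives, IR notes or a detection-engineering repository that quotes the tool's strings will match through the 2 of them branch without any ELF header being present, so check the file type of the hit before escalating.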
Scenario: Legitimate System File Access
Description: A system administrator or user accesses the cmsd file as part of routine system maintenance or troubleshooting.
Filter/Exclusion: (process.parent_process_name == "explorer.exe" OR process.parent_process_name == "taskmgr.exe" OR process.parent_process_name == "cmd.exe") AND process.command_line LIKE '%cmsd%'

Scenario: Scheduled Job Execution
Description: A legitimate scheduled task or job runs a script that interacts with the cmsd file, such as log rotation or configuration management.
Filter/Exclusion: (process.parent_process_name == "schtasks.exe" OR process.parent_process_name == "at.exe") AND process.command_line LIKE '%cmsd%'

Scenario: Antivirus or Security Tool Scanning
Description: An endpoint protection tool or SIEM agent scans the cmsd file during a routine integrity check or malware scan.
Filter/Exclusion: (process.parent_process_name == "mpsvc.exe" OR process.parent_process_name == "msseces.exe") AND process.command_line LIKE '%cmsd%'

Scenario: Software Update or Patch Deployment
Description: A patch or update process from a legitimate vendor (e.g., Microsoft, VMware) interacts with the cmsd file during deployment.
Filter/Exclusion: (process.parent_process_name == "msiexec.exe" OR process.parent_process_name == "setup.exe") AND process.command_line LIKE '%cmsd%'

Scenario: Network Configuration Tool Usage
Description: A network configuration tool (e.g., netsh, ipconfig, or third-party network management software) accesses the cmsd file for configuration purposes.
Filter/Exclusion: process.parent_process_name == "netsh.exe" OR process
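The filters above are only safe with the parentheses in place. Written as A OR B OR C AND D, SQL and most query languages bind AND tighter than OR, so the LIKE '%cmsd%' clause guards only the last parent name and every other listed parent becomes an unconditional exclusion. The following added Python example (written for this page, not taken from any product or from the original rule) evaluates the first scenario's filter both ways over constructed process events and lists the events the unparenthesised form would silently drop. The event records, process names and command lines are made up for illustration; the LIKE clause is treated as a case-insensitive substring test, which is an assumption that depends on the engine and collation.

```python
# Constructed process events for illustration (not real telemetry).
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "cmdline": r"C:\Windows\System32\notepad.exe"},
    {"id": 2, "parent": "cmd.exe", "cmdline": r"findstr /i cmsd C:\logs\av-scan.txt"},
    {"id": 3, "parent": "taskmgr.exe", "cmdline": r"C:\Tools\unknown.exe"},
    {"id": 4, "parent": "cmd.exe", "cmdline": r"C:\Tools\unknown.exe"},
]

WHITELISTED_PARENTS = {"explorer.exe", "taskmgr.exe", "cmd.exe"}


def mentions_cmsd(event):
    # LIKE '%cmsd%' modelled as a case-insensitive substring test (assumption:
    # real behaviour depends on the query engine and its collation settings).
    return "cmsd" in event["cmdline"].lower()


def excluded_as_written(event):
    # A OR B OR C AND D parses as A OR B OR (C AND D): only cmd.exe children
    # are required to mention cmsd; explorer.exe and taskmgr.exe children are
    # excluded outright.
    return (event["parent"] == "explorer.exe"
            or event["parent"] == "taskmgr.exe"
            or (event["parent"] == "cmd.exe" and mentions_cmsd(event)))


def excluded_intended(event):
    # (A OR B OR C) AND D: every whitelisted parent still needs the cmsd clause.
    return event["parent"] in WHITELISTED_PARENTS and mentions_cmsd(event)


def silently_dropped(events):
    """IDs of events the unparenthesised filter suppresses although they never
    reference cmsd: these are blind spots the exclusion creates, not true positives."""
    return [e["id"] for e in events
            if excluded_as_written(e) and not excluded_intended(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], e["parent"], "written:", excluded_as_written(e),
              "intended:", excluded_intended(e))
    print("silently dropped:", silently_dropped(EVENTS))
```

Run the same check against each exclusion before shipping it: any event that is excluded as written but not excluded as intended is an alert the tuning would hide from the analyst.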