This detection identifies potential use of cmsex, an Equation Group hack tool, which may indicate adversary use of leaked advanced persistent threat capabilities. SOC teams should proactively hunt for this behavior to identify and mitigate potential advanced persistent threat activity in their Azure Sentinel environment.
YARA Rule
rule EquationGroup_cmsex {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810"
   strings:
      $x1 = "Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) " fullword ascii
      $x2 = "-i target ip address / hostname " fullword ascii
      $x3 = "Note: Choosing the correct target type is a bit of guesswork." fullword ascii
      $x4 = "Solaris rpc.cmsd remote root exploit" fullword ascii
      $x5 = "If one choice fails, you may want to try another." fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 50KB and 1 of ($x*) ) or ( 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns ($x1 to $x5) in its detection logic, each declared fullword ascii, so a string only counts when it appears as ASCII text bounded by non-alphanumeric bytes. The condition fires on either of two branches: the file starts with the ELF magic (uint16(0) == 0x457f is the little-endian read of the bytes 7f 45, the start of \x7fELF), is smaller than 50KB and contains at least one of the strings; or any two of the strings appear, regardless of file type or size.
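As an added illustration, not part of the original rule or its author's tooling, the following Python re-implements the rule's condition over constructed byte buffers so that the little-endian ELF check, the fullword string semantics and the two branches of the condition can be observed without a YARA engine. The sample buffers, build_sample and all function names are assumptions made for this example.

```python
import re
import struct

# The five strings from the rule above (all ascii, fullword), keyed by their $x names.
RULE_STRINGS = {
    "x1": b"Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) ",
    "x2": b"-i target ip address / hostname ",
    "x3": b"Note: Choosing the correct target type is a bit of guesswork.",
    "x4": b"Solaris rpc.cmsd remote root exploit",
    "x5": b"If one choice fails, you may want to try another.",
}
MAX_SIZE = 50 * 1024  # the rule's "filesize < 50KB"

def header_uint16(data: bytes) -> int:
    """YARA's uint16(0): the first two bytes read as a little-endian integer."""
    return struct.unpack_from("<H", data, 0)[0]

def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the hit must not be preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None

def matched_strings(data: bytes) -> set:
    return {name for name, s in RULE_STRINGS.items() if fullword_match(data, s)}

def evaluate_rule(data: bytes) -> bool:
    """Mirror of: ( uint16(0) == 0x457f and filesize < 50KB and 1 of ($x*) ) or ( 2 of them )."""
    if len(data) < 2:
        return False
    is_elf = header_uint16(data) == 0x457F  # bytes 7f 45, i.e. the start of b"\x7fELF"
    hits = matched_strings(data)
    return (is_elf and len(data) < MAX_SIZE and len(hits) >= 1) or len(hits) >= 2

def build_sample(magic: bytes, strings: list) -> bytes:
    """Constructed test input (not a real binary): header, padding, NUL-separated strings."""
    return magic + b"\x00" * 14 + b"\x00".join(strings) + b"\x00"

# Constructed samples covering each clause: ELF header with one string (first branch),
# non-ELF with two strings (second branch), a string embedded in a longer word (fullword
# fails) and an ELF buffer padded past 50KB with only one string (size clause fails).
ELF_ONE_STRING = build_sample(b"\x7fELF", [RULE_STRINGS["x4"]])
NON_ELF_TWO_STRINGS = build_sample(b"MZ", [RULE_STRINGS["x3"], RULE_STRINGS["x5"]])
NON_ELF_PARTIAL_WORD = build_sample(b"MZ", [b"Solaris rpc.cmsd remote root exploitation"])
LARGE_ELF_ONE_STRING = ELF_ONE_STRING + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for name in ("ELF_ONE_STRING", "NON_ELF_TWO_STRINGS", "NON_ELF_PARTIAL_WORD", "LARGE_ELF_ONE_STRING"):
        buf = globals()[name]
        print(f"{name}: match={evaluate_rule(buf)} strings={sorted(matched_strings(buf))}")
```

Running it shows that a non-ELF file with two of the strings still fires, while an oversized ELF with a single string does not, which is worth knowing when tuning the exclusions listed below.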
Scenario: Legitimate System File Access
Description: A system administrator or user accesses the cmsex file as part of a routine system maintenance or troubleshooting task.
Filter/Exclusion: Exclude processes where the file path contains C:\Windows\System32\cmsex or where the process is associated with svchost.exe or explorer.exe.
Scenario: Scheduled Job Execution
Description: A scheduled task or job (e.g., using schtasks.exe) runs a script or executable that interacts with the cmsex file as part of a legitimate automation process.
Filter/Exclusion: Exclude events where the process is initiated by schtasks.exe or where the command line includes --scheduled-job or similar flags.
Scenario: Software Update or Patch Deployment
Description: A patch or update from a legitimate vendor (e.g., Microsoft, Adobe) includes a file named cmsex as part of a software update or configuration package.
Filter/Exclusion: Exclude processes where the file is located in a known update directory (e.g., C:\Windows\Temp\ or C:\Program Files\Microsoft\) or where the process is initiated by msiexec.exe.
Scenario: File Integrity Monitoring Tool
Description: A file integrity monitoring (FIM) tool or endpoint detection and response (EDR) system checks the cmsex file as part of its baseline configuration.
Filter/Exclusion: Exclude events where the process is associated with a known FIM/EDR tool (e.g., Microsoft Monitoring Agent, Sysmon, or CrowdStrike).
Scenario: Malware Analysis or Forensic Investigation
Description: A security analyst or malware researcher is analyzing the cmsex file as part of