The cryptTool file detected by the rule is associated with the Equation Group and may indicate the presence of advanced persistent threat activity leveraging stolen hacking tools. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify potential exploitation of leaked tools by adversaries with access to sophisticated malware capabilities.
YARA Rule
rule EquationGroup_cryptTool {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file cryptTool"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "96947ad30a2ab15ca5ef53ba8969b9d9a89c48a403e8b22dd5698145ac6695d2"
    strings:
        $s1 = "The encryption key is " fullword ascii
        $s2 = "___tempFile2.out" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and all of them )
}
This rule contains 2 string patterns in its detection logic; both must be present (all of them), and the condition additionally requires the ELF magic at offset 0 (uint16(0) == 0x457f) and a file size below 200KB. The scenarios below describe contexts in which the rule can be deployed and legitimate activity that may need to be excluded:
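To make the condition concrete, the following added example (not part of the original rule or the Neo23x0 signature set) re-implements the rule's logic in plain Python and runs it against constructed, non-malicious byte buffers. The two-byte magic check reads little-endian, so the ELF prefix b"\x7fELF" becomes 0x457f, and fullword follows YARA's rule that a match may not be adjacent to alphanumeric characters.

```python
import re
import struct

# Constructed test vectors only; none of these is the real cryptTool binary.
SAMPLE_MATCH = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9      # ELF e_ident bytes
    + b"\x00" * 48                            # padding standing in for the rest of the header
    + b"The encryption key is \x00"           # $s1, NUL-terminated like a C string
    + b"___tempFile2.out\x00"                 # $s2
)
SAMPLE_PE = b"MZ\x90\x00" + SAMPLE_MATCH[4:]   # same strings, but a PE-style magic
SAMPLE_ONE = SAMPLE_MATCH.replace(b"___tempFile2.out", b"other.out")  # only $s1 present

STRINGS = [b"The encryption key is ", b"___tempFile2.out"]


def uint16(data: bytes, offset: int) -> int:
    """YARA's uint16(offset): an unsigned little-endian 16-bit read."""
    return struct.unpack_from("<H", data, offset)[0]


def fullword_ascii(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword' semantics: the match must not be preceded or followed by [A-Za-z0-9]."""
    rx = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(rx, data) is not None


def matches_rule(data: bytes) -> bool:
    """Mirror of the EquationGroup_cryptTool condition."""
    return (
        len(data) >= 2
        and uint16(data, 0) == 0x457F         # b"\x7fELF": 0x7f | (ord("E") << 8)
        and len(data) < 200 * 1024            # filesize < 200KB (YARA's KB is 1024 bytes)
        and all(fullword_ascii(data, s) for s in STRINGS)
    )


if __name__ == "__main__":
    for name, buf in [("ELF+both strings", SAMPLE_MATCH), ("PE magic", SAMPLE_PE),
                      ("one string", SAMPLE_ONE)]:
        print(f"{name}: {matches_rule(buf)}")
```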
Scenario: Legitimate Use of cryptTool by Security Team
Description: A security analyst is using the cryptTool to analyze encrypted files as part of a malware analysis or incident response.
Filter/Exclusion: process.name contains "cryptTool" AND (user.name is a known security team member OR process.parent.name is a trusted analysis tool (e.g., idaq.exe, wireshark.exe))
Scenario: Scheduled Job for Data Encryption
Description: A scheduled job runs a script that uses cryptTool to encrypt sensitive data at rest using a company-approved encryption protocol.
Filter/Exclusion: process.name contains "cryptTool" AND (process.command_line contains "encrypt" OR process.parent.name is a known job scheduler (e.g., schtasks.exe, task scheduler))
Scenario: System File Integrity Check Using cryptTool
Description: A system administrator is running a script that uses cryptTool to verify the integrity of system files using cryptographic hashes.
Filter/Exclusion: process.name contains "cryptTool" AND (process.command_line contains "verify" OR process.parent.name is a known integrity check tool (e.g., sysinternals.exe, Process Monitor))
Scenario: Backup Process Encrypting Data
Description: A backup process uses cryptTool to encrypt backup files before storing them on a secure storage device.
Filter/Exclusion: process.name contains "cryptTool" AND (process.command_line contains "backup" OR process.parent.name is a known backup tool (e.g., Veeam.exe, Acronis.exe))
Scenario: Admin Task for Secure Communication
Description: An administrator is using