The Equation Group hack tool set is likely used by advanced adversaries to establish persistent access and exfiltrate data through compromised Azure environments. SOC teams should proactively hunt for this behavior to identify and mitigate potential long-term threats and data breaches.
YARA Rule
rule EquationGroup_curseflower_mswin32_v_1_0_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "fdc452629ff7befe02adea3a135c3744d8585af890a4301b2a10a817e48c5cbf"
   strings:
      $s1 = "<pVt,<et(<st$<ct$<nt" fullword ascii
      $op1 = { 6a 04 83 c0 08 6a 01 50 e8 10 34 00 00 83 c4 10 } /* Opcode */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: one ASCII string ($s1, matched as a full word) and one opcode byte sequence ($op1). The condition requires both of them to be present, and additionally checks for an MZ header at offset 0 (uint16(0) == 0x5a4d) and a file size under 300KB, so a match needs all four clauses to hold.
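To make each clause of the condition visible (the MZ check, the size cap, YARA's fullword semantics for $s1, and the raw opcode bytes of $op1), here is an added Python re-implementation of the rule's condition evaluated over constructed sample buffers. It is example code written for this page, not part of the rule above and not a replacement for the YARA engine; the sample buffers are synthetic, not real files.

```python
# Added example: re-implements the condition of EquationGroup_curseflower_mswin32_v_1_0_0
# in plain Python so each clause can be inspected. Not the YARA engine; scan with yara in practice.
S1 = b"<pVt,<et(<st$<ct$<nt"                              # $s1, fullword ascii
OP1 = bytes.fromhex("6a0483c0086a0150e81034000083c410")  # $op1 opcode bytes
MAX_SIZE = 300 * 1024                                      # YARA's 300KB = 300 * 1024 bytes


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the needle must not be adjacent to alphanumeric bytes."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        end = idx + len(needle)
        before_ok = idx == 0 or not bytes([data[idx - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            return True
        start = idx + 1  # a glued occurrence does not count; keep looking
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition and the overall verdict."""
    clauses = {
        # uint16(0) == 0x5a4d: little-endian read of the first two bytes ("MZ")
        "mz_header": len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D,
        "size_ok": len(data) < MAX_SIZE,
        "s1": fullword_match(data, S1),
        "op1": OP1 in data,  # hex strings carry no fullword modifier
    }
    clauses["match"] = all(clauses.values())
    return clauses


# Constructed fixtures (synthetic buffers, not real samples).
_HDR = b"MZ" + b"\x00" * 62
SAMPLE_HIT = _HDR + b"\x00" + S1 + b"\x00" + b"\x90" * 8 + OP1 + b"\xcc" * 16
SAMPLE_GLUED = _HDR + b"x" + S1 + b"1" + OP1                 # $s1 fails fullword
SAMPLE_NOT_PE = b"\x7fELF\x00" + S1 + b"\x00" + OP1          # same strings, wrong header
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_SIZE             # same strings, over the size cap

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("glued", SAMPLE_GLUED),
                      ("not_pe", SAMPLE_NOT_PE), ("too_big", SAMPLE_TOO_BIG)]:
        print(f"{name:8} {evaluate(buf)}")
```

The "glued" buffer is the case worth noticing: the bytes of $s1 are present, but because they sit between alphanumeric characters the fullword modifier suppresses the hit, which is why a grep for the string can disagree with the rule.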
Scenario: Legitimate use of msiexec.exe for software deployment
Description: A system administrator uses msiexec.exe to deploy a legitimate software update or application.
Filter/Exclusion: Check the command line arguments for known deployment packages (e.g., msiexec /i "C:\temp\update.msi"), and exclude processes initiated by a trusted user or from a known deployment share.
Scenario: Scheduled job running reg.exe to modify registry settings
Description: A scheduled task uses reg.exe to update registry keys as part of a routine configuration change or patching process.
Filter/Exclusion: Filter processes initiated by the System or a trusted service account, and exclude modifications to known legitimate registry keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
Scenario: Use of certutil.exe to import a trusted certificate
Description: An IT administrator uses certutil.exe to import a trusted certificate into the local machine’s certificate store.
Filter/Exclusion: Exclude processes where the certificate file is located in a known trusted directory (e.g., C:\Program Files\MyCert.pfx) and where the user is a domain admin.
Scenario: PowerShell script using certutil.exe for certificate management
Description: A PowerShell script runs certutil.exe to manage certificates as part of a script-based deployment or configuration task.
Filter/Exclusion: Exclude processes initiated by a trusted script or user, and filter for known script paths (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Use of msiexec.exe for installing a legitimate enterprise application
Description: A user or admin installs a company