The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or covert data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term adversary presence and mitigate advanced threats before they escalate.
YARA Rule
rule EquationGroup_cursehelper_win2k_i686_v_2_2_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "5ac6fde8a06f4ade10d672e60e92ffbf78c4e8db6b5152e23171f6f53af0bfe1"
    strings:
        $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/{}" fullword ascii
        $op1 = { 8d b5 48 ff ff ff 89 34 24 e8 56 2a 00 00 c7 44 } /* Opcode */
        $op2 = { e9 a2 f2 ff ff ff 85 b4 fe ff ff 8b 95 a8 fe ff } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
}
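To show how the condition above is evaluated clause by clause (MZ magic, size bound, the fullword ASCII string, both opcode patterns), here is an added Python re-implementation that is neither YARA nor the rule author's code. The buffers it scans are constructed here, and has_fullword, rule_matches and build_sample are names chosen for this example.

```python
# Constructed re-implementation of this rule's condition (not YARA itself).
MZ_MAGIC = 0x5A4D               # uint16(0) == 0x5a4d: little-endian "MZ"
MAX_SIZE = 500 * 1024           # YARA's 500KB means 500 * 1024 bytes
S1 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/{}"
OP1 = bytes.fromhex("8db548ffffff893424e8562a0000c744")
OP2 = bytes.fromhex("e9a2f2ffffff85b4feffff8b95a8feff")


def has_fullword(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only when the byte on either
    side is absent or non-alphanumeric, so the base64 alphabet embedded in
    a longer identifier does not satisfy $s1."""
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(pattern):i + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1


def rule_matches(data: bytes) -> dict:
    """Evaluate each clause separately, then the overall verdict, so an
    analyst can see which clause kept a sample from matching."""
    checks = {
        "mz_header": len(data) >= 2
        and int.from_bytes(data[:2], "little") == MZ_MAGIC,
        "filesize_lt_500kb": len(data) < MAX_SIZE,
        "s1_fullword": has_fullword(data, S1),
        "op1": OP1 in data,
        "op2": OP2 in data,
    }
    checks["match"] = all(checks.values())
    return checks


def build_sample(mz: bool = True, fullword: bool = True, size: int = 0) -> bytes:
    """Constructed test buffer: fake MZ header, the rule's strings, and
    optional zero padding up to `size` bytes."""
    header = b"MZ" if mz else b"PE"
    border = b"\x00" if fullword else b"A"     # "A" violates fullword
    body = header + b"\x00" * 62 + border + S1 + border + OP1 + b"\x90" * 8 + OP2
    return body + b"\x00" * max(0, size - len(body))
```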
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate use of msiexec.exe for installing enterprise software
Filter/Exclusion: Check the command line arguments for known legitimate package installers (e.g., msiexec /i "software.msi"), and exclude processes with valid digital signatures from trusted vendors.
Scenario: Scheduled job running reg.exe to modify registry settings for system configuration
Filter/Exclusion: Exclude processes running under a known system account (e.g., SYSTEM) or with a command line that includes valid registry paths (e.g., reg add HKLM\Software\...).
Scenario: Admin task using certutil.exe to import a trusted root certificate
Filter/Exclusion: Exclude processes where certutil.exe is used with valid certificate paths and signed by a trusted CA, and where the user is a domain admin with elevated privileges.
Scenario: Use of powershell.exe for routine system monitoring or log analysis
Filter/Exclusion: Exclude processes where PowerShell scripts are executed from known enterprise monitoring tools (e.g., PowerShell.exe -File "C:\Tools\Monitor.ps1") and where the script is signed by a trusted enterprise certificate.
Scenario: Deployment of a legitimate security tool using msiexec.exe or setup.exe
Filter/Exclusion: Exclude processes where the installer is from a known security vendor (e.g., Symantec, McAfee, Kaspersky) and the command line matches known deployment scripts.