The Equation Group hack tool set is likely used by advanced adversaries to establish persistence and exfiltrate data within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate the risk of data theft or lateral movement.
YARA Rule
rule EquationGroup_curseroot_win2k_v_2_1_0 {
meta:
description = "Equation Group hack tool set"
author = "Florian Roth"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-09"
hash1 = "a1637948ed6ebbd2e582eb99df0c06b27a77c01ad1779b3d84c65953ca2cb603"
strings:
$s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" fullword ascii
$op0 = { c7 44 24 04 ff ff ff ff 89 04 24 e8 46 65 01 00 } /* Opcode */
$op1 = { 8d 5d 88 89 1c 24 e8 24 1b 01 00 be ff ff ff ff } /* Opcode */
$op2 = { d3 e0 48 e9 0c ff ff ff 8b 45 } /* Opcode */
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and $s1 and 2 of ($op*) )
}This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance job that uses the Equation Group tool (e.g., eqgrp.exe) to clean up temporary files or perform disk defragmentation.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known maintenance scripts or by the local system account.
Scenario: Security Software Update
Description: A security tool or endpoint protection software (e.g., Microsoft Defender, CrowdStrike) is using a tool with a similar name to the Equation Group tool as part of an update or integrity check.
Filter/Exclusion: Exclude processes from known security vendors or those running under the Windows Defender or Microsoft Antimalware service.
Scenario: Network Monitoring Tool Usage
Description: A network monitoring or packet capture tool (e.g., Wireshark, tcpdump) is using a tool with a similar name to the Equation Group tool for packet analysis or logging.
Filter/Exclusion: Exclude processes associated with network analysis tools or running under the NetworkService account.
Scenario: Legacy Software Compatibility Check
Description: A legacy application or compatibility tool is using a tool with a similar name to the Equation Group tool to check for system compatibility or run diagnostics.
Filter/Exclusion: Exclude processes from known legacy software vendors or those running under a non-administrative user account.
Scenario: Custom Script or Automation Tool
Description: A custom script or automation tool (e.g., PowerShell, Python) is using a tool with a similar name to the Equation Group tool for system configuration or deployment.
Filter/Exclusion: Exclude processes initiated by user scripts or those running under a non-administrative user account with no known malicious intent.