The Equation Group hack tool set is likely used by advanced adversaries to establish persistent access and exfiltrate data within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate data theft risks.
YARA Rule
rule EquationGroup_cursesleepy_mswin32_v_1_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "6293439b4b49e94f923c76e302f5fc437023c91e063e67877d22333f05a24352"
    strings:
        $s1 = "A}%j,R" fullword ascii
        $op1 = { a1 e0 43 41 00 8b 0d 34 44 41 00 6b c0 } /* Opcode */
        $op2 = { 33 C0 F3 A6 74 14 8B 5D 08 8B 4B 34 50 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
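To show how the condition above is evaluated, here is an added example (not part of the rule or its author's tooling) that re-implements this rule's three strings and its condition in plain Python, so the MZ-header check, the 200KB size limit, the "fullword" semantics of $s1 and the "2 of them" threshold can be seen on a constructed in-memory sample; a real deployment would compile the rule with yara-python instead.

```python
import re
import sys

# Patterns transcribed from the rule above (the hex patterns contain no wildcards)
RULE_NAME = "EquationGroup_cursesleepy_mswin32_v_1_0_0"
S1 = b"A}%j,R"
OP1 = bytes.fromhex("a1e04341008b0d344441006bc0")
OP2 = bytes.fromhex("33c0f3a674148b5d088b4b3450")
MAX_FILESIZE = 200 * 1024  # YARA's "200KB" (KB = 1024 bytes)


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'fullword': the match must not touch an alphanumeric byte on either side."""
    for m in re.finditer(re.escape(needle), data):
        before = data[m.start() - 1:m.start()]  # empty slice at offset 0
        after = data[m.end():m.end() + 1]        # empty slice at end of buffer
        if not before.isalnum() and not after.isalnum():
            return True
    return False


def evaluate(data: bytes):
    """Return (rule_matched, per-string results) for one in-memory buffer."""
    matched = {
        "$s1": fullword_ascii(data, S1),
        "$op1": OP1 in data,
        "$op2": OP2 in data,
    }
    # uint16(0) == 0x5a4d reads little-endian, i.e. the bytes "MZ" at offset 0
    is_mz = len(data) >= 2 and data[0] == 0x4D and data[1] == 0x5A
    hit = is_mz and len(data) < MAX_FILESIZE and sum(matched.values()) >= 2
    return hit, matched


def scan_file(path: str):
    """Apply the rule logic to a file on disk."""
    with open(path, "rb") as fh:
        return evaluate(fh.read())


if __name__ == "__main__":
    # Constructed demo buffer: MZ header, padding, then both opcode sequences
    demo = b"MZ" + b"\x00" * 64 + OP1 + b"\x00" * 8 + OP2
    hit, matched = evaluate(demo)
    print(RULE_NAME, "matched" if hit else "no match", matched)
    for p in sys.argv[1:]:
        hit, matched = scan_file(p)
        print(p, "matched" if hit else "no match", matched)
```

This reproduces only the file-content condition; the process-level exclusions listed below still have to be expressed in the SIEM query that consumes the scan results.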
Scenario: Legitimate scheduled job using msiexec.exe for software deployment
Filter/Exclusion: Check the command line arguments for msiexec.exe and exclude any that match known legitimate deployment packages (e.g., msiexec /i "C:\temp\software.msi").
Scenario: System update using wuauclt.exe (Windows Update Agent)
Filter/Exclusion: Exclude processes initiated by wuauclt.exe with command lines related to Windows Update, such as wuauclt.exe /detectnow.
Scenario: Admin task using taskhost.exe to run a PowerShell script for system maintenance
Filter/Exclusion: Filter out processes where taskhost.exe is running scripts from trusted locations like C:\Windows\System32\ or user-specific admin scripts.
Scenario: Malware analysis tool using Equation Group tools for testing
Filter/Exclusion: Exclude processes running within a sandboxed or isolated environment (e.g., C:\Sandbox\ or with a specific user context like NT AUTHORITY\SYSTEM).
Scenario: Legitimate use of regsvr32.exe to register a COM component
Filter/Exclusion: Exclude processes where regsvr32.exe is used to register a COM DLL from a known trusted location (e.g., C:\Program Files\ or C:\Windows\System32\).