Equation Group hack tool set

Hunt Hypothesis

The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced threats that may evade traditional detection methods.

YARA Rule

rule EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "aff27115ac705859871ab1bf14137322d1722f63705d6aeada43d18966843225"
      hash2 = "7a25e26950bac51ca8d37cec945eb9c38a55fa9a53bc96da53b74378fb10b67e"
   strings:
      $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" fullword ascii
      $s3 = ",%02d%03d" fullword ascii
      $s4 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii

      $op1 = { 7d ec 8d 74 3f 01 0f af f7 c1 c6 05 } /* Opcode */
      $op2 = { 29 f1 89 fb d3 eb 89 f1 d3 e7 } /* Opcode */
      $op3 = { 7d e4 8d 5c 3f 01 0f af df c1 c3 05 } /* Opcode */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 6 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Legitimate System Maintenance Task
  Description: A system administrator is running a scheduled maintenance job that uses the Equation Group tool (e.g., eqg.exe) for disk cleanup or log rotation.
  Filter/Exclusion: Check for presence of admin credentials in process owner, or use a filter like:

  process.parent_process_name != "schtasks.exe" OR process.user != "Administrator"

• Scenario: Scheduled Job for Security Tool Integration
  Description: A security tool (e.g., SIEM or EDR) is scheduled to run a script that uses the Equation Group tool for data collection or integration.
  Filter/Exclusion: Filter by process name or use a whitelist of known security tool processes:

  process.name != "eqg.exe" OR process.parent_process_name IN ("siemtool.exe", "edragent.exe")

• Scenario: Legitimate Software Update Process
  Description: A software update package includes the Equation Group tool as part of a legitimate update or patching process.
  Filter/Exclusion: Check for presence of known update services or use a filter like:

  process.parent_process_name IN ("wuauclt.exe", "msiexec.exe") OR process.user IN ("LocalSystem", "UpdateService")

• Scenario: Internal Red Team Exercise
  Description: A red team or security team is conducting a controlled exercise using the Equation Group tool to simulate an attack.
  Filter/Exclusion: Filter by user or IP source:

  process.user != "RedTeamUser" OR source_ip NOT IN ("10.0.0.100", "10.0.0.101