The Equation Group hack tool set is associated with advanced persistent threat activity. A file that matches this rule on a production host means a known, sophisticated toolset is present and should be treated as a possible long-term compromise until shown otherwise. SOC teams should hunt for it proactively, for example by feeding YARA scan results into Microsoft Sentinel (formerly Azure Sentinel), so that a match is investigated rather than left as an unreviewed alert.
YARA Rule
rule EquationGroup_curseyo_win2k_v_1_0_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "5dc77614764b23a38610fdd8abe5b2274222f206889e4b0974a3fea569055ed6"
   strings:
      $s1 = "0123456789abcdefABCEDF:" fullword ascii
      $op0 = { c6 06 5b 8b bd 70 ff ff ff 8b 9d 64 ff ff ff 0f } /* Opcode */
      $op1 = { 55 b8 ff ff ff ff 89 e5 83 ec 28 89 7d fc 8b 7d } /* Opcode */
      $op2 = { ff 05 10 64 41 00 89 34 24 e8 df 1e 00 00 e9 31 } /* Opcode */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
This is a file-content signature, not a process or network rule. It fires only on a file that begins with the MZ header (uint16(0) == 0x5a4d, read little-endian), is smaller than 200 KB, and contains all four patterns: the ASCII string $s1 (with the fullword modifier, so it must not be bordered by alphanumeric characters) and the three 16-byte opcode sequences $op0, $op1 and $op2, joined by "all of them". It can be deployed wherever files are scanned with YARA: endpoint and server scanners, file and mail gateways, sandboxes, forensic triage of images and evidence shares, and scheduled scans of file servers. A hit names a file (path and hash); that is the object any exclusion must be keyed on.
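To make the condition concrete, the following is a pure-Python walk-through of the rule's logic run over constructed byte buffers. It is an added example, not code from the page or from the rule's author: it copies the four patterns from the rule and reimplements the header, size and fullword checks without the yara library, and every input buffer is constructed test data rather than a real sample.

```python
"""Pure-Python walk-through of EquationGroup_curseyo_win2k_v_1_0_0.

Added example (not the rule author's code): reproduces the rule's four strings
and its header/size/fullword conditions so the logic can be exercised offline,
without yara-python. All input buffers below are constructed test data.
"""
from __future__ import annotations

# Patterns copied from the rule. $s1 is an ASCII string with the 'fullword'
# modifier; the $op* entries are plain hex byte sequences (no wildcards).
RULE_STRINGS: dict[str, bytes] = {
    "$s1": b"0123456789abcdefABCEDF:",
    "$op0": bytes.fromhex("c6 06 5b 8b bd 70 ff ff ff 8b 9d 64 ff ff ff 0f"),
    "$op1": bytes.fromhex("55 b8 ff ff ff ff 89 e5 83 ec 28 89 7d fc 8b 7d"),
    "$op2": bytes.fromhex("ff 05 10 64 41 00 89 34 24 e8 df 1e 00 00 e9 31"),
}
MAX_SIZE = 200 * 1024   # YARA's 200KB: the KB suffix means 1024 bytes
MZ_LE = 0x5A4D          # uint16(0) is read little-endian, so "MZ" == 0x5a4d

ALNUM = frozenset(b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': some occurrence must not be bordered by alphanumerics."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = start == 0 or data[start - 1] not in ALNUM
        after_ok = end == len(data) or data[end] not in ALNUM
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate every clause of the condition and the overall verdict."""
    strings = {
        name: fullword_match(data, pat) if name == "$s1" else pat in data
        for name, pat in RULE_STRINGS.items()
    }
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_LE
    size_ok = len(data) < MAX_SIZE
    return {
        "strings": strings,
        "uint16(0) == 0x5a4d": is_mz,
        "filesize < 200KB": size_ok,
        "match": is_mz and size_ok and all(strings.values()),  # 'all of them'
    }


def build_sample(include: set[str], *, mz: bool = True, pad_to: int = 4096,
                 sep: bytes = b"\x00") -> bytes:
    """Constructed buffer: optional 'MZ' header, filler, then each chosen pattern
    wrapped in `sep`. Not a valid PE and not malware; just bytes the rule reads."""
    body = bytearray(b"MZ" if mz else b"\x00\x00")
    body += b"\x00" * 62
    for name in sorted(include):            # $op0, $op1, $op2, then $s1
        body += sep + RULE_STRINGS[name] + sep
    body += b"\x00" * max(0, pad_to - len(body))
    return bytes(body)


ALL = {"$s1", "$op0", "$op1", "$op2"}
SAMPLES: dict[str, bytes] = {
    "all_patterns": build_sample(ALL),
    "missing_op2": build_sample(ALL - {"$op2"}),       # 'all of them' fails
    "not_pe": build_sample(ALL, mz=False),             # header check fails
    "too_large": build_sample(ALL, pad_to=MAX_SIZE),   # filesize == 200KB, not <
    "s1_glued": build_sample(ALL, sep=b"x"),           # $s1 bordered by alnum: no fullword hit
}


def scan_all() -> dict[str, bool]:
    """Verdict per constructed sample."""
    return {name: evaluate(data)["match"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = evaluate(data)
        print(f"{name:14} match={result['match']!s:5} strings={result['strings']}")
```

Only the buffer carrying all four patterns matches; dropping one opcode sequence, removing the MZ header, reaching exactly 200 KB, or gluing $s1 to alphanumeric bytes each defeats a different clause of the condition. This is why a real YARA hit on this rule is high confidence: partial overlap with unrelated software does not fire it.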
There is no legitimate maintenance, patching, log-analysis or data-migration use of this toolset, and it is not a component of any administrative product. A file that satisfies all four patterns is either the leaked tool or a deliberate copy of it. Because the rule inspects file content, filters on process.parent_process or process.command_line do not apply to it: tune on file hash and path, and treat a matching file as the object to investigate regardless of how or by whom it was launched. The expected sources of benign hits are the following.
Scenario: Malware Research Sample Store
Description: Analysts keep copies of the public Shadow Brokers dump, including the reference sample listed as hash1 in the rule, on a dedicated sample share or analysis VM. These hits are correct: the file is the real tool, but its presence there is expected.
Filter/Exclusion: Exclude a hit only when both its SHA-256 is in the malware team's sample catalogue and its path is under the documented sample-store root. A catalogued hash found anywhere else (a user profile, a temp directory, a server) is still a finding.
Scenario: Forensic Evidence and Disk Images
Description: Incident-response evidence shares, mounted disk images and files carved during an earlier investigation can contain the tool and will match when those locations are scanned.
Filter/Exclusion: Scope the exclusion to the evidence share path and the case it belongs to, and review hits there at low priority rather than suppressing them, since the same share may later receive a new, unrelated sample.
Scenario: Red-Team or Purple-Team Exercise
Description: An internal team stages real Equation Group samples from the public dump to verify that the rule fires end to end, from scanner to SIEM.
Filter/Exclusion: Apply a time-boxed exclusion keyed to the exercise's documented hosts and file hashes, and remove it when the exercise closes.
Scenario: Third-Party Tool for Data Migration
Description: A third-party data migration tool (e.g., `
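The exclusion logic for this rule reduces to two questions about the file a hit names: is the hash already catalogued, and is the path one where copies are allowed to live? The following triage helper, added here and not part of the page or the rule author's work, encodes that decision for a batch of hits. The sample-store roots, analyst accounts and hash catalogue are assumptions standing in for an organisation's own inventory, and the hit records are constructed; the only real value is hash1 from the rule's meta block.

```python
"""Triage of hits on EquationGroup_curseyo_win2k_v_1_0_0.

Added example, not from the page or the rule author. The rule matches file
content, so exclusions are keyed on file hash and path, never on parent process
or command line. The sample-store roots, analyst accounts and catalogue below
are assumptions standing in for an organisation's own inventory; the hit
records are constructed.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# hash1 from the rule's meta block: the catalogued reference sample.
RULE_HASH1 = "5dc77614764b23a38610fdd8abe5b2274222f206889e4b0974a3fea569055ed6"

# Assumed, organisation-specific inventory (hypothetical values).
SAMPLE_STORE_ROOTS = (r"D:\malware-samples", r"\\filesrv\ir\evidence")
CATALOGUED_HASHES = {RULE_HASH1}
ANALYST_ACCOUNTS = {r"corp\mal-analyst1", r"corp\ir-oncall"}


def under_root(path: str, root: str) -> bool:
    """True if `path` lies beneath `root`, comparing case-insensitively (NTFS)
    and refusing '..' components rather than trusting a raw prefix match."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if ".." in parts:
        return False
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return parts[: len(root_parts)] == root_parts


def triage(hit: dict) -> str:
    """'catalogued_sample', 'sample_store' (review at low priority) or 'escalate'."""
    sha = hit["sha256"].lower()
    owner = hit.get("owner", "").lower()
    in_store = any(under_root(hit["path"], r) for r in SAMPLE_STORE_ROOTS)
    if in_store and sha in CATALOGUED_HASHES:
        return "catalogued_sample"
    if in_store and owner in ANALYST_ACCOUNTS:
        return "sample_store"
    # Everything else, including the catalogued hash outside the store, is a finding.
    return "escalate"


# Constructed hit records, as a YARA scanner might export them.
HITS = [
    {"id": "h1", "path": r"D:\malware-samples\eqgrp\curseyo_win2k.bin",
     "sha256": RULE_HASH1, "owner": r"CORP\mal-analyst1"},
    {"id": "h2", "path": r"C:\Users\jdoe\Downloads\update.exe",
     "sha256": RULE_HASH1, "owner": r"CORP\jdoe"},
    {"id": "h3", "path": r"\\filesrv\ir\evidence\case-1234\dump.exe",
     "sha256": "aa" * 32, "owner": r"CORP\ir-oncall"},
    {"id": "h4", "path": r"D:\malware-samples\..\Users\jdoe\x.exe",
     "sha256": "bb" * 32, "owner": r"CORP\mal-analyst1"},
    {"id": "h5", "path": r"C:\Windows\Temp\svchost.exe",
     "sha256": "cc" * 32, "owner": r"NT AUTHORITY\SYSTEM"},
]


def triage_all() -> dict[str, str]:
    """Verdict per constructed hit."""
    return {h["id"]: triage(h) for h in HITS}


if __name__ == "__main__":
    for hit_id, verdict in triage_all().items():
        print(hit_id, verdict)
```

Note that h2 carries the exact reference hash yet escalates: a known-bad hash in a user's Downloads folder is the case the rule exists for, and a hash allowlist on its own would have suppressed it. The '..' check in under_root is there because a bare prefix comparison would accept a path that names the sample store and then climbs out of it.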