The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term adversary access and mitigate advanced threat capabilities.
YARA Rule
rule EquationGroup_cursezinger_linuxrh7_3_v_2_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "af7c7d03f59460fa60c48764201e18f3bd3f72441fd2e2ff6a562291134d2135"
    strings:
        $s1 = ",%02d%03d" fullword ascii
        $s2 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
        $s3 = "__strtoll_internal" fullword ascii
        $s4 = "__strtoul_internal" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 400KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
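As an added illustration (not part of the original rule or the author's tooling), the following pure-Python evaluator re-implements this rule's condition, including YARA's fullword boundary semantics, so a reader can see exactly what the ELF magic check, the 400KB size bound and "all of them" require. It uses no yara library; the sample buffers are constructed for the demonstration and are not bytes from the referenced sample.

```python
import re

# The four string patterns from the rule above, all declared "fullword ascii".
RULE_STRINGS = {
    "$s1": b",%02d%03d",
    "$s2": b"[%.2u%.2u%.2u%.2u%.2u%.2u]",
    "$s3": b"__strtoll_internal",
    "$s4": b"__strtoul_internal",
}
MAX_FILESIZE = 400 * 1024  # YARA's "400KB" means 400 * 1024 bytes
ELF_MAGIC = 0x457F         # uint16(0) is little-endian: bytes 0x7f 'E'


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword' for ascii strings: the match may not be bordered by an
    alphanumeric byte on either side ('__strtoll_internalX' does not satisfy $s3)."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and report which sub-conditions held."""
    elf_magic = len(data) >= 2 and int.from_bytes(data[:2], "little") == ELF_MAGIC
    size_ok = len(data) < MAX_FILESIZE
    hits = {name: fullword_match(data, pat) for name, pat in RULE_STRINGS.items()}
    return {"elf_magic": elf_magic, "filesize_ok": size_ok, "strings": hits,
            "match": elf_magic and size_ok and all(hits.values())}


# Constructed sample buffers (not real samples): a minimal ELF identification
# header followed by the four strings as NUL-terminated entries.
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_MATCH = ELF_HEADER + b"\x00".join(RULE_STRINGS.values()) + b"\x00"
# Same content, but $s3 gains an alphanumeric suffix, so its fullword match fails.
SAMPLE_NOT_FULLWORD = SAMPLE_MATCH.replace(b"__strtoll_internal\x00", b"__strtoll_internalX\x00")
# Same strings behind a PE-style header: uint16(0) is 0x5a4d, not 0x457f.
SAMPLE_NOT_ELF = b"MZ" + b"\x00" * 14 + b"\x00".join(RULE_STRINGS.values()) + b"\x00"

if __name__ == "__main__":
    for label, buf in [("elf + all strings", SAMPLE_MATCH),
                       ("elf, $s3 not fullword", SAMPLE_NOT_FULLWORD),
                       ("pe header", SAMPLE_NOT_ELF)]:
        print(f"{label:24s} match={evaluate_rule(buf)['match']}")
```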
Scenario: Legitimate use of msiexec.exe for software deployment
Description: A system administrator uses msiexec.exe to deploy a legitimate software update or application.
Filter/Exclusion: Exclude processes where msiexec.exe is invoked with a valid MSI package path and the package is signed by a trusted publisher.
Scenario: Scheduled job running regsvr32.exe to register a COM component
Description: A scheduled task runs regsvr32.exe to register a COM DLL as part of a regular maintenance routine.
Filter/Exclusion: Exclude processes where regsvr32.exe is executed with a known COM DLL path and is part of a scheduled task with a valid name.
Scenario: Admin using certutil.exe to import a trusted certificate
Description: An administrator uses certutil.exe to import a trusted certificate into the local machine’s certificate store.
Filter/Exclusion: Exclude processes where certutil.exe is used with a certificate file that chains to a trusted root CA and the import is part of a documented certificate management process.
Scenario: System update using dism.exe to apply Windows updates
Description: A system update process uses dism.exe to apply Windows updates or feature packs.
Filter/Exclusion: Exclude processes where dism.exe is executed with a valid update package path and is initiated by a known Windows update mechanism (e.g., via Windows Update or Group Policy).
Scenario: Use of icacls.exe for file permission management
Description: An administrator uses icacls.exe to modify file or folder permissions as part of routine access control configuration.
Filter/Exclusion: Exclude processes where icacls.exe is used with valid file paths and user/group permissions that