This rule detects DUL, one of the Equation Group tools published in the ShadowBrokers leak. Its first condition keys on the ELF magic, and the strings it looks for are the usage text of a shellcode encoder ("decoder+(encoded-decoder)+payload"), so a hit means a copy of that Linux/Unix tool, or a derivative carrying the same usage strings, is on disk. Because the tooling has been public since 2017, a match more often indicates an adversary reusing leaked capabilities than the original operators; SOC teams should hunt for it proactively as an early indicator of a targeted intrusion using known but, on that host, previously undetected tooling.
YARA Rule
rule EquationGroup_DUL {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
author = "Florian Roth"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e"
strings:
$x1 = "?Usage: %s <shellcode> <output_file>" fullword ascii
$x2 = "Here is the decoder+(encoded-decoder)+payload" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 80KB and 1 of them ) or ( all of them )
}
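As an added worked example (not part of the signature-base rule or of the original page), the following Python re-implements the rule's condition over constructed byte strings so that the two branches, the little-endian uint16 check and the fullword modifier can be seen firing and not firing; it also compares a file's SHA-256 with hash1 for the triage step. The sample blobs are synthetic, and the helper names (is_elf, rule_matches, triage) are this example's own, not YARA's API.

```python
import hashlib
import struct

# Strings and hash copied from the rule above; everything else is the
# example's own scaffolding.
KNOWN_HASH = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e"
STRINGS = {
    "x1": b"?Usage: %s <shellcode> <output_file>",
    "x2": b"Here is the decoder+(encoded-decoder)+payload",
}
MAX_SIZE = 80 * 1024  # YARA's "80KB"


def is_elf(data: bytes) -> bool:
    """uint16(0) == 0x457f: YARA reads integers little-endian, so this is the
    byte sequence 7f 45, i.e. the first two bytes of the ELF magic b'\\x7fELF'."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F


def _fullword_hit(data: bytes, needle: bytes) -> bool:
    """True if needle occurs with no alphanumeric byte directly before or after
    it, which is what YARA's `fullword` modifier requires."""
    start = 0
    while (i := data.find(needle, start)) >= 0:
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1
    return False


def matched_strings(data: bytes) -> list:
    return sorted(n for n, s in STRINGS.items() if _fullword_hit(data, s))


def rule_matches(data: bytes) -> bool:
    hits = matched_strings(data)
    # ( uint16(0) == 0x457f and filesize < 80KB and 1 of them )
    elf_branch = is_elf(data) and len(data) < MAX_SIZE and len(hits) >= 1
    # or ( all of them ): any size, any format
    headerless_branch = len(hits) == len(STRINGS)
    return elf_branch or headerless_branch


def triage(data: bytes) -> dict:
    """What an analyst wants next to the hit: which strings fired, whether the
    file is an ELF, and whether it is byte-identical to the rule's hash1 sample."""
    return {
        "match": rule_matches(data),
        "strings": matched_strings(data),
        "elf": is_elf(data),
        "known_sample": hashlib.sha256(data).hexdigest() == KNOWN_HASH,
    }


# Constructed samples (not real files): a minimal ELF magic is enough for the
# uint16 check; the rest is padding plus the rule's strings.
ELF_HEAD = b"\x7fELF" + b"\x00" * 60
SMALL_ELF_ONE_STRING = ELF_HEAD + b"\x00" + STRINGS["x1"] + b"\x00"              # branch 1
PE_BOTH_STRINGS = b"MZ" + b"\x00" * 62 + STRINGS["x1"] + b"\x00" + STRINGS["x2"]  # branch 2
OVERSIZED_ELF_ONE_STRING = ELF_HEAD + STRINGS["x1"] + b"\x00" * (81 * 1024)       # > 80KB
PLAIN_ONE_STRING = b"notes: " + STRINGS["x2"] + b"\n"                            # no ELF, 1 string
ELF_STRING_NOT_FULLWORD = ELF_HEAD + b"a" + STRINGS["x1"] + b"b"                  # alnum-flanked

if __name__ == "__main__":
    for name, blob in [
        ("small ELF, one string", SMALL_ELF_ONE_STRING),
        ("PE, both strings", PE_BOTH_STRINGS),
        ("oversized ELF, one string", OVERSIZED_ELF_ONE_STRING),
        ("text file, one string", PLAIN_ONE_STRING),
        ("ELF, string not fullword", ELF_STRING_NOT_FULLWORD),
    ]:
        print(f"{name:28s} -> {triage(blob)}")
```

The oversized and alnum-flanked samples are the two ways a file that visibly contains a usage string still fails the ELF branch; the PE sample shows why the `all of them` branch exists, since the same tool repacked into a non-ELF carrier would otherwise be missed.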
Detection logic: the rule carries two string patterns and a two-branch condition. The first branch requires the ELF magic (uint16(0) == 0x457f is a little-endian read of the bytes 7f 45, i.e. "\x7fE"), a file size under 80 KB, and at least one of the two usage strings. The second branch fires on a file of any size or format that contains both strings, which also catches the tool when it sits inside a non-ELF carrier or a memory dump. Both strings are marked fullword, so they must not be flanked by alphanumeric characters. The rule runs unchanged in the yara command-line scanner over a file system and in endpoint agents that support YARA for file and process-memory scans.
Possible false positives. The rule matches on file content (the two usage strings and the ELF header), not on the file name, so a file merely named DUL does not trigger it; each scenario below produces a hit only if the file also contains the rule's strings. Before applying any exclusion, compare the file's SHA-256 with hash1 above: an exact match is the leaked sample itself and must never be excluded.
Scenario: Legitimate System File Update via Windows Update
Description: A Windows system file updated by Windows Update or Microsoft patching contains both usage strings. A PE file cannot satisfy the ELF branch, so it can only match via all of them.
Filter/Exclusion: Verify the file's Authenticode signature and compare its hash with Microsoft's published catalog hashes; exclude only on a confirmed known-good hash or signer. Do not write the exclusion as file.hash != <known malicious hash>: that filter keeps every hit except the known sample, which is the one hit you want to keep.
Scenario: Scheduled Job Running a Script Named DUL
Description: A scheduled job (e.g., via Task Scheduler) runs a script named DUL that is part of a legitimate administrative task, such as log cleanup or system maintenance, and the script embeds one of the usage strings.
Filter/Exclusion: Tasks are launched by the Task Scheduler service (the svchost.exe instance hosting the Schedule service), not by schtasks.exe, which only creates and queries tasks; filter on that parent process together with the task name, and verify the script's legitimacy via file integrity monitoring rather than on the parent alone.
Scenario: Admin Using DUL as a Custom Tool for Data Extraction
Description: A system administrator uses a custom tool named DUL (e.g., a data extraction utility) for legitimate forensic or compliance purposes, and the tool carries one of the usage strings.
Filter/Exclusion: Do not exclude on process.user == "admin_account" alone, since adversaries routinely operate from administrative accounts; allowlist the tool by hash or code-signing certificate from the internal tooling inventory and confirm its origin and purpose with the owner.
Scenario: Antivirus or Endpoint Protection Tool Generating DUL as a Temp File
Description: A security product (e.g., Kaspersky, whose scanner runs as avp.exe) writes a temporary or quarantine copy of a file it is scanning. If that file is the DUL sample, the YARA hit on the copy is a true detection of the sample's presence on the host, not a false positive.
Filter/Exclusion: Suppress duplicate alerts for files under the product's own quarantine and temp directories written by its process (process.name == "avp.exe" or process.name == "kav.exe"), but keep the original detection and verify the file's hash.
Scenario: Legitimate File from a Third-Party Software Package
Description: A file that is part of a legitimate third-party software package (e.g., a database tool or network monitoring utility) installed on the system carries one of the rule's usage strings.