The detection identifies potential use of the Equation Group hack tool eh.1.1.0.0, which was leaked by the ShadowBrokers, indicating possible adversary use of advanced persistent threat tooling. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated, state-sponsored threat actors.
YARA Rule
rule EquationGroup_eh_1_1_0 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628"
   strings:
      $x1 = "usage: %s -e -v -i target IP [-c Cert File] [-k Key File]" fullword ascii
      $x2 = "TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=" ascii
      $x3 = "[-l Log File] [-m save MAC time file(s)] [-p Server Port]" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns ($x1, $x2, $x3) in its detection logic; any one of them is enough, but only when the file also starts with the ELF magic (uint16(0) == 0x457f is the little-endian reading of the bytes 7F 45, i.e. "\x7fE" of "\x7fELF") and is smaller than 100KB. The two fullword strings match only when they are delimited by non-alphanumeric characters.
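To make the condition concrete, here is an added pure-Python re-implementation of the rule's logic (not part of the page and not Florian Roth's code) that can be tested without libyara: it checks the little-endian ELF magic, the 100KB size bound, and the three strings with YARA's fullword semantics against constructed sample blobs, which are assumptions, not real samples.

```python
import re
import struct

# The three strings from the rule; True marks the ones declared "fullword".
RULE_STRINGS = {
    "$x1": (b"usage: %s -e -v -i target IP [-c Cert File] [-k Key File]", True),
    "$x2": (b"TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=", False),
    "$x3": (b"[-l Log File] [-m save MAC time file(s)] [-p Server Port]", True),
}
MAX_SIZE = 100 * 1024  # YARA's "100KB" suffix multiplies by 1024


def is_elf_header(data: bytes) -> bool:
    """uint16(0) == 0x457f: YARA reads little-endian, so bytes 7F 45 (start of \\x7fELF)."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x457F


def matching_strings(data: bytes) -> list:
    """Return the names of the rule strings found in data, honouring fullword."""
    hits = []
    for name, (pattern, fullword) in RULE_STRINGS.items():
        rx = re.escape(pattern)
        if fullword:
            # YARA fullword: match must be delimited by non-alphanumeric characters
            rx = rb"(?<![0-9A-Za-z])" + rx + rb"(?![0-9A-Za-z])"
        if re.search(rx, data):
            hits.append(name)
    return hits


def rule_matches(data: bytes) -> bool:
    """Same condition as the rule: ELF magic and filesize < 100KB and 1 of them."""
    return is_elf_header(data) and len(data) < MAX_SIZE and bool(matching_strings(data))


# Constructed samples (not real files): an ELF-like blob carrying $x1, the same
# content behind a PE "MZ" header, and an ELF blob where $x1 is glued to
# alphanumeric characters so the fullword check must reject it.
SAMPLE_ELF_HIT = b"\x7fELF" + b"\x00" * 60 + RULE_STRINGS["$x1"][0] + b"\n"
SAMPLE_PE_HIT = b"MZ\x90\x00" + b"\x00" * 60 + RULE_STRINGS["$x1"][0] + b"\n"
SAMPLE_FULLWORD_MISS = b"\x7fELF" + b"\x00" * 60 + b"x" + RULE_STRINGS["$x1"][0] + b"1"

if __name__ == "__main__":
    for label, blob in [("elf_hit", SAMPLE_ELF_HIT), ("pe_hit", SAMPLE_PE_HIT),
                        ("fullword_miss", SAMPLE_FULLWORD_MISS)]:
        print(label, rule_matches(blob), matching_strings(blob))
```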
Scenario: Legitimate use of eh.1.1.0.0 as part of a network discovery tool
Description: The file eh.1.1.0.0 is a known network discovery tool used by some enterprise security tools for internal network mapping.
Filter/Exclusion: Exclude files where the process name is network-discovery-tool.exe or where the file path contains security-tools/ or internal-network-mapping/.
Scenario: Scheduled job running eh.1.1.0.0 for system diagnostics
Description: A scheduled task or service runs the eh.1.1.0.0 file as part of a routine system health check or diagnostic process.
Filter/Exclusion: Exclude events where the process is launched by a scheduled task with a name like SystemHealthCheck or where the command line includes --diagnostic-mode.
Scenario: Admin task using eh.1.1.0.0 for forensic analysis
Description: A security or IT admin uses the eh.1.1.0.0 tool for forensic analysis or incident response activities.
Filter/Exclusion: Exclude events where the user is a domain admin or where the process is initiated from a known incident response tool directory, such as C:\Tools\IR\.
Scenario: Malware analysis lab running eh.1.1.0.0 in a sandboxed environment
Description: The file is executed in a sandbox or malware analysis environment to study its behavior.
Filter/Exclusion: Exclude events where the process is running in a virtual machine or where the file path includes sandbox/ or analysis/.
Scenario: Legitimate software update or patch deployment
Description: The `eh.1.