The hunt hypothesis detects potential adversary use of the leaked Equation Group tool ‘elatedmonkey.1.0.1.1.sh’ to execute arbitrary code and maintain persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activity leveraging known sophisticated malware.
YARA Rule
rule EquationGroup_elatedmonkey_1_0_1_1 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh"
author = "Florian Roth"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090"
strings:
$x3 = "Usage: $0 ( -s IP PORT | CMD )" fullword ascii
$s5 = "os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")" fullword ascii
$s13 = "PHP_SCRIPT=\"$HOME/public_html/info$X.php\"" fullword ascii
$s15 = "cat > /dev/tcp/127.0.0.1/80 <<END" fullword ascii
condition:
( uint16(0) == 0x2123 and filesize < 5KB and ( 1 of ($x*) and 5 of ($s*) ) ) or ( all of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate System Update or Patch Deployment
Description: A system administrator deploys a legitimate update or patch that includes a file named elatedmonkey.1.0.1.1.sh as part of a package.
Filter/Exclusion: Check the file’s hash against known good hashes of legitimate update packages. Exclude files with hashes matching trusted software repositories.
Scenario: Scheduled Job Running a Bash Script
Description: A scheduled job (e.g., via cron or Task Scheduler) runs a Bash script named elatedmonkey.1.0.1.1.sh as part of routine maintenance or configuration management.
Filter/Exclusion: Exclude scripts that are part of known configuration management tools (e.g., Ansible, Puppet) or scheduled tasks with known execution patterns.
Scenario: File Integrity Monitoring Tool Generating Alerts
Description: A file integrity monitoring (FIM) tool like Tripwire or OSSEC generates an alert when it detects a file named elatedmonkey.1.0.1.1.sh has been created or modified.
Filter/Exclusion: Exclude files that are part of FIM tool configurations or known baseline files. Use file metadata (e.g., ownership, modification time) to differentiate.
Scenario: Developer Testing or Debugging Script
Description: A developer is testing or debugging a script named elatedmonkey.1.0.1.1.sh in a development environment.
Filter/Exclusion: Exclude files located in development directories (e.g., /home/dev/, /opt/dev/) or files with known development tool signatures.
Scenario: Malware Analysis or Sandbox Environment
Description: A security analyst is running malware analysis in a sandbox environment and the file elatedmonkey.1.0.1.1.sh