This detection identifies the leaked Equation Group tool 'electricslide', which adversaries may use to gain unauthorized access to systems. SOC teams should proactively hunt for it in Azure Sentinel to catch early signs of advanced persistent threats that rely on known malicious tooling.
YARA Rule
rule EquationGroup_electricslide {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "d27814b725568fa73641e86fa51850a17e54905c045b8b31a9a5b6d2bdc6f014"
   strings:
      $x1 = "Firing with the same hosts, on altername ports (target is on 8080, listener on 443)" fullword ascii
      $x2 = "Recieved Unknown Command Payload: 0x%x" fullword ascii
      $x3 = "Usage: eslide [options] <-t profile> <-l listenerip> <targetip>" fullword ascii
      $x4 = "-------- Delete Key - Remove a *closed* tab" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 2000KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
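The condition above combines an ELF magic check (uint16(0) is read little-endian, so the bytes 7f 45 compare equal to 0x457f), a size limit and "1 of them" over four fullword strings. The following is an added example, not part of the page or of Florian Roth's rule set, that re-implements that condition in plain Python so an analyst can see on constructed byte buffers why an ELF stub with one string matches, why a PE-style 'MZ' file carrying the same string does not, and how fullword rejects a string glued to neighbouring alphanumerics:

```python
import re

# The rule's four $x strings, copied verbatim from the rule: the spelling
# errors are in the original tool's binary and must be matched as-is.
ELECTRICSLIDE_STRINGS = [
    b"Firing with the same hosts, on altername ports (target is on 8080, listener on 443)",
    b"Recieved Unknown Command Payload: 0x%x",
    b"Usage: eslide [options] <-t profile> <-l listenerip> <targetip>",
    b"-------- Delete Key - Remove a *closed* tab",
]
MAX_FILESIZE = 2000 * 1024  # YARA's "filesize < 2000KB"


def is_elf(data: bytes) -> bool:
    """uint16(0) == 0x457f: YARA reads two little-endian bytes at offset 0,
    so the ELF magic 7f 45 ('\\x7fE') evaluates to 0x457f."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x457F


def fullword_hits(data: bytes) -> list:
    """Return the $x strings present as 'fullword ascii' matches, i.e. not
    bordered on either side by an alphanumeric byte."""
    hits = []
    for s in ELECTRICSLIDE_STRINGS:
        pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
        if re.search(pattern, data):
            hits.append(s)
    return hits


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition: ELF magic AND size limit AND 1 of them."""
    return is_elf(data) and len(data) < MAX_FILESIZE and len(fullword_hits(data)) > 0


# Constructed samples (not real files): an ELF header stub with one string,
# a PE-style stub ('MZ') carrying the same string, and an ELF where the string
# is glued to other alphanumerics so the fullword modifier rejects it.
ELF_STUB = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_ELF_HIT = ELF_STUB + b"\x00" + ELECTRISLIDE_STRINGS[2] if False else ELF_STUB + b"\x00" + ELECTRICSLIDE_STRINGS[2] + b"\x00"
SAMPLE_PE_MISS = b"MZ\x90\x00" + b"\x00" * 12 + ELECTRICSLIDE_STRINGS[2] + b"\x00"
SAMPLE_NOT_FULLWORD = ELF_STUB + b"x" + ELECTRICSLIDE_STRINGS[1] + b"1\x00"

if __name__ == "__main__":
    for name, blob in [("elf_hit", SAMPLE_ELF_HIT), ("pe_miss", SAMPLE_PE_MISS),
                       ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        print(f"{name}: matches={matches_rule(blob)} hits={len(fullword_hits(blob))}")
```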
Scenario: Legitimate Use of electricSlide in a Security Tool
Description: A security tool or SIEM system may use a component named electricSlide for log parsing or data processing.
Filter/Exclusion: Check the parent process or command-line arguments for known security tool names (e.g., Splunk, ELK, Logstash).
Scenario: Scheduled System Maintenance Task
Description: A scheduled task running under a privileged account (e.g., SYSTEM or Administrator) may trigger the rule due to the presence of the file name.
Filter/Exclusion: Filter by process owner (ProcessOwner == "SYSTEM" or ProcessOwner == "Administrator") and check for known maintenance scripts or tasks (e.g., schtasks.exe).
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool may use a file named electricSlide as part of its internal operations or signature database.
Filter/Exclusion: Check for process names like mpsvc.exe, avgnt.exe, or mcafee.exe and verify whether the file is part of a known security product.
Scenario: PowerShell Script for System Configuration
Description: A PowerShell script used for system configuration or patch management may include a file named electricSlide as a placeholder or temporary file.
Filter/Exclusion: Filter by process name (powershell.exe) and check for script paths in known enterprise directories (e.g., C:\Windows\System32\, C:\Program Files\).
Scenario: Backup or Restore Job Using a Custom Script
Description: A backup or restore job using a custom script may generate or use a file named electricSlide as part of its workflow.
*Filter/Ex