This detection identifies potential use of elgingamble, an Equation Group hack tool leaked by the ShadowBrokers, which may indicate unauthorized access or lateral movement within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging the leaked malware.
YARA Rule
rule EquationGroup_elgingamble {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd"
    strings:
        $x1 = "* * * * * root chown root %s; chmod 4755 %s; %s" fullword ascii
        $x2 = "[-] kernel not vulnerable" fullword ascii
        $x3 = "[-] failed to spawn shell: %s" fullword ascii
        $x4 = "-s shell Use shell instead of %s" fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
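To show how the four strings and the "1 of them" condition behave, here is an added, self-contained re-implementation of the rule's matching logic in plain Python (example code, not part of the signature-base rule or of any YARA engine). It reproduces the fullword modifier, which only accepts an occurrence that is not flanked by alphanumeric bytes, and compares the scanned buffer's SHA-256 with the rule's hash1. The sample buffers are constructed for demonstration and are not real binaries.

```python
import hashlib

# Strings declared in the EquationGroup_elgingamble rule above; all carry the
# "fullword ascii" modifiers, and the condition is "1 of them".
RULE_STRINGS = {
    "$x1": b"* * * * * root chown root %s; chmod 4755 %s; %s",
    "$x2": b"[-] kernel not vulnerable",
    "$x3": b"[-] failed to spawn shell: %s",
    "$x4": b"-s shell Use shell instead of %s",
}
RULE_HASH1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd"


def fullword_matches(data: bytes, needle: bytes) -> list:
    """Offsets where needle occurs delimited by non-alphanumeric bytes (or the
    buffer edge), which is what YARA's fullword modifier requires."""
    offsets, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            offsets.append(i)
        start = i + 1
    return offsets


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule against a byte buffer: report which strings matched
    (any single hit satisfies "1 of them"), the SHA-256, and a hash1 comparison."""
    hits = {name: fullword_matches(data, s) for name, s in RULE_STRINGS.items()}
    hits = {name: offs for name, offs in hits.items() if offs}
    digest = hashlib.sha256(data).hexdigest()
    return {"matched": bool(hits), "strings": hits,
            "sha256": digest, "hash1_match": digest == RULE_HASH1}


# Constructed sample buffers (not real binaries) for demonstration only.
SAMPLE_HIT = (b"\x7fELF\x00\x00usage: -s shell Use shell instead of %s\x00"
              b"[-] kernel not vulnerable\x00")
# Same text embedded between alphanumeric bytes: fullword blocks the match.
SAMPLE_MISS = b"logX[-] kernel not vulnerableZ end"

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, evaluate_rule(buf))
```

For real scanning use the yara or yara-python tooling; this block exists only to make the rule's semantics visible.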
Scenario: Legitimate System File Access
Description: A system administrator accesses the elgingamble file as part of a routine forensic investigation or incident response.
Filter/Exclusion: (process.parent_process_name == "explorer.exe" or process.parent_process_name == "cmd.exe" or process.parent_process_name == "powershell.exe") and process.user == "admin"

Scenario: Scheduled Job Execution
Description: A scheduled job or service runs a script that interacts with the elgingamble file as part of a legitimate maintenance task.
Filter/Exclusion: process.file_name == "schtasks.exe" or process.file_name == "task scheduler" or process.file_name == "services.exe"

Scenario: Security Tool Analysis
Description: A security tool or EDR (Endpoint Detection and Response) platform analyzes the elgingamble file during a sandboxed or static analysis session.
Filter/Exclusion: process.file_name == "idaq.exe" or process.file_name == "vmprotect.exe" or process.file_name == "sandboxed_process"

Scenario: Malware Analysis Environment
Description: The file is being analyzed in a malware analysis lab or sandbox environment, which is common during threat intelligence research.
Filter/Exclusion: process.file_name == "wireshark.exe" or process.file_name == "idaq.exe" or process.file_name == "sandboxed_process"

Scenario: False Positive from File Integrity Monitoring
Description: The file is part of a legitimate software update or patch that was incorrectly flagged by file integrity monitoring tools.
Filter/Exclusion: process.file_name == "msiexec.exe" or process.file_name == "setup.exe" or process.file_name == "patch.exe"