This rule identifies the Equation Group tool emptycriss, published in the ShadowBrokers "Don't Forget Your Base" release, by the usage and help text embedded in the file. A match means a leaked exploitation tool has been staged on a host, which is an early indicator of hands-on-keyboard activity by a capable intruder rather than commodity malware. SOC teams should scan endpoints and file shares for it proactively, forward the results to Azure Sentinel for correlation with the host's other telemetry, and treat any match outside the known benign sources listed below as a potential compromise.
YARA Rule
rule EquationGroup_emptycriss {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "a698d35a0c4d25fd960bd40c1de1022bb0763b77938bf279e91c9330060b0b91"
    strings:
        $s1 = "./emptycriss <target IP>" fullword ascii
        $s2 = "Cut and paste the following to the telnet prompt:" fullword ascii
        $s8 = "environ define TTYPROMPT abcdef" fullword ascii
    condition:
        ( filesize < 50KB and 1 of them )
}
The rule carries three string patterns, all taken from the tool's own usage text ($s1 is its command-line synopsis and $s2 introduces text the operator is told to paste at a telnet prompt), and it fires on any file smaller than 50 KB that contains at least one of them as a whole word (the fullword modifier rejects occurrences bordered by letters or digits). Because a single string is enough, the rule is cheap to scan with but will also trip on copies of the text rather than the tool, so the file name is irrelevant: only the bytes are tested.
Scenario: Security Tooling That Carries the Signature Text
Description: The three strings are reproduced verbatim in this rule file, in any signature database that bundles it, and in IOC lists or threat-intelligence reports about the leak. Each such file under 50 KB satisfies the condition on its own, so a scan that sweeps your own rule repository is the most common source of this alert.
Filter/Exclusion: Exclude the rule and signature directories of your security tools by path, or the hashes of those specific files. Do not whitelist hash1 above: that is the hash of the leaked tool itself, and excluding it removes the true positive.
Scenario: Files That Merely Carry the Name emptycriss
Description: A scheduled task (via Task Scheduler or cron) that rotates log files, or an administrator's PowerShell, Python or Batch script that writes a temporary file, may produce a file named emptycriss. Such files do not match: the rule inspects content, not names, and no name-based exclusion is needed.
Filter/Exclusion: None. Do not exclude files by owner (SYSTEM, Administrator) or by recent creation time to handle this case; a real drop of the tool is typically a recently created file owned by a privileged account, and those filters would suppress it.
Scenario: Malware Analysis Environment Artifact
Description: Analysts who pulled the leaked archive for research hold the original binary (hash1 above) on analysis hosts and in sandbox sample stores (e.g., Cuckoo Sandbox, Joe Sandbox), and the strings-extraction reports those tools produce reproduce the usage text and match as well.
Filter/Exclusion: Scope the alert to exclude known analysis hosts and sample repositories, or raise its severity only when a match appears outside them. Matches on the isolated analysis network are expected; the same bytes on a production host are not.
Scenario: Backup or Restore Process
Description: A backup tool (e.g., Veeam, Acronis, or Windows Backup) that captures any of the copies above carries the same bytes in its image, and a restore writes them back as newly created files, so a previously resolved match reappears, often during a maintenance window.
Filter/Exclusion: Correlate the match with backup and restore job times and with the original location of the restored copy rather than suppressing it outright; a copy that was benign before the backup is benign after the restore, but a restore is also how an intruder's staged tooling can return.
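To make the condition concrete, and to show which of the scenarios above can and cannot trigger it, the following is an added example that re-implements the rule's logic in plain Python (it is not yara-python and not code from the rule's author or this page). The sample file contents are constructed for the example; the ELF prefix and the log line are stand-ins, not real artifacts, and the shortened rule text omits the meta block.

```python
"""Re-implementation of the EquationGroup_emptycriss condition in plain Python
(added example; not yara-python and not the page's own code)."""
import re
from typing import Dict, List

# The three patterns of the rule, with their original identifiers.
RULE_STRINGS: Dict[str, bytes] = {
    "$s1": b"./emptycriss <target IP>",
    "$s2": b"Cut and paste the following to the telnet prompt:",
    "$s8": b"environ define TTYPROMPT abcdef",
}
# YARA's "50KB" is 50 * 1024 bytes; the comparison is strict (<).
MAX_FILESIZE = 50 * 1024


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword ascii': the bytes occur and are not bordered on either
    side by an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> List[str]:
    """Identifiers of the rule strings present in data (ignores filesize)."""
    return [name for name, s in RULE_STRINGS.items() if fullword_ascii(data, s)]


def rule_matches(data: bytes) -> bool:
    """condition: ( filesize < 50KB and 1 of them )"""
    return len(data) < MAX_FILESIZE and len(matched_strings(data)) >= 1


# Constructed sample contents (not real artifacts). Keys are the file names the
# scenarios talk about; the rule never sees the name, only the bytes.
RULE_FILE_TEXT = b"""rule EquationGroup_emptycriss {
    strings:
        $s1 = "./emptycriss <target IP>" fullword ascii
        $s2 = "Cut and paste the following to the telnet prompt:" fullword ascii
        $s8 = "environ define TTYPROMPT abcdef" fullword ascii
    condition:
        ( filesize < 50KB and 1 of them )
}
"""
SAMPLES: Dict[str, bytes] = {
    # A stand-in for a binary whose usage banner carries one of the strings.
    "tool_with_usage_banner": b"\x7fELF..." + b"usage: ./emptycriss <target IP>\n",
    # The rule file itself contains all three strings, each quoted.
    "emptycriss.yar": RULE_FILE_TEXT,
    # Log rotation output that merely bears the tool's name: no string content.
    "emptycriss": b"Apr  8 03:15:01 host cron[4242]: (root) CMD (logrotate)\n",
    # A rule string glued to alphanumerics on both sides: fails the fullword test.
    "partial_string.txt": b"xenviron define TTYPROMPT abcdefg\n",
    # A matching string inside a file over 50KB: the filesize clause fails.
    "oversize.bin": b"A" * MAX_FILESIZE + b" environ define TTYPROMPT abcdef ",
}


def scan(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Per sample name, the matched string identifiers when the whole condition
    holds, or [] when the rule would not fire."""
    return {name: (matched_strings(d) if rule_matches(d) else [])
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        verdict = "MATCH " + ", ".join(hits) if hits else "no match"
        print(f"{name:24} {verdict}")
```

Running it shows the rule file matching on all three strings while the file actually named emptycriss does not match at all, which is why the exclusions above key on paths of signature repositories and analysis hosts rather than on file names or owners. The oversize sample also illustrates the one evasion the condition leaves open: the same strings in a file of 50 KB or more are never reported.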