The detection identifies potential adversary use of the leaked Equation Group tool ‘envoytomato’ to establish covert command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity leveraging compromised infrastructure.
YARA Rule
rule EquationGroup_envoytomato {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5"
    strings:
        $s1 = "[-] kernel not vulnerable" fullword ascii
        $s2 = "[-] failed to spawn shell" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
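To make the rule's two conditions concrete, here is an added Python reproduction of its matching logic (not code from the page or from the rule's author; real scans use yara or yara-python). It shows how the fullword modifier rejects a pattern glued to alphanumeric bytes and how the filesize < 250KB guard, which YARA reads as 250 × 1024 bytes, suppresses a hit in an oversized file; all samples are constructed byte strings, not real binaries.

```python
# Pure-Python re-implementation of the rule's condition, for study only.
RULE_STRINGS = {                       # the two patterns from the rule, "fullword ascii"
    "$s1": b"[-] kernel not vulnerable",
    "$s2": b"[-] failed to spawn shell",
}
MAX_FILESIZE = 250 * 1024              # YARA's KB suffix is 1024 bytes, so "< 250KB" is < 256000


def fullword_matches(data: bytes, pattern: bytes) -> list:
    """Offsets where pattern occurs as a YARA 'fullword' match: the byte
    before and the byte after the match must not be alphanumeric."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        before = data[idx - 1:idx] if idx else b""
        after = data[idx + len(pattern):idx + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():   # b"".isalnum() is False
            hits.append(idx)
        start = idx + 1
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Apply 'filesize < 250KB and 1 of them' and report which strings hit."""
    hits = {name: fullword_matches(data, pat) for name, pat in RULE_STRINGS.items()}
    hits = {name: offs for name, offs in hits.items() if offs}
    return {
        "filesize": len(data),
        "strings": hits,
        "matches": len(data) < MAX_FILESIZE and len(hits) >= 1,   # "1 of them"
    }


# Constructed samples (not real files): strings sit between NUL bytes, as they
# would in an ELF .rodata section.
SAMPLE_HIT = b"\x00" * 16 + b"[-] kernel not vulnerable\x00[-] failed to spawn shell\x00"
# Same text glued to alphanumerics on both sides: fullword rejects both strings.
SAMPLE_NOT_FULLWORD = b"x[-] kernel not vulnerable1 x[-] failed to spawn shellz"
# Strings present, but the file exceeds the size guard, so the rule stays silent.
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for name, sample in (("hit", SAMPLE_HIT), ("not_fullword", SAMPLE_NOT_FULLWORD),
                         ("too_big", SAMPLE_TOO_BIG)):
        print(name, evaluate_rule(sample))
```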
Scenario: Legitimate Use of envoytomato as a Scheduled Job
Description: A system administrator schedules envoytomato as part of a legitimate maintenance task, such as data migration or system cleanup.
Filter/Exclusion: Exclude processes where the file path contains C:\Windows\System32\ or where the process is associated with a known legitimate scheduled task (e.g., DataMigrationTask).
Scenario: Use of envoytomato by a Security Tool for Analysis
Description: A security researcher or incident responder uses envoytomato as part of a malware analysis lab to study the behavior of the Equation Group tool.
Filter/Exclusion: Exclude processes running from a sandboxed environment (e.g., C:\Windows\SysWOW64\ or C:\Program Files\Sandboxie\) or where the parent process is a known analysis tool (e.g., IDA Pro, Wireshark).
Scenario: Administrative Task Involving File Copying
Description: A system administrator uses envoytomato to copy files between servers as part of a backup or deployment process.
Filter/Exclusion: Exclude processes where the command line includes file paths related to backup directories (e.g., C:\Backup\) or where the process is initiated by a known administrative tool (e.g., PsExec, Powershell.exe with -Command).
Scenario: Use of envoytomato in a Virtualized Environment
Description: A virtual machine or container environment runs envoytomato as part of a test or development setup.
Filter/Exclusion: Exclude processes running within a virtual machine (e.g., C:\Windows\System32\vbox or `C:\Windows