Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1

Hunt Hypothesis

The detection identifies potential adversary use of the Equation Group hack tool, epoxyresin.v1.0.0.1, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated, previously unknown attack methods.

YARA Rule

rule EquationGroup_epoxyresin_v1_0_0 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73"
   strings:
      $x1 = "[-] kernel not vulnerable" fullword ascii

      $s1 = ".tmp.%d.XXXXXX" fullword ascii
      $s2 = "[-] couldn't create temp file" fullword ascii
      $s3 = "/boot/System.map-%s" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 30KB and $x1 ) or ( all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Legitimate Use of Epoxyresin.v1.0.0.1 in a Security Research Lab
  Description: A security team is analyzing the leaked Equation Group tool as part of a red team exercise.
  Filter/Exclusion: process.name != "epoxyresin.v1.0.0.1" OR process.parent.name == "idaq.exe" (IDA Pro process)

• Scenario: Scheduled System Maintenance Task Using Epoxyresin.v1.0.0.1
  Description: A system maintenance script or job is using the tool for legitimate forensic analysis or system integrity checks.
  Filter/Exclusion: process.name != "epoxyresin.v1.0.0.1" OR process.parent.name == "schtasks.exe"

• Scenario: Admin Task to Analyze Malware Sample Using Epoxyresin.v1.0.0.1
  Description: An administrator is using the tool to analyze a malware sample in a sandboxed environment.
  Filter/Exclusion: process.name != "epoxyresin.v1.0.0.1" OR process.parent.name == "vmtoolsd.exe" (VMware Tools)

• Scenario: Legitimate File Integrity Check Using Epoxyresin.v1.0.0.1
  Description: A file integrity monitoring tool is using the tool to verify system files.
  Filter/Exclusion: process.name != "epoxyresin.v1.0.0.1" OR process.parent.name == "fileintegrity.exe"

• Scenario: False Positive from a Malware Analysis Tool
  Description: A malware analysis platform is using the tool as part of its analysis workflow, leading to a false positive.
  Filter/Exclusion: `process.name