The detection identifies potential adversary use of the leaked Equation Group tool ‘estopmoonlit’ which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated cyber adversaries.
YARA Rule
rule EquationGroup_estopmoonlit {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220"
    strings:
        $x1 = "[+] shellcode prepared, re-executing" fullword ascii
        $x2 = "[-] kernel not vulnerable: prctl" fullword ascii
        $x3 = "[-] shell failed" fullword ascii
        $x4 = "[!] selinux apparently enforcing. Continue [y|n]? " fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate System File Update
Description: A system update or patching process deploys a file named estopmoonlit.exe as part of a legitimate software update.
Filter/Exclusion: Check the file’s digital signature and hash against known good hashes of the legitimate software. Use a filter like file.hash == "known_good_hash".
Scenario: Scheduled Job Execution
Description: A scheduled task or job (e.g., Task Scheduler or cron job) runs a script that generates or uses a file named estopmoonlit.exe as part of a routine maintenance process.
Filter/Exclusion: Filter by process owner (user == "svc_account") and check against known legitimate scheduled tasks using process.name == "schtasks.exe" or process.name == "cron", depending on the OS.
Scenario: Antivirus or Security Tool Scan
Description: A security tool (e.g., Malwarebytes, Bitdefender, or Kaspersky) temporarily creates a file named estopmoonlit.exe during a scan or quarantine process.
Filter/Exclusion: Filter by process name (process.name == "mbam.exe", process.name == "kavservice.exe", etc.) or check the file’s parent process to identify security tool activity.
Scenario: Log Management Tool Processing
Description: A log management tool (e.g., Splunk, ELK Stack, or Graylog) generates or processes a file named estopmoonlit.log as part of its operation.
Filter/Exclusion: Filter by file extension (file.name contains ".log") or process name (process.name == "splunkd.exe" or process.name == "logstash").
Scenario: Development or Testing
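The rule's condition evaluated in plain Python, as an added example that is not part of this page or of the original rule: it emulates YARA's fullword semantics and the 250KB size limit against constructed sample buffers, and layers on the known-good-hash exclusion from the scenarios above. The string table is copied from the rule; KNOWN_GOOD_HASHES, the sample buffers and the helper names are assumptions made for this example. Note that the rule matches on file content, not on file name, so a name-based filter alone does not suppress a hit and the hash check is the exclusion that actually applies.

```python
import hashlib
import re

# String patterns copied from the rule above ($x1..$x4), keyed by identifier.
RULE_STRINGS = {
    "$x1": b"[+] shellcode prepared, re-executing",
    "$x2": b"[-] kernel not vulnerable: prctl",
    "$x3": b"[-] shell failed",
    "$x4": b"[!] selinux apparently enforcing. Continue [y|n]? ",
}

# 'filesize < 250KB': YARA's KB suffix multiplies by 1024.
MAX_FILESIZE = 250 * 1024

# Assumption: an analyst maintains this set of SHA-256 hashes after verifying
# a file is benign (the "known good hash" exclusion from the scenarios).
KNOWN_GOOD_HASHES = set()


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Offsets where `needle` occurs as a YARA 'fullword' match, i.e. not
    immediately preceded or followed by an alphanumeric byte."""
    pattern = re.compile(
        rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])")
    return [m.start() for m in pattern.finditer(data)]


def evaluate_rule(data: bytes) -> dict:
    """Evaluate EquationGroup_estopmoonlit against an in-memory file image.
    Returns which identifiers matched and whether the whole condition held."""
    hits = {ident: fullword_offsets(data, s) for ident, s in RULE_STRINGS.items()}
    matched = sorted(i for i, offs in hits.items() if offs)
    size_ok = len(data) < MAX_FILESIZE
    return {
        "filesize": len(data),
        "matched": matched,
        # condition: filesize < 250KB and 1 of them
        "triggered": size_ok and len(matched) >= 1,
    }


def allowlist(data: bytes) -> str:
    """Record a verified-benign file's SHA-256 so later hits on it are suppressed."""
    digest = hashlib.sha256(data).hexdigest()
    KNOWN_GOOD_HASHES.add(digest)
    return digest


def should_alert(data: bytes) -> bool:
    """Rule result combined with the hash-based exclusion: a file on the
    allowlist is suppressed even if its content matches the strings."""
    if hashlib.sha256(data).hexdigest() in KNOWN_GOOD_HASHES:
        return False
    return evaluate_rule(data)["triggered"]


# Constructed samples for this example (not real files):
# an ELF-like blob carrying two of the rule's strings as NUL-terminated C strings
SAMPLE_MATCH = (b"\x7fELF" + b"\x00" * 64
                + b"[-] kernel not vulnerable: prctl\x00"
                + b"[-] shell failed\x00")
# the same string embedded inside an alphanumeric run: fullword rejects it
SAMPLE_EMBEDDED = b"log: xyz[-] shell failedabc\n"
# content matches, but the buffer is not below 250KB
SAMPLE_TOO_BIG = b"\x00" * MAX_FILESIZE + b"[-] shell failed"

if __name__ == "__main__":
    for name, blob in [("SAMPLE_MATCH", SAMPLE_MATCH),
                       ("SAMPLE_EMBEDDED", SAMPLE_EMBEDDED),
                       ("SAMPLE_TOO_BIG", SAMPLE_TOO_BIG)]:
        print(name, evaluate_rule(blob), "alert:", should_alert(blob))
```

The three samples show the three ways the condition can resolve: a genuine content hit, a hit rejected by the fullword modifier, and a hit discarded by the size bound. Running the same blob through should_alert before and after allowlist shows how a hash-based exclusion sits on top of the rule without loosening the rule itself.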