The detection identifies potential adversary use of the Equation Group hack tool, exze, which may indicate exploitation of zero-day vulnerabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging leaked sophisticated malware.
YARA Rule
rule EquationGroup_exze {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file exze"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "1af6dde6d956db26c8072bf5ff26759f1a7fa792dd1c3498ba1af06426664876"
    strings:
        $s1 = "shellFile" fullword ascii
        $s2 = "completed.1" fullword ascii
        $s3 = "zeke_remove" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 80KB and all of them )
}
This YARA rule can be deployed in the following contexts:
Its detection logic combines three string patterns ($s1, $s2 and $s3) with a little-endian ELF magic check (uint16(0) == 0x457f) and a file-size limit (filesize < 80KB); all three strings must be present for the rule to fire.
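As an added example (not code from the original page or from the rule's author), the following Python re-implements the rule's condition, the little-endian uint16 ELF magic check, the 80KB size limit and the three fullword strings, and evaluates it against constructed sample blobs. Because the rule matches on file content rather than filename, each near-miss sample shows which part of the condition fails.

```python
import re
import struct

# Plain-Python emulation of the three checks in rule EquationGroup_exze.
# Added example, not part of the original page or rule.
ELF_MAGIC_LE = 0x457F      # uint16(0) of b"\x7fELF" read little-endian
MAX_SIZE = 80 * 1024       # YARA's "80KB" means 80 * 1024 bytes
STRINGS = {"s1": b"shellFile", "s2": b"completed.1", "s3": b"zeke_remove"}


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword' semantics: the string must not be directly preceded
    or followed by an alphanumeric byte (so 'shellFileName' is no hit)."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes) -> dict:
    """Report which parts of the rule condition hold for the given bytes."""
    header_ok = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == ELF_MAGIC_LE
    size_ok = len(data) < MAX_SIZE
    hits = {name: fullword_present(data, s) for name, s in STRINGS.items()}
    return {"elf_header": header_ok, "size_ok": size_ok, "strings": hits,
            "match": header_ok and size_ok and all(hits.values())}


def make_sample(strings, elf=True, pad=0) -> bytes:
    """Build a constructed test blob: a fake ELF (or non-ELF) header,
    NUL-separated strings as they would sit in .rodata, and padding."""
    head = b"\x7fELF\x02\x01\x01\x00" if elf else b"MZ\x90\x00"
    return head + b"\x00".join(strings) + b"\x00" + b"\x00" * pad


# Constructed samples (not real files): one hit plus three near-misses.
ALL = [b"shellFile", b"completed.1", b"zeke_remove"]
SAMPLE_HIT = make_sample(ALL)
SAMPLE_NOT_ELF = make_sample(ALL, elf=False)
SAMPLE_PARTIAL_WORD = make_sample([b"shellFileName", b"completed.1", b"zeke_remove"])
SAMPLE_TOO_BIG = make_sample(ALL, pad=MAX_SIZE)

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("not_elf", SAMPLE_NOT_ELF),
                       ("partial_word", SAMPLE_PARTIAL_WORD), ("too_big", SAMPLE_TOO_BIG)]:
        print(f"{name:13s} {evaluate(blob)}")
```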
Scenario: Legitimate scheduled backup job using exze as part of a script name
Filter/Exclusion: Exclude files where the filename contains exze and the process is associated with a known backup tool (e.g., Veeam, Acronis, or rsync).

Scenario: System update or patching process using exze as a temporary file
Filter/Exclusion: Exclude files where the filename contains exze and the process is associated with a known update tool (e.g., Windows Update, WSUS, or Chocolatey).

Scenario: Admin task using exze as part of a custom script for log analysis
Filter/Exclusion: Exclude files where the filename contains exze and the process is initiated by a known admin user or service (e.g., Administrator, System, or Task Scheduler).

Scenario: Malware analysis environment testing the exze tool
Filter/Exclusion: Exclude files where the filename contains exze and the process is running in a sandboxed or isolated environment (e.g., Cuckoo Sandbox, Joe Sandbox, or FireEye).

Scenario: Legitimate file compression or archiving using exze as part of a filename
Filter/Exclusion: Exclude files where the filename contains exze and the process is associated with a known compression tool (e.g., 7-Zip, WinRAR, or gzip).