The detection identifies potential exploitation of the Equation Group hack tool, ftshell, which may indicate adversary use of leaked advanced persistent threat capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration activities.
YARA Rule
rule EquationGroup__ftshell {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
        hash4 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
    strings:
        $s1 = "if { [string length $uRemoteUploadCommand]" fullword ascii
        $s2 = "processUpload" fullword ascii
        $s3 = "global dothisreallyquiet" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
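To make the condition above concrete, here is an added pure-Python re-implementation of this rule's matching logic (not the page's or YARA's own code): it emulates the fullword string test, the little-endian uint16(0) shebang check and the filesize bound, and runs them against constructed sample buffers that are not real ftshell content.

```python
import re
import struct

# The three fullword ascii strings from the page's YARA rule.
FTSHELL_STRINGS = {
    "$s1": b"if { [string length $uRemoteUploadCommand]",
    "$s2": b"processUpload",
    "$s3": b"global dothisreallyquiet",
}

MAX_FILESIZE = 100 * 1024  # YARA's 100KB is 100 * 1024 bytes


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'fullword': the hit may not be bordered by alphanumerics."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> list[str]:
    """Return the identifiers of the rule strings found in the buffer."""
    return [name for name, s in FTSHELL_STRINGS.items() if fullword_match(data, s)]


def rule_matches(data: bytes) -> bool:
    """Evaluate ( uint16(0) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )."""
    hits = matched_strings(data)
    # uint16(0) is read little-endian, so 0x2123 is the byte pair 0x23 0x21, i.e. b"#!".
    magic_ok = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x2123
    shebang_branch = magic_ok and len(data) < MAX_FILESIZE and len(hits) >= 2
    return shebang_branch or len(hits) == len(FTSHELL_STRINGS)


# Constructed samples for illustration only; none is real ftshell content.
SAMPLE_SHEBANG_TWO = b"#!/usr/bin/env tclsh\nproc processUpload {} {\n    global dothisreallyquiet\n}\n"
SAMPLE_NO_SHEBANG_TWO = b"# fragment\nprocessUpload\nglobal dothisreallyquiet\n"
SAMPLE_ALL_THREE = SAMPLE_NO_SHEBANG_TWO + b"if { [string length $uRemoteUploadCommand] > 0 } {}\n"
SAMPLE_PARTIAL_WORD = b"#!/bin/sh\nprocessUploader\nglobal dothisreallyquiet\n"  # $s2 is not fullword here

if __name__ == "__main__":
    for label, buf in [("shebang+2", SAMPLE_SHEBANG_TWO), ("no shebang+2", SAMPLE_NO_SHEBANG_TWO),
                       ("all three", SAMPLE_ALL_THREE), ("partial word", SAMPLE_PARTIAL_WORD)]:
        print(f"{label:14s} hits={matched_strings(buf)} match={rule_matches(buf)}")
```

The partial-word sample shows why `fullword` matters: `processUploader` does not satisfy `$s2`, so only one string hits and the shebang branch fails.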
Scenario: Legitimate use of ftshell for file transfer in a secure environment
Description: A system administrator uses ftshell as part of a sanctioned file transfer process between internal servers.
Filter/Exclusion: Exclude processes where the file path contains internal_transfer/ or where the user is a member of the admin group and the command line includes --secure-transfer.
Scenario: Scheduled job using ftshell.v3.10.3.7 for log aggregation
Description: A scheduled task runs ftshell.v3.10.3.7 to collect logs from multiple servers into a centralized log management system.
Filter/Exclusion: Exclude processes where the command line includes --log-aggregation or where the parent process is a known scheduled task (e.g., schtasks.exe or cron).
Scenario: System update or patching using ftshell
Description: A patching tool uses ftshell to deploy updates across the network, which is part of the organization’s standard patch management process.
Filter/Exclusion: Exclude processes where the file path contains patching/ or where the user is a member of the patching_admin group.
Scenario: Security tool or SIEM integration using ftshell
Description: A security information and event management (SIEM) tool uses ftshell to send data to a central logging server for analysis.
Filter/Exclusion: Exclude processes where the command line includes --siem or where the destination IP is a known internal SIEM server.
Scenario: Internal development or testing using ftshell
Description: A development team uses ftshell in a test environment to simulate file transfers or system interactions during testing.