The detection identifies potential exploitation of the Equation Group hack tool, ftshell, which may indicate adversary use of leaked advanced persistent threat capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration activities.
YARA Rule
rule EquationGroup__ftshell_ftshell_v3_10_3_0 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
        hash2 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
    strings:
        $s1 = "set uRemoteUploadCommand \"[exec cat /current/.ourtn-ftshell-upcommand]\"" fullword ascii
        $s2 = "send \"\\[ \\\"\\$BASH\\\" = \\\"/bin/bash\\\" -o \\\"\\$SHELL\\\" = \\\"/bin/bash\\\" \\] &&" ascii
        $s3 = "system rm -f /current/tmp/ftshell.latest" fullword ascii
        $s4 = "# ftshell -- File Transfer Shell" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 100KB and 1 of them ) or ( 2 of them )
}
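To make the condition concrete, the following added Python emulation (not part of this page or of the signature-base project) resolves the rule's string escapes, applies the `fullword` modifier, and evaluates the condition on constructed fixtures. The fixture contents are assumptions built for illustration, not real samples; the key point it shows is that `uint16(0) == 0x2123` is the little-endian read of the bytes `#!`, so the first branch only fires on shebang scripts, while any non-script file still matches on two strings.

```python
import re
import struct

# The rule's four strings with YARA's escaping resolved to the literal bytes they
# match; the flag records whether the rule applies the `fullword` modifier.
RULE_STRINGS = {
    "$s1": (rb'set uRemoteUploadCommand "[exec cat /current/.ourtn-ftshell-upcommand]"', True),
    "$s2": (rb'send "\[ \"\$BASH\" = \"/bin/bash\" -o \"\$SHELL\" = \"/bin/bash\" \] &&', False),
    "$s3": (rb"system rm -f /current/tmp/ftshell.latest", True),
    "$s4": (rb"# ftshell -- File Transfer Shell", True),
}

def string_matches(data: bytes, pattern: bytes, fullword: bool) -> bool:
    """Emulate a YARA plain `ascii` string, optionally with `fullword`."""
    if not fullword:
        return pattern in data
    # fullword: the hit may not be immediately preceded or followed by an
    # alphanumeric character, so "...Transfer Shellx" does not satisfy $s4.
    regex = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(regex, data) is not None

def evaluate_rule(data: bytes) -> dict:
    """Return which strings hit and whether the rule's condition is satisfied."""
    hits = [name for name, (pat, fw) in RULE_STRINGS.items()
            if string_matches(data, pat, fw)]
    # uint16(0) is read little-endian, so 0x2123 is the byte pair 0x23 0x21 ("#!").
    shebang = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x2123
    under_100kb = len(data) < 100 * 1024          # YARA's KB is 1024 bytes
    matched = bool((shebang and under_100kb and len(hits) >= 1) or len(hits) >= 2)
    return {"match": matched, "hits": hits, "shebang": shebang, "size": len(data)}

# Constructed fixtures (assumptions, not real samples): a shebang script carrying one
# banner string, the same text without the shebang, a non-script file with two
# strings, and a shebang script where the banner fails the fullword test.
SCRIPT_WITH_BANNER = b"#!/bin/sh\n# ftshell -- File Transfer Shell\necho test\n"
NO_SHEBANG_ONE_STRING = b"echo test\n# ftshell -- File Transfer Shell\n"
TWO_STRINGS_NO_SHEBANG = (b"log: system rm -f /current/tmp/ftshell.latest\n"
                          b"log: # ftshell -- File Transfer Shell\n")
FULLWORD_MISS = b"#!/bin/sh\n# ftshell -- File Transfer Shellx\n"

if __name__ == "__main__":
    for label, blob in [("script + banner", SCRIPT_WITH_BANNER),
                        ("no shebang, 1 string", NO_SHEBANG_ONE_STRING),
                        ("2 strings, no shebang", TWO_STRINGS_NO_SHEBANG),
                        ("fullword miss", FULLWORD_MISS)]:
        print(f"{label:22s} -> {evaluate_rule(blob)}")
```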
This rule contains 4 string patterns in its detection logic. The following scenarios describe benign activity that could trigger it, each with a suggested filter or exclusion:
Scenario: Legitimate use of ftshell for remote administration
Description: A system administrator uses the ftshell tool (a legitimate remote administration tool) to manage remote servers.
Filter/Exclusion: Exclude processes where the command line includes -t or -s flags, or where the user is a domain admin with known administrative tasks.

Scenario: Scheduled job running ftshell.v3.10.3.7 for log collection
Description: A scheduled task runs ftshell.v3.10.3.7 to collect logs from multiple servers as part of a centralized logging solution.
Filter/Exclusion: Exclude processes where the parent process is a known task scheduler service (e.g., schtasks.exe) and the command line includes log collection parameters.

Scenario: Security tool using ftshell for network scanning
Description: A network security tool (e.g., Nmap or Wireshark) uses ftshell as part of its internal toolset for network discovery.
Filter/Exclusion: Exclude processes where the parent process is a known security tool or where the command line includes network scanning flags.

Scenario: Software update process using ftshell for deployment
Description: A software update process uses ftshell to deploy patches or configuration changes across a fleet of servers.
Filter/Exclusion: Exclude processes where the command line includes update-related parameters or where the user is part of a known update management team.

Scenario: Internal development testing with ftshell
Description: A development team uses ftshell in a test environment to simulate remote access for testing purposes.
Filter/Exclusion: Exclude processes where the execution path is within a known development directory or where the user is a member of the development team.