funnelout.v4.1.0.1.pl is a Perl script from the Equation Group toolset that the ShadowBrokers published in their "Don't Forget Your Base" release (the reference in the rule below). The strings the rule keys on are consistent with a tool that works against a web forum installation: bbsessionhash is the session cookie name used by vBulletin, and the script carries a (commented-out) check that a named user exists in the database. A copy of this file on a server, in a web root or upload directory, or on an administrator workstation should be treated as attacker tooling rather than as a generic "arbitrary code execution" indicator. Because this is a YARA rule, it is evaluated over files by the yara CLI, a YARA-capable EDR or a file scanner; Azure Sentinel does not run YARA itself but can ingest the scanner's hits as alerts. SOC teams should proactively scan the file systems of internet-facing hosts with it and triage every hit as potential advanced persistent threat (APT) activity, with lateral movement and data theft as the risks to contain.
YARA Rule
rule EquationGroup__funnelout_v4_1_0_1 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash2 = "457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33"
    strings:
        $s1 = "header(\"Set-Cookie: bbsessionhash=\" . \\$hash . \"; path=/; HttpOnly\");" fullword ascii
        $s2 = "if ($code =~ /proxyhost/) {" fullword ascii
        $s3 = "\\$rk[1] = \\$rk[1] - 1;" fullword ascii
        $s4 = "#existsUser($u) or die \"User '$u' does not exist in database.\\n\";" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )
}
This YARA rule is a file-content signature: deploy it with the yara CLI, a YARA-capable EDR or a file scanner over web roots, upload and temp directories, home directories, mail attachment and quarantine stores, and forward hits to the SIEM for triage. It is not a process or command-line rule, so any exclusion has to be expressed as a file path, file hash or scan scope.
This rule contains 4 string patterns ($s1 to $s4) in its detection logic. The header test uint16(0) == 0x2123 reads the first two bytes little-endian, so it matches the "#!" of a shebang line, which fits a Perl script; together with filesize < 100KB and 2 of them it forms the primary branch, while the all of them branch still fires on a copy whose shebang has been stripped or whose size has been padded past the cap.
Scenario: Malware Analysis Environment
Description: A malware analysis lab or research team keeps copies of the ShadowBrokers release, including funnelout.v4.1.0.1.pl, in a sample store or opens them on analysis VMs.
Filter/Exclusion: Exclude by scan scope (the sample store, the analysis VM images) or by the file hash recorded in the rule's hash2 field. Do not exclude on virtualization indicators such as vmtoolsd.exe or VirtualBox artifacts: the rule matches file content, and production servers are virtualized too.
Scenario: Forensic Analysis and Evidence Storage
Description: An incident responder collects disk images or file sets from a compromised host, and the script shows up in the case's evidence repository.
Filter/Exclusion: Route hits from evidence paths to the case team as findings rather than as new alerts. Do not suppress on the analyst's user account or privilege level, and do not rely on command-line flags: the rule never sees how, or whether, the file was executed.
Scenario: Detection Testing Corpus
Description: Detection engineers retain the sample, or fixtures containing its strings, to confirm the rule still fires after scanner or signature updates.
Filter/Exclusion: Exclude the corpus path and verify the file hash before allowlisting, so that a path exclusion cannot hide a genuine deployment of the tool elsewhere on the host.
Scenario: Hit on a Production or Legacy Server
Description: The script is found in a web root, upload directory, cron job, scheduled task or maintenance script on a server, including an outdated system that nobody actively maintains.
Filter/Exclusion: None. There is no legitimate administrative, network-monitoring or data-migration use of this tool, and because it is a Perl script, process-based exclusions (parent process, command-line parameters, scheduled-task origin) say nothing about whether a copy of the file is benign. Treat the hit as a presumed compromise and start incident response.
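The following Python re-implements the rule's condition and the hash-and-path scoping that the scenarios above call for, so both can be exercised without a yara binary. It is an added example, not code from this page, from Florian Roth's rule set or from any YARA engine; it models only the YARA features this rule uses (ascii strings, fullword, uint16(0), filesize, N of them). The fixtures are constructed and are not the real script, and the lab paths /srv/malware-lab/ and /cases/ are hypothetical. The byte strings are the literal bytes the rule's escaped $s strings decode to.

```python
"""
Plain-Python model of EquationGroup__funnelout_v4_1_0_1 plus hit triage.
Added example: not the rule author's code and not a YARA engine.
"""
import hashlib
import re
import struct

# The rule's $s1..$s4 as the exact bytes YARA searches for: in a YARA string
# \" is a literal double quote and \\ is a literal backslash.
FUNNELOUT_STRINGS = {
    "s1": b'header("Set-Cookie: bbsessionhash=" . \\$hash . "; path=/; HttpOnly");',
    "s2": b"if ($code =~ /proxyhost/) {",
    "s3": b"\\$rk[1] = \\$rk[1] - 1;",
    "s4": b'#existsUser($u) or die "User \'$u\' does not exist in database.\\n";',
}
MAX_SIZE = 100 * 1024  # filesize < 100KB
KNOWN_SHA256 = "457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33"  # the rule's hash2


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> set:
    """Names of the $s strings present in data, honouring fullword."""
    return {name for name, s in FUNNELOUT_STRINGS.items() if fullword_match(data, s)}


def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )"""
    hits = matched_strings(data)
    # uint16(0) is little-endian, so 0x2123 means bytes 0x23 0x21: the "#!" of a shebang line.
    shebang = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x2123
    primary = shebang and len(data) < MAX_SIZE and len(hits) >= 2
    return primary or len(hits) == len(FUNNELOUT_STRINGS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(path: str, data: bytes, lab_prefixes=("/srv/malware-lab/", "/cases/"),
           known_hashes=(KNOWN_SHA256,)) -> str:
    """Classify a hit by hash or scan scope, never by process or command line.
    lab_prefixes are hypothetical paths for an analysis store / evidence repository.
    Returns 'none', 'known-sample', 'lab-scope' or 'alert'."""
    if not rule_matches(data):
        return "none"
    if sha256_hex(data) in known_hashes:
        return "known-sample"   # the exact leaked file, e.g. in a signature test corpus
    if any(path.startswith(p) for p in lab_prefixes):
        return "lab-scope"      # analysis VM or evidence store: report, do not page
    return "alert"              # anywhere else: treat as attacker tooling


# Constructed fixtures (not the real tool): a shebang script carrying two of the
# strings, the same body without its header, one with all four strings and no
# header, one padded past the filesize cap, and an unrelated Perl script.
SAMPLE_TWO_STRINGS = (
    b"#!/usr/bin/perl\n"
    b"# constructed test fixture, not funnelout\n"
    b"if ($code =~ /proxyhost/) {\n"
    b"    \\$rk[1] = \\$rk[1] - 1;\n"
    b"}\n"
)
SAMPLE_NO_SHEBANG = SAMPLE_TWO_STRINGS.split(b"\n", 1)[1]
SAMPLE_ALL_NO_SHEBANG = SAMPLE_NO_SHEBANG + FUNNELOUT_STRINGS["s1"] + b"\n" + FUNNELOUT_STRINGS["s4"] + b"\n"
SAMPLE_OVERSIZED = SAMPLE_TWO_STRINGS + b"#" * MAX_SIZE
BENIGN_PERL = b'#!/usr/bin/perl\nuse strict;\nprint "hello\\n";\n'

if __name__ == "__main__":
    for name, data in [("two strings", SAMPLE_TWO_STRINGS), ("no shebang", SAMPLE_NO_SHEBANG),
                       ("all strings, no shebang", SAMPLE_ALL_NO_SHEBANG),
                       ("oversized", SAMPLE_OVERSIZED), ("benign perl", BENIGN_PERL)]:
        print(f"{name:24} hits={sorted(matched_strings(data))} match={rule_matches(data)}")
    print("web root hit ->", triage("/var/www/html/f.pl", SAMPLE_TWO_STRINGS))
    print("lab hit      ->", triage("/srv/malware-lab/f.pl", SAMPLE_TWO_STRINGS))
```

The "no shebang" fixture shows why the secondary branch exists: two strings without the "#!" header do not fire, but a copy carrying all four strings fires regardless of header or size. The oversized fixture shows the limit of the primary branch, which is why an analyst should not assume that padding defeats the rule only when fewer than four strings survive.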