The detection identifies potential exploitation of leaked Equation Group tools, specifically ghost_sparc and ghost_x86, which may indicate unauthorized access or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats leveraging compromised or leaked malware.
YARA Rule
```yara
rule EquationGroup__ghost_sparc_ghost_x86_3 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      super_rule = 1
      hash1 = "d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1"
      hash2 = "82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33"
   strings:
      $x1 = "Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target" fullword ascii
      $x2 = "Sending shellcode as part of an open command..." fullword ascii
      $x3 = "cmdshellcode" fullword ascii
      $x4 = "You will not be able to run the shellcode. Exiting..." fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 70KB and 1 of them ) or ( 2 of them )
}
```
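To make the condition concrete, the following added example (written for this page, not part of Florian Roth's signature-base and not a substitute for running YARA) re-implements the rule's logic in plain Python: `uint16(0) == 0x457f` is a little-endian read of the first two bytes, which is the `7f 45` start of the ELF magic; `70KB` is 70 * 1024 bytes; `fullword` requires the string to be bounded by non-alphanumeric bytes; and the two branches of the condition are evaluated separately. The sample files are constructed byte strings, not the real ghost_sparc or ghost_x86 binaries.

```python
import re
import struct

# The four `fullword ascii` strings declared in the rule above.
RULE_STRINGS = {
    "$x1": b"Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target",
    "$x2": b"Sending shellcode as part of an open command...",
    "$x3": b"cmdshellcode",
    "$x4": b"You will not be able to run the shellcode. Exiting...",
}

# uint16(0) is read little-endian, so 0x457f is the byte pair 7f 45: the start of the ELF magic "\x7fELF".
ELF_MAGIC_U16 = 0x457F
# YARA's KB suffix multiplies by 1024, so "filesize < 70KB" means fewer than 71680 bytes.
MAX_FILESIZE = 70 * 1024


def _fullword_pattern(s):
    # `fullword`: the string may not be immediately preceded or followed by an alphanumeric byte.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword_pattern(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data):
    """Names of rule strings present in `data`, honouring the fullword modifier."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def uint16_at(data, offset):
    """YARA's uint16(offset): little-endian read; None where YARA's value would be undefined."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def rule_matches(data):
    """Evaluate the rule's condition exactly as written:
    ( uint16(0) == 0x457f and filesize < 70KB and 1 of them ) or ( 2 of them )
    """
    hits = matched_strings(data)
    is_elf = uint16_at(data, 0) == ELF_MAGIC_U16
    small = len(data) < MAX_FILESIZE
    return (is_elf and small and len(hits) >= 1) or len(hits) >= 2


# Constructed samples (not real ghost_sparc/ghost_x86 files): an ELF magic prefix plus padding.
ELF_PREFIX = b"\x7fELF" + b"\x00" * 60

SAMPLES = {
    # Small ELF with one string: the first branch of the condition fires.
    "small_elf_one_string": ELF_PREFIX + b"cmdshellcode\x00",
    # Same string embedded inside a longer identifier: fullword does not match, so no hit.
    "small_elf_substring_only": ELF_PREFIX + b"xcmdshellcodey\x00",
    # Non-ELF text with one string: neither branch fires.
    "text_one_string": b"analyst note: cmdshellcode\n",
    # Non-ELF text with two strings: the second branch fires regardless of magic or size.
    "text_two_strings": b"Sending shellcode as part of an open command... cmdshellcode\n",
    # Oversized ELF (>= 70KB) with one string: too large for the first branch.
    "large_elf_one_string": ELF_PREFIX + b"\x00" * MAX_FILESIZE + b"cmdshellcode\x00",
}


def evaluate_samples():
    """Verdict per constructed sample, keyed by sample name."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:26s} -> {'MATCH' if verdict else 'no match'}  strings={matched_strings(SAMPLES[name])}")
```

The `text_two_strings` case is the one worth remembering when tuning: the second branch (`2 of them`) ignores both the ELF check and the size limit, so any file carrying two of the usage strings, such as an analyst's notes or a copied man page, will fire the rule.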
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate use of ghost_sparc or ghost_x86 by security researchers or red teams
Filter/Exclusion: Check for presence of ghost_sparc or ghost_x86 in known red team toolkits or security research directories (e.g., C:\Tools\RedTeam, C:\SecurityResearch). Exclude processes initiated from such directories.
Scenario: Scheduled job running ghost_sparc or ghost_x86 for system diagnostics or maintenance
Filter/Exclusion: Filter out processes associated with scheduled tasks (e.g., schtasks.exe, Task Scheduler) and check for known maintenance scripts or system health checks. Exclude processes with CommandLine containing --diagnostic or --maintenance.
Scenario: Admin task using ghost_sparc or ghost_x86 for forensic analysis or incident response
Filter/Exclusion: Exclude processes initiated by privileged users (e.g., Administrator, Domain Admins) that are part of a known incident response toolkit (e.g., C:\Tools\IncidentResponse). Check for presence of --forensic or --ir flags in command lines.
Scenario: Malware analysis environment executing ghost_sparc or ghost_x86 for testing purposes
Filter/Exclusion: Exclude processes running in a sandboxed or virtualized environment (e.g., C:\Sandbox, C:\VMs). Check for presence of --test, --sandbox, or --analysis flags in command lines.
Scenario: Legacy system compatibility tool using ghost_sparc or ghost_x86 for older hardware support
Filter/Exclusion: Exclude processes running on older operating systems (e.g., Windows Server 200
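The directory and command-line exclusions listed in the scenarios above can be applied as a triage step on YARA hits before they reach an analyst. The following added example (written for this page, not part of any product or of the rule author's work) does that in Python: it takes a constructed hit record (rule name, file path, command line), suppresses hits whose file lies under one of the inventoried directories named above, and downgrades rather than closes hits whose only benign indicator is a self-declared flag such as `--maintenance`, since any process can add such a flag. Paths are compared component by component with `PureWindowsPath` (the scenarios give Windows paths), which avoids the classic prefix mistake where `C:\Tools\RedTeamX` would be accepted as being under `C:\Tools\RedTeam`. The directory list and hit records are constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Allowlisted directories and flags from the scenarios above. In a real deployment these
# would come from the organisation's own inventory; the values here are the page's examples.
EXCLUDED_DIRS = [
    r"C:\Tools\RedTeam",
    r"C:\SecurityResearch",
    r"C:\Tools\IncidentResponse",
    r"C:\Sandbox",
    r"C:\VMs",
]
REVIEW_FLAGS = {"--diagnostic", "--maintenance", "--forensic", "--ir", "--test", "--sandbox", "--analysis"}
RULE_NAME = "EquationGroup__ghost_sparc_ghost_x86_3"


@dataclass
class YaraHit:
    rule: str
    path: str
    command_line: str = ""


def under_dir(path, base):
    """True if `path` lies strictly inside directory `base`, comparing whole path
    components case-insensitively (Windows paths are case-insensitive)."""
    # A plain string prefix test would also accept C:\Tools\RedTeamX, a different directory.
    parts = [c.lower() for c in PureWindowsPath(path).parts]
    base_parts = [c.lower() for c in PureWindowsPath(base).parts]
    return len(parts) > len(base_parts) and parts[: len(base_parts)] == base_parts


def has_review_flag(command_line):
    """True if any command-line token is one of the benign-use flags from the scenarios."""
    tokens = [t.strip("\"'").lower() for t in command_line.split()]
    return any(t in REVIEW_FLAGS for t in tokens)


def classify(hit):
    """Return (disposition, reason).
    suppress: file sits in an inventoried toolkit or analysis directory.
    review:   only a self-declared flag argues for benign use; it lowers priority but does not close the alert.
    escalate: nothing on the allowlist applies, or the hit is from a rule this filter does not cover."""
    if hit.rule != RULE_NAME:
        return ("escalate", "rule not covered by this filter")
    for base in EXCLUDED_DIRS:
        if under_dir(hit.path, base):
            return ("suppress", f"located under inventoried directory {base}")
    if has_review_flag(hit.command_line):
        return ("review", "benign-use flag on command line only")
    return ("escalate", "no exclusion applies")


# Constructed hits for the walk-through (not real telemetry).
SAMPLE_HITS = [
    YaraHit(RULE_NAME, r"C:\Tools\RedTeam\ghost_x86"),
    YaraHit(RULE_NAME, r"C:\Tools\RedTeamX\ghost_x86"),
    YaraHit(RULE_NAME, r"C:\Users\bob\Downloads\ghost_sparc", "ghost_sparc --maintenance"),
    YaraHit(RULE_NAME, r"D:\share\ghost_x86"),
    YaraHit("SomeOtherRule", r"C:\Sandbox\sample.bin"),
]


def triage(hits):
    """Disposition per hit, keyed by file path."""
    return {h.path: classify(h)[0] for h in hits}


if __name__ == "__main__":
    for h in SAMPLE_HITS:
        disposition, reason = classify(h)
        print(f"{disposition:8s} {h.path}  ({reason})")
```

Keep the allowlist short and inventoried: every directory added here is a place where a file matching this rule will never be surfaced, so the list should be reviewed with the same care as any other detection exception.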