The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced threats before they escalate.
YARA Rule
rule EquationGroup_gr {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "d3cd725affd31fa7f0e2595f4d76b09629918612ef0d0307bb85ade1c3985262"
    strings:
        $s1 = "if [ -f /tmp/tmpwatch ] ; then" fullword ascii
        $s2 = "echo \"bailing. try a different name\"" fullword ascii
    condition:
        ( filesize < 1KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
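To make the rule's two conditions concrete, the following added example (not from the page's author or from the YARA project) re-implements the condition `filesize < 1KB and all of them` in plain Python, including YARA's `fullword` semantics, and runs it over three constructed inputs: a match, a near-miss where $s1 is glued to an alphanumeric prefix, and a padded copy that exceeds 1KB. The sample inputs are constructed for illustration and are not real tool-set files; a production scan would use yara-python against the rule itself.

```python
import re

# The two strings from the YARA rule on the page, exactly as written there.
RULE_STRINGS = {
    "$s1": 'if [ -f /tmp/tmpwatch ] ; then',
    "$s2": 'echo "bailing. try a different name"',
}
MAX_SIZE = 1 * 1024  # YARA's "1KB" is 1024 bytes; the condition is filesize < 1KB


def fullword_match(pattern: bytes, data: bytes) -> bool:
    """YARA 'fullword' semantics: the match must not be immediately preceded
    or followed by an alphanumeric character ([A-Za-z0-9])."""
    rx = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(rx, data) is not None


def equationgroup_gr_matches(data: bytes) -> dict:
    """Evaluate the rule condition ( filesize < 1KB and all of them ).
    Returns per-string hits plus the overall verdict, which is what an
    analyst wants when triaging why a file did or did not fire."""
    hits = {name: fullword_match(s.encode("ascii"), data)
            for name, s in RULE_STRINGS.items()}
    return {
        "filesize": len(data),
        "hits": hits,
        "match": len(data) < MAX_SIZE and all(hits.values()),
    }


# Constructed sample (not a real file): a tiny shell script with both strings.
SAMPLE_HIT = b"""#!/bin/sh
if [ -f /tmp/tmpwatch ] ; then
  echo "bailing. try a different name"
  exit 1
fi
"""

# Constructed near-miss: $s1 is preceded by 'x', so 'fullword' rejects it.
SAMPLE_FULLWORD_MISS = (b'xif [ -f /tmp/tmpwatch ] ; then\n'
                        b'echo "bailing. try a different name"\n')

# Constructed oversize case: both strings present, but padded past 1KB.
SAMPLE_TOO_BIG = SAMPLE_HIT + b"#" * 1024 + b"\n"

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT),
                        ("fullword miss", SAMPLE_FULLWORD_MISS),
                        ("too big", SAMPLE_TOO_BIG)]:
        print(label, equationgroup_gr_matches(blob))
```

The size bound means a copy of the script padded with comments or appended to a larger file will not fire, so the rule should be read as a high-confidence indicator for the unmodified artifact rather than a generic detection.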
Scenario: Legitimate system maintenance using msiexec.exe
Description: A system administrator is performing a scheduled maintenance task using msiexec.exe to install a legitimate software update.
Filter/Exclusion: Check the command-line arguments for msiexec.exe and exclude tasks associated with known enterprise update mechanisms (e.g., Microsoft Update, SCCM).
Scenario: Scheduled backup job using vssadmin.exe
Description: A backup job is running via vssadmin.exe to create a shadow copy for data backup purposes.
Filter/Exclusion: Exclude processes initiated by backup services (e.g., VSS, Backup Exec, or Azure Backup) and filter by known backup-related command-line arguments.
Scenario: Admin task using taskhost.exe
Description: A system administrator is using taskhost.exe to run a scheduled task that performs routine system diagnostics or log cleanup.
Filter/Exclusion: Exclude tasks that are associated with known administrative tools or scheduled tasks managed by the Task Scheduler with known benign command-line parameters.
Scenario: PowerShell script execution for patch management
Description: A PowerShell script is being executed by a patch management tool to apply updates, which may trigger the detection logic due to similar process names or behavior.
Filter/Exclusion: Exclude processes initiated by known patch management tools (e.g., Microsoft Endpoint Manager, SCCM, or WSUS) and filter based on script signing or execution context.
Scenario: Legitimate use of cmd.exe for script execution
Description: A system administrator is running a batch script via cmd.exe to automate routine system configuration tasks.
Filter/Exclusion: Exclude processes where cmd.exe is used with known administrative scripts or where the script path is within a trusted enterprise directory (e.g.,