The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced threats before they cause significant damage.
YARA Rule
rule EquationGroup_gr_dev_bin_now {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "f5ed8312fc6e624b04e1e2d6614f3c651c9e9902ff41f4d069c32caca0869fa4"
    strings:
        $x1 = "HTTP_REFERER=\"https://127.0.0.1:6655/cgi/redmin?op=cron&action=once\"" fullword ascii
        $x2 = "exec /usr/share/redmin/cgi/redmin" fullword ascii
    condition:
        ( filesize < 1KB and 1 of them )
}
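To make the rule's semantics concrete before deploying it, the following added Python example (not part of the original page and not the rule author's code) re-implements the condition in plain Python: the two ASCII strings, YARA's "fullword" requirement that a match is not glued to an adjacent alphanumeric byte, and the filesize guard (YARA's 1KB is 1024 bytes). The sample byte strings are constructed for illustration and show a true hit, a glued token that fullword rejects, an oversized file the size guard rejects, and a benign file.

```python
# Added example: pure-Python evaluation of the EquationGroup_gr_dev_bin_now logic.
# The strings and the size bound are copied from the YARA rule above.

RULE_STRINGS = {
    "$x1": b'HTTP_REFERER="https://127.0.0.1:6655/cgi/redmin?op=cron&action=once"',
    "$x2": b"exec /usr/share/redmin/cgi/redmin",
}
MAX_FILESIZE = 1024  # "filesize < 1KB": YARA's KB suffix means 1024 bytes

# YARA's "fullword" treats ASCII letters and digits as word bytes.
ALNUM = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Return offsets where needle occurs as a fullword ascii match:
    not immediately preceded or followed by an alphanumeric byte."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            break
        end = i + len(needle)
        before_ok = i == 0 or data[i - 1] not in ALNUM
        after_ok = end == len(data) or data[end] not in ALNUM
        if before_ok and after_ok:
            hits.append(i)
        start = i + 1
    return hits


def evaluate_rule(data: bytes):
    """Mirror the rule's condition: filesize < 1KB and 1 of ($x1, $x2).

    Returns (matched, {string_id: [offsets]}) so an analyst can see which
    string fired and where, even when the size guard suppresses the match."""
    matches = {sid: fullword_offsets(data, s) for sid, s in RULE_STRINGS.items()}
    matches = {sid: offs for sid, offs in matches.items() if offs}
    size_ok = len(data) < MAX_FILESIZE
    return (size_ok and bool(matches)), matches


# Constructed samples (not real files) exercising each branch of the condition.
SAMPLES = {
    # $x2 present as a standalone token in a tiny script-like file -> hit
    "small_with_x2": b"#!/bin/sh\nexec /usr/share/redmin/cgi/redmin\n",
    # same bytes, but the string is glued to a preceding word -> fullword rejects it
    "glued_token": b"#!/bin/sh\nnoexec /usr/share/redmin/cgi/redmin\n",
    # $x2 present, but the file is padded past 1KB -> filesize guard rejects it
    "too_large": b"# " + b"A" * 1100 + b"\nexec /usr/share/redmin/cgi/redmin\n",
    # neither string present -> no match
    "benign": b"#!/bin/sh\necho hello\n",
}


def scan_samples() -> dict:
    """Evaluate every constructed sample; returns {name: matched}."""
    return {name: evaluate_rule(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        matched, detail = evaluate_rule(data)
        print(f"{name:15s} size={len(data):5d} matched={matched} strings={detail}")
```

The "glued_token" and "too_large" cases are the ones worth remembering operationally: a file that contains the exact bytes can still be a non-match under this rule, so a hunt that greps only for the strings will produce hits the YARA rule itself would not. If yara-python is installed, the same samples can be cross-checked with yara.compile(source=...) and rules.match(data=...).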
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup, log rotation).
Filter/Exclusion: Check for CommandLine containing "schtasks.exe /create" or "schtasks.exe /run" with known maintenance task names (e.g., DiskCleanup, LogClean).
Scenario: Administrative Tool Usage
Description: An admin using PsExec.exe to remotely execute commands on a managed server for troubleshooting or patching.
Filter/Exclusion: Filter by ProcessName containing PsExec.exe and check for CommandLine with valid admin tasks (e.g., psexec \\server -u admin -p password cmd).
Scenario: Antivirus or Security Software Update
Description: A legitimate update process for an enterprise antivirus or endpoint protection solution using msiexec.exe or setup.exe.
Filter/Exclusion: Filter by ProcessName containing msiexec.exe or setup.exe and check for known vendor update paths (e.g., C:\Program Files\EndpointProtection\update.msi).
Scenario: Database Backup Job
Description: A SQL Server backup job using sqlcmd.exe or sqlbackup.exe to perform routine backups.
Filter/Exclusion: Filter by ProcessName containing sqlcmd.exe or sqlbackup.exe and check for backup-related command lines (e.g., sqlcmd -S server -d database -Q "BACKUP DATABASE").
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script (powershell.exe) used by the IT team to monitor system performance or collect logs.
Filter/Exclusion: Filter by `Process