Equation Group hack tool leaked by ShadowBrokers- file jparsescan

Hunt Hypothesis

The hunt hypothesis detects potential adversary use of the leaked Equation Group tool jparsescan to parse and exfiltrate data from targeted systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of advanced persistent threats leveraging known malware artifacts.

YARA Rule

rule EquationGroup_jparsescan {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
   strings:
      $s1 = "Usage:  $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
      $s2 = "$gotsunos = ($line =~ /program version netid     address             service         owner/ );" fullword ascii
   condition:
      ( filesize < 40KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Legitimate use of jparsescan by security tools
  Description: Security tools or malware analysis platforms may use jparsescan as part of their analysis of malicious files or payloads.
  Filter/Exclusion: Check for process parent process or command line arguments that indicate analysis tools (e.g., Process Explorer, Procmon, Wireshark, or sandbox environments). Use a filter like:

  (process.parent_process_name == "procmon.exe" OR process.parent_process_name == "wireshark.exe")

• Scenario: Scheduled system maintenance task using jparsescan
  Description: Some enterprise systems may schedule tasks that use jparsescan for parsing or scanning system files during maintenance windows.
  Filter/Exclusion: Filter by process creation time or task scheduler context. Use a filter like:

  (process.start_time BETWEEN "08:00:00" AND "10:00:00" AND process.command_line CONTAINS "scheduled_task")

• Scenario: Legitimate file parsing by system services
  Description: System services or background processes may use jparsescan to parse configuration files or logs.
  Filter/Exclusion: Filter by process owner or service name. Use a filter like:

  (process.owner == "SYSTEM" OR process.service_name == "eventlog")

• Scenario: Use of jparsescan by legitimate forensic tools
  Description: Forensic tools or incident response platforms may invoke jparsescan to analyze artifacts during investigations.
  Filter/Exclusion: Check for presence of known forensic tools in the command line or parent process. Use a filter like: