This detection identifies files matching the leaked Equation Group tools jparsescan and parsescan, whose presence may indicate an adversary using tooling associated with advanced persistent threat techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated cyber adversaries.
YARA Rule
rule EquationGroup__jparsescan_parsescan_5 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      super_rule = 1
      hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
      hash2 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
   strings:
      // fullword: a hit is only counted when the match is not flanked by alphanumeric characters
      $s1 = "# default is to dump out all scanned hosts found" fullword ascii
      $s2 = "$bool .= \" -r \" if (/mibiisa.* -r/);" fullword ascii
      $s3 = "sadmind is available on two ports, this also works)" fullword ascii
      $s4 = "-x IP gives \\\"hostname:# users:load ...\\\" if positive xwin scan" fullword ascii
   condition:
      // uint16(0) reads the first two bytes little-endian, so 0x2123 is the bytes 0x23 0x21 = "#!" (script shebang).
      // A small script with the shebang needs one string; any other file needs two.
      ( uint16(0) == 0x2123 and filesize < 40KB and 1 of them ) or ( 2 of them )
}
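To make the condition concrete, here is an added Python re-implementation of this rule's matching logic (not part of the original page and not the rule author's code), run over constructed sample buffers that exercise the shebang check, the 40KB size cap, the fullword semantics and the two-string fallback.

```python
import re

# The four strings exactly as they appear in the YARA rule above. YARA's "\\\""
# escape sequence denotes the two characters \" in the scanned file.
STRINGS = {
    "s1": '# default is to dump out all scanned hosts found',
    "s2": '$bool .= " -r " if (/mibiisa.* -r/);',
    "s3": 'sadmind is available on two ports, this also works)',
    "s4": '-x IP gives \\"hostname:# users:load ...\\" if positive xwin scan',
}


def fullword_found(data: bytes, s: str) -> bool:
    """YARA 'fullword': the match may not be preceded or followed by an alphanumeric."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(s.encode("ascii")) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None


def matches(data: bytes) -> bool:
    """Evaluate: ( uint16(0) == 0x2123 and filesize < 40KB and 1 of them ) or ( 2 of them )."""
    # uint16(0) is little-endian, so 0x2123 means bytes 0x23 0x21, i.e. a "#!" shebang.
    shebang = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x2123
    hits = sum(fullword_found(data, s) for s in STRINGS.values())  # "N of them"
    return (shebang and len(data) < 40 * 1024 and hits >= 1) or hits >= 2


# Constructed sample buffers (not real files from the leak).
S1, S2, S3 = (STRINGS[k].encode("ascii") for k in ("s1", "s2", "s3"))
SAMPLES = {
    "perl_script_one_string": b"#!/usr/bin/perl\n" + S1 + b"\n",          # shebang + 1 hit
    "text_one_string": b"notes:\n" + S1 + b"\n",                           # no shebang, 1 hit
    "text_two_strings": b"notes:\n" + S1 + b"\n" + S2 + b"\n",             # no shebang, 2 hits
    "oversized_script": b"#!/usr/bin/perl\n" + b"#" * 41000 + b"\n" + S1,  # shebang but >= 40KB
    "not_fullword": b"#!/bin/sh\nx" + S3 + b"\n",                          # 'x' glued to the match
}


def evaluate_samples() -> dict:
    """Return {sample name: rule verdict} for every constructed buffer."""
    return {name: matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {'MATCH' if verdict else 'no match'}")
```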
This rule contains four string patterns in its detection logic. The scenarios below describe contexts in which it may fire on legitimate activity, each with a suggested filter or exclusion.
Scenario: Legitimate use of jparsescan or parsescan for parsing network traffic logs
Filter/Exclusion: Check for presence of log files in known log directories (e.g., /var/log/, /opt/logs/) and filter by file extensions like .log, .txt, or .csv.
Suggested Filter: file.name IN ("*.log", "*.txt", "*.csv")
Scenario: Scheduled job running parsescan to analyze system performance metrics
Filter/Exclusion: Identify processes associated with scheduled tasks (e.g., via crontab, at, or task scheduler) and filter by user or process name.
Suggested Filter: (process.name == "parsescan" AND user.name == "system") OR process.name == "scheduled_task"
Scenario: Security tool or SIEM system using jparsescan for data normalization
Filter/Exclusion: Filter by process parent or command line arguments that indicate integration with a security tool (e.g., splunk, logstash, siem).
Suggested Filter: process.parent.name IN ("splunk", "logstash", "siem")
Scenario: Administrative task using parsescan to parse configuration files
Filter/Exclusion: Filter by file paths that are known configuration directories (e.g., /etc/, /usr/local/etc/) and check for known config file extensions.
Suggested Filter: file.path IN ("/etc/", "/usr/local/etc/") AND file.name IN ("*.conf", "*.cfg", "*.ini")
Scenario: Legacy system maintenance using jparsescan to parse old data formats
Filter/Exclusion: Filter by older timestamps or file creation dates, and check for