The Equation Group hack tool set (leaked by the Shadow Brokers; see the reference in the rule below) is associated with advanced persistent threat activity, so a file matching this rule points to sophisticated tooling or espionage activity rather than commodity malware. The rule targets one Linux ELF binary from that set, the tool named exactchange, which judging by its strings is an exploit that probes for a vulnerable socket. SOC teams should scan endpoints, file shares and forensic triage collections with it and forward hits to Azure Sentinel (now Microsoft Sentinel) so that possible long-term compromise is investigated before it escalates.
YARA Rule
rule EquationGroup_linux_exactchange {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      super_rule = 1
      hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
      hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
      hash3 = "39d4f83c7e64f5b89df9851bdba917cf73a3449920a6925b6cd379f2fdec2a8b"
      hash4 = "15e12c1c27304e4a68a268e392be4972f7c6edf3d4d387e5b7d2ed77a5b43c2c"
   strings:
      $x1 = "[+] looking for vulnerable socket" fullword ascii
      $x2 = "can't use 32-bit exploit on 64-bit target" fullword ascii
      $x3 = "[+] %s socket ready, exploiting..." fullword ascii
      $x4 = "[!] nothing looks vulnerable, trying everything" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 2000KB and 1 of them )
}
The rule is purely file-based, so it can run anywhere files can be scanned with YARA: endpoint agents, mail and file gateways, sandboxes, and forensic triage tooling. Its condition has three parts: the first two bytes must be the ELF magic (uint16(0) == 0x457f is "\x7fELF" read as a little-endian 16-bit value), the file must be smaller than 2000 KB, and at least one of the four fullword ASCII strings must be present. Because a single string is enough to match, those four strings are the whole of the detection logic; the ELF check and the size bound mainly keep scan cost down and prevent hits on text files or logs that merely quote the strings.
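To make the condition concrete, the following is an added example (not part of the original page, and not code from Florian Roth's rule set) that re-implements the rule's matching logic in plain Python: the little-endian ELF magic test, the 2000 KB bound, and YARA's fullword semantics (the string may not be directly preceded or followed by an alphanumeric byte). The sample buffers are constructed, not real samples, and exist only to show which of the three checks rejects each case.

```python
# Added example: pure-Python re-implementation of the condition of
# EquationGroup_linux_exactchange. Not the page's or signature-base's code.
import struct

# The rule's four 'fullword ascii' strings, keyed by their YARA identifiers.
RULE_STRINGS = {
    "$x1": b"[+] looking for vulnerable socket",
    "$x2": b"can't use 32-bit exploit on 64-bit target",
    "$x3": b"[+] %s socket ready, exploiting...",
    "$x4": b"[!] nothing looks vulnerable, trying everything",
}
MAX_FILESIZE = 2000 * 1024   # 'filesize < 2000KB'; YARA's KB is 1024 bytes
ELF_MAGIC_U16 = 0x457F       # uint16(0) of b"\x7fELF" read little-endian


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be preceded or followed by an
    alphanumeric byte. Buffer boundaries count as delimiters."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1          # keep looking for a properly delimited copy


def evaluate_rule(data: bytes):
    """Return (matched, ids_of_matching_strings) for the condition
    'uint16(0) == 0x457f and filesize < 2000KB and 1 of them'."""
    hits = [name for name, s in RULE_STRINGS.items() if fullword_matches(data, s)]
    if len(data) < 2:            # uint16(0) is undefined on a sub-2-byte file
        return False, hits
    magic_ok = struct.unpack_from("<H", data, 0)[0] == ELF_MAGIC_U16
    size_ok = len(data) < MAX_FILESIZE
    return magic_ok and size_ok and len(hits) >= 1, hits


# Constructed sample buffers (not real samples): a minimal ELF-like header,
# padding, and one rule string; plus three negative cases, one per check.
_ELF_HDR = b"\x7fELF" + b"\x00" * 60
SAMPLE_ELF_HIT = _ELF_HDR + RULE_STRINGS["$x1"] + b"\x00"
SAMPLE_PE_HIT = b"MZ" + b"\x00" * 62 + RULE_STRINGS["$x1"] + b"\x00"    # wrong magic
SAMPLE_ELF_NOT_FULLWORD = _ELF_HDR + b"x" + RULE_STRINGS["$x1"] + b"x"  # alnum on both sides
SAMPLE_ELF_TOO_BIG = SAMPLE_ELF_HIT + b"\x00" * (MAX_FILESIZE - len(SAMPLE_ELF_HIT))


if __name__ == "__main__":
    for name in ("SAMPLE_ELF_HIT", "SAMPLE_PE_HIT",
                 "SAMPLE_ELF_NOT_FULLWORD", "SAMPLE_ELF_TOO_BIG"):
        matched, ids = evaluate_rule(globals()[name])
        print(f"{name:24s} matched={matched} strings={ids}")
```

Note that the PE and oversized buffers still report $x1 as present: the strings match, and only the header or size clause vetoes the rule. That is the behaviour to expect when a copy of the tool has been wrapped, padded or embedded in another container, and it is why hunting on the strings alone (without the ELF and size clauses) is a reasonable, if noisier, secondary query.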
Because the rule inspects file content (ELF header, size and strings) and not process execution, it cannot be tuned with Windows process or command-line exclusions; filters on msiexec.exe, reg.exe or taskkill.exe invocations have no bearing on an ELF binary scanned on disk. The false-positive sources that do apply are the following.
Scenario: Security research or threat-intelligence archives holding the leaked tool set
Description: Analysts and detection engineers keep copies of the Shadow Brokers leak referenced by the rule for research and rule testing, so the rule fires on those copies exactly as it would on a live sample.
Filter/Exclusion: Exclude the known research or sample-archive directories by path, or exclude the specific known samples by SHA-256 (the four hashes listed in the rule's meta section are a starting point), and treat hits outside those locations as genuine.
Scenario: Antivirus quarantine or sandbox storage
Description: Files that EDR or AV has already detected and quarantined, or that were submitted to an internal sandbox, remain on disk and still match the rule.
Filter/Exclusion: Exclude quarantine and sandbox artifact directories from routine scans, or mark hits there as informational and correlate them with the original detection rather than opening a new incident.
Scenario: Backups and disk images of a previously compromised host
Description: A backup or forensic image taken from a host that was compromised in the past still contains the tool, so a scan of backup storage reproduces an old finding.
Filter/Exclusion: Scan backup and image stores as a separate job, compare each hit against the incident record for the source host, and escalate only hits that are not already accounted for.