This YARA rule detects a file from the Equation Group toolset leaked by the ShadowBrokers, the Python client magicjack_v1.1.0.0_client-1.1.0.0.py. Its two strings are lifted from the client's own code (a remote "ls -al" command being sent, and a listen port being passed on the command line), so a hit means a copy of a known offensive tool is present on disk or in memory, not merely a file with a suspicious name. Such tooling can be used for unauthorized access or data exfiltration; SOC teams should treat a match as a pivot point and hunt in Azure Sentinel for execution of the file, its hash (hash1 below) and surrounding host activity, to identify and contain an advanced persistent threat re-using compromised tools.
YARA Rule
rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
   strings:
      $x1 = "result = self.send_command(\"ls -al %s\" % self.options.DIR)" fullword ascii
      $x2 = "cmd += \"D=-l%s \" % self.options.LISTEN_PORT" fullword ascii
   condition:
      // uint16(0) is read little-endian: 0x2123 is the bytes 0x23 0x21, i.e. a "#!" shebang
      ( uint16(0) == 0x2123 and filesize < 80KB and 1 of them )
}
This YARA rule can be deployed wherever files or process memory are scanned: endpoint YARA engines (AV/EDR), e-mail and file-upload gateways, sandbox output, and forensic triage of disk images. It is a content signature, not a process-event rule, so in a SIEM it is consumed as a scanner alert carrying the file path and hash.
The rule contains 2 string patterns in its detection logic ($x1 and $x2, both fullword ascii) and fires when the file starts with a shebang (uint16(0) == 0x2123 is "#!" read little-endian), is smaller than 80 KB, and contains at least one of the two strings. A copy of the script with the shebang line stripped, or one embedded inside a larger archive, will not match the first clause.
False Positive Scenarios
The rule matches on content, not on filename: a script that merely shares the name magicjack_v1.1.0.0_client-1.1.0.0.py will not trigger it unless it contains one of the two strings, and a copy of the leaked tool will trigger it under any name. Treat every hit as the leaked tool until the file has been reviewed. If a hit is confirmed benign, scope the exclusion to that specific file (its SHA-256, written as "<reviewed hash>" below) together with the execution context, rather than to the interpreter or parent process alone; an exclusion such as process.name != "python" would suppress every non-Python event and hide real activity. The field names below follow ECS (file.hash.sha256, process.name, process.args, process.parent.name).
Scenario: Legitimate Python Script for Internal Tooling
Description: A Python script named magicjack_v1.1.0.0_client-1.1.0.0.py is used internally by the DevOps team to automate infrastructure provisioning using Ansible. Unless the script was derived from the leaked tool it will not contain $x1 or $x2, so first confirm the hit is real by inspecting the file.
Filter/Exclusion: file.hash.sha256 == "<reviewed hash>" AND process.name contains "python" AND (process.args contains "ansible-playbook" OR process.parent.name contains "ansible")
Scenario: Scheduled Job for Log Parsing
Description: A scheduled job runs a Python script with the same name to parse and normalize log files from multiple servers.
Filter/Exclusion: file.hash.sha256 == "<reviewed hash>" AND process.name contains "python" AND (process.args contains "log_parser" OR process.parent.name contains "cron")
Scenario: Internal Security Tool for Threat Hunting
Description: The script is part of an internal security tool used by the SOC team to simulate attack scenarios and test detection rules. This is the most plausible benign hit, because a detection-testing kit may contain the leaked file itself; in that case the hash exclusion alone would also cover an attacker's copy, so restrict it further to the hosts and user accounts of the testing team.
Filter/Exclusion: file.hash.sha256 == "<reviewed hash>" AND process.name contains "python" AND (process.args contains "threat_hunting" OR process.parent.name contains "security_tool") AND host.name in (<test hosts>)
Scenario: Legacy Application with Similar Filename
Description: An older application uses a file with a similar name for configuration purposes, and the script is executed as part of its initialization.
Filter/Exclusion: file.hash.sha256 == "<reviewed hash>" AND process.name contains "python" AND (process.args contains "config_init" OR process.parent.name contains "legacy_app")
Scenario: User-Initiated Script for System Maintenance
Description: A system administrator runs the script manually to perform routine maintenance tasks, such as user account cleanup or system audit. Interactive execution from explorer or cmd.exe is exactly how an intruder would also run the tool, so this context is a weak signal and the exclusion must rely on the reviewed hash and the administrator's account.
Filter/Exclusion: file.hash.sha256 == "<reviewed hash>" AND process.name contains "python" AND process.args contains "maintenance" AND (process.parent.name contains "explorer" OR process.parent.name contains "cmd.exe") AND user.name in (<admin accounts>)