Equation Group hack tool set

Hunt Hypothesis

The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced threats before they cause significant damage.

YARA Rule

rule EquationGroup_morerats_client_addkey {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "6c67c03716d06a99f20c1044585d6bde7df43fee89f38915db0b03a42a3a9f4b"
   strings:
      $x1 = "print '  -s storebin  use storebin as the Store executable\\n'" fullword ascii
      $x2 = "os.system('%s --file=\"%s\" --wipe > /dev/null' % (storebin, b))" fullword ascii
      $x3 = "print '  -k keyfile   the key text file to inject'" fullword ascii
   condition:
      ( filesize < 20KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system components.
  Filter/Exclusion: Exclude processes associated with schtasks.exe that match known maintenance job names (e.g., CleanupTempFiles, WindowsUpdate).

• Scenario: Admin Tool for Network Configuration
  Description: Use of netsh.exe to configure network settings, such as setting up a static route or modifying firewall rules.
  Filter/Exclusion: Exclude processes where netsh.exe is used with known legitimate command-line arguments (e.g., netsh interface ip set address).

• Scenario: Log File Analysis with PowerShell
  Description: A security analyst using PowerShell (powershell.exe) to analyze log files for suspicious activity, such as parsing Event Viewer logs.
  Filter/Exclusion: Exclude processes where powershell.exe is invoked with scripts or commands related to log analysis (e.g., Get-EventLog, Get-WinEvent).

• Scenario: Software Deployment via Group Policy
  Description: A Group Policy Object (GPO) deployment using gpupdate.exe or gpresult.exe to push software updates or configuration settings to endpoints.
  Filter/Exclusion: Exclude processes initiated by gpupdate.exe or gpresult.exe during scheduled group policy refreshes.

• Scenario: Antivirus or EDR Tool Scan
  Description: A security tool like Windows Defender or CrowdStrike Falcon performing a full system scan using its own executable (e.g., MsMpEng.exe, falcon.exe).
  Filter/Exclusion: Exclude processes where the executable is known to be part of a legitimate endpoint protection product (e.g., `Ms