The Equation Group hack tool set is likely used by advanced adversaries to establish persistent access and exfiltrate data within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate data loss risks.
YARA Rule
rule EquationGroup_morerats_client_genkey {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "0ce455fb7f46e54a5db9bef85df1087ff14d2fc60a88f2becd5badb9c7fe3e89"
    strings:
        $x1 = "rsakey_txt = lo_execute('openssl genrsa 2048 2> /dev/null | openssl rsa -text 2> /dev/null')" fullword ascii
        $x2 = "client_auth = binascii.hexlify(lo_execute('openssl rand 16'))" fullword ascii
    condition:
        ( filesize < 3KB and all of them )
}
This rule contains 2 string patterns in its detection logic, and it only fires when both are present as fullword ASCII matches in a file smaller than 3KB.
When the rule is deployed, the following scenarios may produce matches that need a filter or exclusion:
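As an added example (not from the page, the rule's author, or the yara library), the following Python mirrors the rule's condition so the two checks can be seen separately: both strings must occur as fullword ASCII matches and the file must be under 3KB. The sample inputs are constructed, and the fullword semantics (only [A-Za-z0-9] count as word characters) are an assumption taken from the YARA documentation.

```python
# Added example: a plain-Python re-implementation of the rule's condition
# (not from the page, the rule author, or the yara library).
RULE_STRINGS = [
    b"rsakey_txt = lo_execute('openssl genrsa 2048 2> /dev/null | openssl rsa -text 2> /dev/null')",
    b"client_auth = binascii.hexlify(lo_execute('openssl rand 16'))",
]
MAX_SIZE = 3 * 1024  # YARA's "3KB" means 3 * 1024 bytes


def _is_alnum(b: int) -> bool:
    # Assumption from the YARA docs: fullword treats only [A-Za-z0-9] as
    # word characters, so '_' and punctuation count as delimiters.
    return bytes([b]).isalnum()


def fullword_match(pattern: bytes, data: bytes) -> bool:
    """True if pattern occurs in data with no alphanumeric byte touching it."""
    start = 0
    while (idx := data.find(pattern, start)) != -1:
        end = idx + len(pattern)
        before_ok = idx == 0 or not _is_alnum(data[idx - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = idx + 1  # keep scanning: a later occurrence may be delimited
    return False


def matches_rule(data: bytes) -> bool:
    """Mirror the condition: filesize < 3KB and all of them."""
    if len(data) >= MAX_SIZE:
        return False
    return all(fullword_match(p, data) for p in RULE_STRINGS)


# Constructed sample inputs (not real files): each probes one part of the condition.
SAMPLE_HIT = b"\n".join([b"import binascii", RULE_STRINGS[0], RULE_STRINGS[1], b""])
SAMPLE_TOO_BIG = SAMPLE_HIT + b"#" * MAX_SIZE        # size cap stops the match
SAMPLE_PARTIAL = b"x = 1\n" + RULE_STRINGS[1] + b"\n"  # "all of them" fails
SAMPLE_NOT_FULLWORD = RULE_STRINGS[0] + b"x\n" + RULE_STRINGS[1] + b"\n"  # fullword fails

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("too_big", SAMPLE_TOO_BIG),
                       ("partial", SAMPLE_PARTIAL), ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        print(f"{name:13s} size={len(blob):5d} match={matches_rule(blob)}")
```

Because of the size cap the rule is tuned for the small standalone script; a larger carrier file holding the same two lines is outside its scope, which is worth keeping in mind when triaging a non-match.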
Scenario: Legitimate system update or patching using the Equation Group toolset (e.g., EquationGroupUpdater.exe)
Filter/Exclusion: Check for execution context (e.g., ProcessStartInfo.UserName == "System" or ProcessStartInfo.Arguments.Contains("/quiet"))
Scenario: Scheduled job running the Equation Group tool for forensic analysis or data collection (e.g., EquationGroupCollector.exe)
Filter/Exclusion: Filter by ProcessStartInfo.Source == "Scheduled Tasks" or ProcessStartInfo.CommandLine.Contains("/scheduled")
Scenario: Admin performing a security audit using a tool named after the Equation Group (e.g., EquationGroupAuditTool.exe)
Filter/Exclusion: Check for ProcessStartInfo.UserName == "Administrator" and ProcessStartInfo.CommandLine.Contains("/audit")
Scenario: Legitimate enterprise tool with similar naming (e.g., EquationGroupConfig.exe) used for configuration management
Filter/Exclusion: Filter by ProcessStartInfo.CommandLine.Contains("/config") or ProcessStartInfo.Arguments.Contains("setup")
Scenario: Malicious actor using a tool with the same name as the Equation Group toolset to mimic legitimate activity
Filter/Exclusion: Check for ProcessStartInfo.CommandLine.Contains("malicious") or use a reputation-based filter to exclude known benign tools