Equation Group hack tool set

Hunt Hypothesis

The Equation Group hack tool set may indicate the presence of advanced persistent threats leveraging sophisticated, previously unknown malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term adversary activity and mitigate advanced threats before they escalate.

YARA Rule

rule EquationGroup_morerats_client_noprep {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "a5b191a8ede8297c5bba790ef95201c516d64e2898efaeb44183f8fdfad578bb"
   strings:
      $x1 = "storestr = 'echo -n \"%s\" | Store --nullterminate --file=\"%s\" --set=\"%s\"' % (nopenargs, outfile, VAR_NAME)" fullword ascii
      $x2 = "The NOPEN-args provided are injected into infile if it is a valid" fullword ascii
      $x3 = " -i                do not autokill after 5 hours" fullword ascii
   condition:
      ( filesize < 9KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Legitimate scheduled job running Equation Group tools for system diagnostics
  Filter/Exclusion: Exclude processes associated with scheduled tasks named “SystemDiagnosticCheck” or “EquationGroupMaintenance” using the process.name field.

• Scenario: Admin using Equation Group tools for forensic analysis
  Filter/Exclusion: Exclude processes initiated by users with the “ForensicAnalysis” privilege or those running under the “ForensicUser” account.

• Scenario: Automated patching tool using Equation Group binaries for compatibility
  Filter/Exclusion: Exclude processes where process.parent_process_name is “PatchManager.exe” or “SystemUpdateService.exe”.

• Scenario: Internal security team using Equation Group tools for red team exercises
  Filter/Exclusion: Exclude processes where user.name is “RedTeamUser” or “SecurityTesting” and process.command_line contains “redteam” or “exercise”.

• Scenario: Legacy system maintenance using Equation Group tools for compatibility with older OS
  Filter/Exclusion: Exclude processes running on systems with OS version less than Windows Server 2012 R2 or where process.parent_process_name is “LegacySystemManager.exe”.