The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced threats that may evade traditional detection methods.
YARA Rule
rule EquationGroup_morerats_client_Store {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "619944358bc0e1faffd652b6af0600de055c5e7f1f1d91a8051ed9adf5a5b465"
    strings:
        $s1 = "[-] Failed to mmap file: %s" fullword ascii
        $s2 = "[-] can not NULL terminate input data" fullword ascii
        $s3 = "Missing argument for `-x'." fullword ascii
        $s4 = "[!] Value has size of 0!" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 60KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic; it fires only when the file starts with the ELF magic (uint16(0) == 0x457f), is smaller than 60KB, and at least 2 of the 4 fullword ASCII strings are present.
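To show how the condition above is evaluated (ELF magic read little-endian, the 60KB size bound, and YARA's fullword semantics, where a string only counts if it is not bordered by an alphanumeric byte), here is an added Python re-implementation of the rule's logic run over constructed sample buffers. It is example code, not part of the original rule or of any YARA library; the sample byte strings are made up and are not real binaries.

```python
import re
import struct

# The four strings from the rule, matched as "fullword ascii"
RULE_STRINGS = [
    b"[-] Failed to mmap file: %s",
    b"[-] can not NULL terminate input data",
    b"Missing argument for `-x'.",
    b"[!] Value has size of 0!",
]
MAX_SIZE = 60 * 1024  # YARA's "60KB" is 60 * 1024 bytes


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the hit may not be preceded or followed by [A-Za-z0-9]."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition and return the partial results for triage."""
    # uint16(0) reads the first two bytes little-endian: 7F 45 ("\x7fE") -> 0x457F
    magic_ok = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F
    size_ok = len(data) < MAX_SIZE
    hits = [s for s in RULE_STRINGS if fullword_matches(data, s)]
    return {
        "elf": magic_ok,
        "size_ok": size_ok,
        "hits": len(hits),
        "match": magic_ok and size_ok and len(hits) >= 2,
    }


# Constructed sample inputs (not real files); strings are NUL-delimited as in a binary
ELF_TWO_STRINGS = (b"\x7fELF" + b"\x00" * 60
                   + b"[-] Failed to mmap file: %s\x00[!] Value has size of 0!\x00")
PE_TWO_STRINGS = b"MZ" + ELF_TWO_STRINGS[2:]          # same strings, not an ELF header
ELF_ONE_STRING = b"\x7fELF\x00" + b"Missing argument for `-x'.\x00"
ELF_TOO_LARGE = ELF_TWO_STRINGS + b"\x00" * MAX_SIZE   # size bound excludes it
# First string glued to an alphanumeric byte fails the fullword test, so only one hit
ELF_EMBEDDED = b"\x7fELF\x00x[-] Failed to mmap file: %s\x00[!] Value has size of 0!\x00"

if __name__ == "__main__":
    for name, blob in [("elf_two", ELF_TWO_STRINGS), ("pe_two", PE_TWO_STRINGS),
                       ("elf_one", ELF_ONE_STRING), ("elf_big", ELF_TOO_LARGE),
                       ("elf_embedded", ELF_EMBEDDED)]:
        print(name, evaluate_rule(blob))
```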
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs the schtasks.exe tool to perform system maintenance, such as disk cleanup or log rotation.
Filter/Exclusion: Exclude processes initiated by the schtasks.exe command with a known legitimate task name (e.g., CleanupTask or LogRotation).
Scenario: Admin Using PowerShell for Configuration Management
Description: An administrator uses PowerShell scripts (e.g., Invoke-Command, Set-ItemProperty) to configure system settings or deploy updates.
Filter/Exclusion: Exclude processes with the powershell.exe executable where the command line includes known administrative tools or scripts (e.g., PSConfig, Update-Configuration).
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Microsoft Defender or Bitdefender runs a full system scan using its own scanning engine.
Filter/Exclusion: Exclude processes with the mpcmdrun.exe (Microsoft Defender) or bdagent.exe (Bitdefender) executable names.
Scenario: Database Backup Job Execution
Description: A database backup job (e.g., using sqlcmd.exe or mysqldump.exe) is executed as part of a routine maintenance process.
Filter/Exclusion: Exclude processes initiated by known backup jobs (e.g., BackupJob_12345) or with command lines containing backup or restore keywords.
Scenario: User-Initiated File Compression or Archiving
Description: A user compresses files using a tool like WinRAR or 7-Zip (e.g., rar.exe or 7z.exe) for archival purposes.
Filter/Exclusion: Exclude processes with the