The Equation Group hack tool set is likely used by advanced adversaries to establish persistent access and exfiltrate data through compromised Azure environments. SOC teams should proactively hunt for this behavior to identify and mitigate potential long-term persistence and data theft operations.
YARA Rule
rule EquationGroup_noclient_3_3_2 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72"
   strings:
      $x1 = "127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning" fullword ascii
      $x2 = "iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;" fullword ascii
      $x3 = "noclient: failed to execute %s: %s" fullword ascii
      $x4 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii
      $s5 = "Attempting connection from 0.0.0.0:" ascii
   condition:
      ( filesize < 1000KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
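As an added example (not part of the rule or of the original page), the Python below re-implements the rule's five strings and its condition over constructed sample buffers, so a reviewer can see how the fullword modifier (match must be delimited by non-alphanumeric bytes) and the filesize bound decide whether the rule fires. The sample buffers are constructed here and are not real samples.

```python
import re

# The five strings from EquationGroup_noclient_3_3_2, reproduced verbatim as bytes.
RULE_STRINGS = {
    "$x1": b"127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning",
    "$x2": b"iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;",
    "$x3": b"noclient: failed to execute %s: %s",
    "$x4": b'sh -c "ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx "',
    "$s5": b"Attempting connection from 0.0.0.0:",
}
FULLWORD = {"$x1", "$x2", "$x3", "$x4"}   # $s5 carries only the ascii modifier
MAX_FILESIZE = 1000 * 1024                # YARA's KB suffix means 1024 bytes


def matched_strings(data: bytes) -> list[str]:
    """Return the identifiers of rule strings that match in data, honouring fullword."""
    hits = []
    for ident, needle in RULE_STRINGS.items():
        pattern = re.escape(needle)
        if ident in FULLWORD:
            # fullword: the byte before and after the match must not be alphanumeric
            pattern = rb"(?<![A-Za-z0-9])" + pattern + rb"(?![A-Za-z0-9])"
        if re.search(pattern, data):
            hits.append(ident)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: ( filesize < 1000KB and 1 of them )."""
    return len(data) < MAX_FILESIZE and len(matched_strings(data)) >= 1


# Constructed test buffers (not real samples).
SAMPLE_HIT = b"\x7fELF...padding..." + RULE_STRINGS["$x3"] + b"\x00more"
# Same text glued into a longer token: fullword prevents a match.
SAMPLE_FULLWORD_MISS = b"x" + RULE_STRINGS["$x3"] + b"y"
# String present, but the file is at/over 1000KB, so the condition fails.
SAMPLE_TOO_LARGE = RULE_STRINGS["$x3"] + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("fullword_miss", SAMPLE_FULLWORD_MISS),
                      ("too_large", SAMPLE_TOO_LARGE)]:
        print(name, matched_strings(buf), rule_matches(buf))
```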
Scenario: Legitimate scheduled job using msiexec for software updates
Description: A system administrator schedules a task using msiexec to deploy a legitimate software update.
Filter/Exclusion: Exclude processes where msiexec is used with known update package names (e.g., KB123456.msu) or where the process is initiated by a trusted service account.
Scenario: Admin task using regedit to modify registry settings
Description: A system administrator uses regedit to configure enterprise-wide registry settings for compliance or security purposes.
Filter/Exclusion: Exclude processes where regedit is executed by a domain admin account and the registry path is within a known enterprise configuration directory (e.g., HKLM\Software\Policies).
Scenario: Use of certutil for certificate management
Description: A security team member uses certutil to install or manage trusted certificates on a server.
Filter/Exclusion: Exclude processes where certutil is used with known certificate store paths (e.g., -addstore -user TrustedPublisher) or executed by a certificate service account.
Scenario: PowerShell script using Invoke-WebRequest for configuration pulls
Description: A script runs via PowerShell to pull configuration files from a secure internal server using Invoke-WebRequest.
Filter/Exclusion: Exclude processes where the script is signed by a trusted certificate, executed from a known configuration directory, and uses a whitelisted internal URL.
Scenario: Use of icacls for file permission management
Description: An IT staff member uses icacls to adjust file permissions on shared drives during routine maintenance.
Filter/Exclusion: Exclude processes where icacls is executed by a domain admin account and the