A match on the Equation Group hack tool set may indicate the presence of an advanced persistent threat using sophisticated, previously unknown attack vectors. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term adversary persistence and data exfiltration.
YARA Rule
rule EquationGroup_orleans_stride_sunos5_9_v_2_4_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "6a30efb87b28e1a136a66c7708178c27d63a4a76c9c839b2fc43853158cb55ff"
    strings:
        $s1 = "_lib_version" fullword ascii
        $s2 = ",%02d%03d" fullword ascii
        $s3 = "TRANSIT" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and all of them )
}
This rule contains 3 string patterns in its detection logic. The scenarios below describe legitimate activity that could resemble the toolset and suggest a filter or exclusion for each.
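To make the condition concrete, the following is an added Python re-implementation of the rule's logic (written for this page, not the rule author's or YARA's code) run over constructed sample buffers: it shows that uint16(0) == 0x457f is the little-endian read of the ELF magic bytes 7f 45, that YARA's 200KB means 200 * 1024 bytes, and what fullword requires of the three strings.

```python
import re

# Thresholds and patterns taken from the rule on this page.
ELF_MAGIC_U16 = 0x457F          # uint16(0), little-endian, over the bytes 7f 45 ("\x7fE")
MAX_SIZE = 200 * 1024           # YARA's "200KB" is 200 * 1024 bytes
FULLWORD_STRINGS = [b"_lib_version", b",%02d%03d", b"TRANSIT"]


def _fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword ascii': the string must not be bordered by
    alphanumeric bytes (YARA uses isalnum, so '_' and NUL count as delimiters)."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def match_equationgroup_orleans_stride(data: bytes) -> bool:
    """Return True when the buffer satisfies the rule's condition clause."""
    if len(data) < 2:
        return False
    if int.from_bytes(data[:2], "little") != ELF_MAGIC_U16:
        return False                      # not an ELF file
    if len(data) >= MAX_SIZE:
        return False                      # filesize < 200KB fails
    return all(_fullword_present(data, s) for s in FULLWORD_STRINGS)


# Constructed sample buffers (not real malware): a fake ELF header padded with
# zeros, followed by the three strings as NUL-terminated C strings.
FAKE_ELF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 57
            + b"_lib_version\x00,%02d%03d\x00TRANSIT\x00")
FAKE_PE = b"MZ" + FAKE_ELF[2:]            # same strings, wrong magic
SUBSTRING_ONLY = (b"\x7fELF" + b"\x00" * 60
                  + b"x_lib_versiony\x00,%02d%03d\x00TRANSITS\x00")  # not fullword


def main():
    samples = [("fake_elf", FAKE_ELF), ("fake_pe", FAKE_PE),
               ("substring_only", SUBSTRING_ONLY),
               ("oversized", FAKE_ELF + b"\x00" * MAX_SIZE)]
    for name, buf in samples:
        verdict = "MATCH" if match_equationgroup_orleans_stride(buf) else "no match"
        print(f"{name}: {verdict}")


if __name__ == "__main__":
    main()
```

Only the first sample matches; the others fail on the magic, on fullword delimiting, or on the size limit, which is where tuning this rule against legitimate ELF binaries would start.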
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup, log rotation) that matches the behavior of the Equation Group toolset.
Filter/Exclusion: Check for schtasks.exe with a known maintenance task name or path in the System32 directory.
Scenario: Windows Update or Patching Process
Description: The Equation Group toolset may resemble the behavior of Windows Update or patching utilities, such as using msiexec.exe or wuauclt.exe to install updates.
Filter/Exclusion: Filter out processes associated with Windows Update or Microsoft Update services, or check for known update MSI package hashes.
Scenario: Admin Tool for System Monitoring
Description: A legitimate administrative tool like perfmon.exe (Performance Monitor) or eventvwr.exe (Event Viewer) may be used in a way that mimics the Equation Group toolset.
Filter/Exclusion: Exclude processes associated with known monitoring tools or check for process parentage from trusted system services.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like msseces.exe (Microsoft Security Essentials) or mpsvc.exe (Microsoft Defender) may exhibit similar behavior to the Equation Group toolset during a scan.
Filter/Exclusion: Exclude processes with known antivirus or endpoint protection signatures, or filter by process names associated with security software.
Scenario: Custom Script for Log Analysis
Description: A legitimate PowerShell script or batch file used for log analysis or system diagnostics may trigger the same detection logic as the Equation Group toolset.
Filter/Exclusion: Filter by script execution context (e.g., user account, execution time), or