This hunt hypothesis covers potential adversary use of the Equation Group hack tool, specifically its file packrat component, which may indicate post-compromise data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity that leverages the leaked tools.
YARA Rule
rule EquationGroup_packrat {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file packrat"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "d3e067879c51947d715fc2cf0d8d91c897fe9f50cae6784739b5c17e8a8559cf"
    strings:
        $x2 = "Use this on target to get your RAT:" fullword ascii
        $x3 = "$ratremotename && " fullword ascii
        $x5 = "$command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;" fullword ascii
    condition:
        ( filesize < 70KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic; its condition fires when the scanned file is smaller than 70KB and at least one of the patterns is present as a fullword ASCII match.
Scenario: Legitimate use of packrat for forensic data collection
Description: A security analyst or incident responder uses the packrat tool (part of the Equation Group toolkit) to collect forensic data from a compromised system as part of an investigation.
Filter/Exclusion: Exclude processes where the user is a security analyst or incident responder, or where the command line includes -f or -d flags indicating forensic mode.
Scenario: Scheduled job using packrat for log aggregation
Description: A scheduled task runs packrat to aggregate logs from multiple servers into a centralized log management system.
Filter/Exclusion: Exclude processes initiated by a known log aggregation service or scheduled task with a specific name like log_aggregation_job.
Scenario: System update or patching using a tool with similar name
Description: A system update or patching tool (e.g., patchrat, syspatch) is mistakenly named or misconfigured to resemble packrat, triggering the rule.
Filter/Exclusion: Exclude processes where the full path includes known update tools or where the command line contains update, patch, or install.
Scenario: Admin task to collect system information
Description: An administrator uses a script or tool that includes packrat to collect system information for reporting or compliance purposes.
Filter/Exclusion: Exclude processes where the user is a domain admin or where the command line includes report, audit, or inventory.
Scenario: Malware analysis using packrat in a sandboxed environment
Description: A malware analyst uses packrat in a sandboxed environment to analyze the behavior of a suspected malicious file.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., using `sandboxed