This hunt hypothesis covers potential adversary use of the Equation Group hack tool parsescan, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated threat actors.
YARA Rule
rule EquationGroup_parsescan {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
    strings:
        $s1 = "$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or" fullword ascii
        $s2 = "Usage: $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
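As an added illustration (not part of the original page or of the rule author's tooling), the following pure-Python code evaluates this rule's condition over constructed sample content, showing how `fullword ascii` and `filesize < 250KB` decide the verdict. It assumes no yara-python is installed and reimplements only the semantics this one rule needs.

```python
# Pure-Python evaluation of the EquationGroup_parsescan rule above.
# YARA "fullword" means the match may not be preceded or followed by an
# alphanumeric byte; "filesize < 250KB" uses YARA's 1024-byte KB.
RULE_STRINGS = {
    # In the rule text "\\s" is a YARA escape, so the bytes on disk are '\' 's'.
    "$s1": rb"$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\s+version/) or",
    "$s2": rb"Usage: $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr",
}
MAX_FILESIZE = 250 * 1024


def _is_alnum(b) -> bool:
    # Only ASCII letters and digits count as word characters, as in YARA.
    return b is not None and b < 128 and chr(b).isalnum()


def fullword_matches(data: bytes, needle: bytes) -> list:
    """Return offsets where needle occurs as a fullword ascii match."""
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        before = data[i - 1] if i > 0 else None
        end = i + len(needle)
        after = data[end] if end < len(data) else None
        if not _is_alnum(before) and not _is_alnum(after):
            hits.append(i)
        start = i + 1
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition: filesize < 250KB and 1 of them."""
    strings = {name: offs for name, s in RULE_STRINGS.items()
               if (offs := fullword_matches(data, s))}
    verdict = len(data) < MAX_FILESIZE and len(strings) >= 1
    return {"match": verdict, "strings": strings, "filesize": len(data)}


# Constructed samples (not real tool content) covering the rule's edge cases.
SAMPLE_HIT = (b"#!/usr/bin/perl\n# constructed sample\n"
              b"$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or\n")
# $s2 glued to a preceding letter: present as a substring, but not a fullword.
SAMPLE_EMBEDDED = b"xUsage: $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr\n"
# String present, but padded past the 250KB cap, so the condition fails.
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for name, sample in [("hit", SAMPLE_HIT), ("embedded", SAMPLE_EMBEDDED),
                         ("too_big", SAMPLE_TOO_BIG)]:
        print(name, evaluate_rule(sample))
```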
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Scheduled System File Scan by Antivirus Software
Description: A legitimate scheduled scan by an enterprise antivirus tool (e.g., Kaspersky, Bitdefender) may trigger the rule due to parsing of system files.
Filter/Exclusion: process.name != "avscan.exe" AND process.name != "kavscan.exe"
Scenario: Windows System File Parser Tool Usage
Description: The use of Windows built-in tools like parse.exe or fileparse.exe for analyzing file systems or logs can match the detection logic.
Filter/Exclusion: process.name != "parse.exe" AND process.name != "fileparse.exe"
Scenario: Admin Task to Analyze Malware Samples
Description: Security analysts may use tools like IDA Pro, Ghidra, or Binary Ninja to analyze malware samples, which could trigger the rule due to file parsing behavior.
Filter/Exclusion: process.name != "idaq.exe" AND process.name != "ghidra" AND process.name != "binaryninja"
Scenario: PowerShell Script for File Analysis
Description: A PowerShell script used for forensic analysis or log parsing (e.g., Get-ChildItem, Get-Content) may be flagged due to file parsing activity.
Filter/Exclusion: process.name != "powershell.exe" OR (process.command_line NOT LIKE "*Get-ChildItem*" AND process.command_line NOT LIKE "*Get-Content*")
Scenario: Automated Log Parsing Job
Description: A scheduled job running a log parsing tool (e.g., LogParser, ELK stack, or Splunk) may trigger the rule due to file parsing behavior.
Filter/Exclusion: process.name != "logparser.exe" AND process.name != "spl