This detection identifies potential adversary use of pclean.v2.1.1.0-linux-i386, a 32-bit Linux ELF binary from the Equation Group tool set leaked by the ShadowBrokers, which may be reused for persistence or data exfiltration. The rule below is a file-content signature (two usage strings inside an ELF under 40 KB), not a process-name match, so a renamed copy of the binary still hits and an unrelated file called pclean does not. SOC teams should proactively hunt for rule matches and for the listed file hash in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate advanced persistent threat activity leveraging compromised or leaked tooling.
YARA Rule
rule EquationGroup_pclean_v2_1_1_2 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
   strings:
      $s3 = "** SIGNIFICANTLY IMPROVE PROCESSING TIME" fullword ascii
      $s6 = "-c cmd_name: strncmp() search for 1st %d chars of commands that " fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 40KB and all of them )
}
This YARA rule can be deployed with any YARA-capable scanner or endpoint agent, and the hash1 value can be used directly for file-hash hunting in Sentinel.
The rule contains 2 string patterns and requires all of them (condition "all of them"), together with an ELF magic check (uint16(0) == 0x457f is the little-endian read of the bytes 0x7f 0x45, i.e. "\x7fE") and a file size below 40 KB (YARA's KB unit is 1024 bytes). Both strings carry the fullword modifier, so they only match when not bordered by an alphanumeric character.
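As an added example for this page (not code from the rule author or from any scanner), the following pure-Python script re-implements the rule's condition so the individual checks can be read and tested without YARA installed, and pairs the content match with the SHA-256 comparison against hash1 that triage of a hit starts with. The sample buffers are constructed for the demo; none of them is the leaked binary, which is exactly why only the hash can confirm a true positive.

```python
"""Offline triage helper for hits on EquationGroup_pclean_v2_1_1_2.

Added example; not part of the original rule or of any scanner. It mirrors
the rule's condition in plain Python:
  - uint16(0) == 0x457f -> first two bytes are 0x7f 0x45 (b"\\x7fE", the
    ELF magic read little-endian)
  - filesize < 40KB     -> fewer than 40 * 1024 bytes (YARA's KB unit)
  - all of them         -> BOTH strings present, each as a YARA 'fullword'
    (not bordered by an alphanumeric character)
The sample buffers at the bottom are constructed; none is a real file.
"""
import hashlib
import re

# The two patterns, copied verbatim from the rule ($s3 and $s6).
RULE_STRINGS = [
    b"** SIGNIFICANTLY IMPROVE PROCESSING TIME",
    b"-c cmd_name: strncmp() search for 1st %d chars of commands that ",
]
# hash1 from the rule's meta section: SHA-256 of the leaked binary.
KNOWN_HASH = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
MAX_SIZE = 40 * 1024  # YARA interprets "40KB" as 40 * 1024 bytes


def _fullword(data: bytes, s: bytes) -> bool:
    """Emulate YARA's 'fullword': no [A-Za-z0-9] directly before or after."""
    pat = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")
    return pat.search(data) is not None


def matches_rule(data: bytes) -> bool:
    """True if `data` would satisfy the rule's condition."""
    if data[:2] != b"\x7fE":          # uint16(0) == 0x457f
        return False
    if len(data) >= MAX_SIZE:         # filesize < 40KB
        return False
    return all(_fullword(data, s) for s in RULE_STRINGS)  # all of them


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(name: str, data: bytes) -> dict:
    """Combine the content match with the hash check used during triage."""
    digest = sha256_hex(data)
    return {
        "name": name,
        "rule_match": matches_rule(data),
        "sha256": digest,
        "is_known_sample": digest == KNOWN_HASH,
    }


# --- constructed samples (not real files) ---------------------------------
_ELF_HEADER = b"\x7fELF" + b"\x01\x01\x01" + b"\x00" * 9   # fake 32-bit LE e_ident
# ELF-like blob holding both strings, NUL-terminated as in a .rodata section.
SAMPLE_ELF_BOTH = (_ELF_HEADER + b"\x00" * 64
                   + RULE_STRINGS[0] + b"\x00" + RULE_STRINGS[1] + b"\x00")
# A shell script that happens to be called pclean: no ELF magic, so no match.
SAMPLE_SCRIPT = b"#!/bin/sh\n# pclean: remove stale temp files\nrm -f /tmp/*.tmp\n"
# Only one of the two strings present.
SAMPLE_ELF_ONE = _ELF_HEADER + b"\x00" * 64 + RULE_STRINGS[0] + b"\x00"
# Both strings, but padded past the 40 KB ceiling.
SAMPLE_ELF_BIG = SAMPLE_ELF_BOTH + b"\x00" * MAX_SIZE
# Both strings, but $s3 is glued to alphanumeric bytes, which breaks 'fullword'.
SAMPLE_ELF_GLUED = (_ELF_HEADER + b"\x00" * 64
                    + b"X" + RULE_STRINGS[0] + b"X" + RULE_STRINGS[1] + b"\x00")

SAMPLES = {
    "pclean (ELF, both strings)": SAMPLE_ELF_BOTH,
    "pclean (shell script)":      SAMPLE_SCRIPT,
    "pclean (ELF, one string)":   SAMPLE_ELF_ONE,
    "pclean (ELF, >40KB)":        SAMPLE_ELF_BIG,
    "pclean (ELF, glued)":        SAMPLE_ELF_GLUED,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{name:30} rule_match={str(r['rule_match']):5} "
              f"known_sample={r['is_known_sample']}")
```

Running the script shows only the first sample matching; the script named pclean, the one-string ELF, the oversized ELF and the glued-string ELF all fail, and no constructed sample reproduces hash1. In a real hit, a hash equal to hash1 is conclusive; a rule match with a different hash is still a variant or recompiled build worth analysing, not an automatic exclusion.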
Scenario: Unrelated cleanup tool named pclean
Description: An organization may run an unrelated utility that happens to be called pclean (for example a temp-file or log cleanup script). Because this rule matches two usage strings inside a 32-bit ELF rather than the file name, such a tool does not trigger it unless it actually contains both strings.
Filter/Exclusion: Compare the SHA-256 of the matched file with hash1 in the rule; a hash match is the leaked binary regardless of name, path or owner. Do not exclude on trusted service accounts alone, since the leaked tool would also run from a compromised or privileged account.
Scenario: Scheduled maintenance job
Description: Cron jobs or systemd timers on Linux hosts may run cleanup tools on a schedule.
Filter/Exclusion: A scheduled origin is not by itself a reason to discard a match; verify the hash first. If the scheduled binary is a known-good tool with a different hash, document it and exclude by full path plus hash, not by name or schedule.
Scenario: Security tooling that stores samples
Description: Antivirus quarantine folders, sandbox and malware-analysis directories, threat-intelligence sample collections and red-team tool caches may legitimately hold a copy of the leaked binary, and that copy will match the rule.
Filter/Exclusion: Exclude or tag hits from well-known quarantine and analysis paths rather than excluding by security-vendor process name; a hit on an ordinary host outside those paths remains an incident.
Scenario: User-initiated cleanup after system update
Description: A user may manually run a cleanup command after a system update to remove old configuration files or temporary data.
Filter/Exclusion: Do not exclude on user privilege: an unprivileged user can execute a 32-bit ELF from any writable directory, and the rule fires on file content rather than user context. Use user identity and maintenance windows to prioritize triage, and verify the hash.
Scenario: False positive from a third-party software package
Description: A third-party application may ship a file named pclean as part of its installation or runtime. The name alone does not match the rule; a genuine hit means the package contains an ELF under 40 KB with both strings, which warrants checking the hash and the package's provenance.
Filter/Exclusion: Exclude processes that are part of known third-party software packages by checking the file path against a