This detection identifies the Equation Group pclean tool (Linux i386 and x86_64 builds) leaked by the Shadow Brokers. A match means leaked Equation Group tooling is present on the host and should be treated as probable adversary presence rather than a routine event. SOC teams should hunt for it in Azure Sentinel, for example by pivoting on the file hashes listed in the rule, to identify and contain advanced persistent threats reusing the leaked tools.
YARA Rule
rule EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      super_rule = 1
      hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
      hash2 = "ab7f26faed8bc2341d0517d9cb2bbf41795f753cd21340887fc2803dc1b9a1dd"
   strings:
      $s1 = "-c cmd_name: strncmp() search for 1st %d chars of commands that " fullword ascii
      $s2 = "e.g.: -n 1-1024,1080,6666,31337 " fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 50KB and all of them )
}
The rule carries two string patterns in its detection logic, both taken from the tool's usage text, and requires all of them to match (fullword, so neither may be glued to alphanumeric characters). Two gates narrow the search: uint16(0) == 0x457f, which YARA reads as a little-endian 16-bit value and is therefore the first two bytes of the ELF magic (0x7f 'E'), and filesize < 50KB (51,200 bytes, since YARA's KB is 1024). super_rule = 1 records that the rule was generated to cover both listed samples, the i386 and x86_64 builds, which is why two hashes are given. The rule matches file content, not file name, so it belongs in a YARA-capable file scanner; Azure Sentinel queries logs rather than file content, so hunt there on the two hashes or on alerts forwarded from an endpoint scanner.
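To make the condition concrete, the following is a pure-Python re-implementation of the rule's logic (ELF magic gate, size gate, both strings with YARA fullword semantics) plus a SHA-256 comparison against hash1/hash2 for the hash-based confirmation used in the scenarios below. It is an added example, not code from the original page or from the signature-base project, and the sample buffers it scans are constructed here: none of them is a real pclean binary, so the hash check is expected to report no match for all of them.

```python
"""
Re-implementation of EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4's condition,
run over constructed sample buffers. Added illustration; not the project's code.
"""
import hashlib

# The two strings from the rule, copied verbatim (note the trailing spaces).
RULE_STRINGS = [
    b"-c cmd_name: strncmp() search for 1st %d chars of commands that ",
    b"e.g.: -n 1-1024,1080,6666,31337 ",
]

# hash1 / hash2 from the rule's meta section.
KNOWN_HASHES = {
    "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97",
    "ab7f26faed8bc2341d0517d9cb2bbf41795f753cd21340887fc2803dc1b9a1dd",
}

MAX_SIZE = 50 * 1024  # YARA's "50KB" is 51200 bytes (KB = 1024)

# YARA's fullword uses C-locale isalnum, i.e. ASCII letters and digits only.
ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate `fullword ascii`: some occurrence of needle must have no
    alphanumeric byte immediately before it or immediately after it."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = start == 0 or data[start - 1] not in ALNUM
        after_ok = end == len(data) or data[end] not in ALNUM
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)
    return False


def has_elf_magic(data: bytes) -> bool:
    """uint16(0) == 0x457f: YARA reads a little-endian 16-bit integer at
    offset 0, so this is satisfied by the bytes 0x7f 'E' (start of ELF magic)."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x457F


def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x457f and filesize < 50KB and all of them )"""
    return (has_elf_magic(data)
            and len(data) < MAX_SIZE
            and all(fullword_match(data, s) for s in RULE_STRINGS))


def sha256_is_known_bad(data: bytes) -> bool:
    """Confirmation step: does the file hash equal hash1 or hash2?"""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def triage(data: bytes) -> dict:
    """Result a scanner would attach to a file: string-rule verdict plus
    whether the hash is one of the two samples the rule was built from."""
    return {"rule": rule_matches(data), "known_hash": sha256_is_known_bad(data)}


def make_elf_like(body: bytes) -> bytes:
    """Constructed stand-in for an ELF file: e_ident header bytes + body."""
    return b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + body


USAGE = b"\x00usage:\n" + RULE_STRINGS[0] + b"\n" + RULE_STRINGS[1] + b"\n\x00"

# Constructed sample inputs (hypothetical; none is a real binary).
SAMPLES = {
    "suspect": make_elf_like(USAGE),                          # should match
    "benign_pclean": make_elf_like(b"\x00pclean: remove temp files\n\x00"),
    "text_copy": USAGE,                                       # not an ELF
    "partial": make_elf_like(b"\x00" + RULE_STRINGS[1] + b"\n\x00"),
    "glued": make_elf_like(b"\x00AB" + RULE_STRINGS[0] + b"CD\n"
                           + RULE_STRINGS[1] + b"\n\x00"),    # fullword fails
    "oversized": make_elf_like(USAGE + b"\x00" * MAX_SIZE),   # size gate fails
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} {triage(blob)}")
```

The benign_pclean case is the point the scenarios below turn on: a file merely named pclean never fires this rule, and a file with any other name that carries both usage strings still does. The glued case shows why fullword matters: the same bytes, run together with letters, are not a hit.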
Scenario: Name collision with a legitimate tool called pclean
Description: A benign program may share the name pclean. This rule does not match on file name or process name; it requires an ELF file under 50 KB that contains both usage strings of the leaked tool, so a name collision by itself produces no hit, and a hit on a file with any other name is still a hit.
Filter/Exclusion: Do not exclude on process owner (user.name == "root" or "admin") or on install path (/opt/pclean/, /usr/local/bin/pclean): the leaked tool is just as likely to be run as root from a system path. Exclude only after the file's SHA-256 has been compared with hash1/hash2 and the matched strings have been inspected in the binary (for example with strings(1)).
Additional Context: Use process.parent to establish how the process was launched (interactive shell, cron, systemd, at). Treat that as investigation context, not as grounds for suppressing the alert.
Scenario: Scheduled maintenance task using pclean
Description: A matching binary may be launched by a scheduled job, and administrators do run maintenance tools from cron or systemd timers.
Filter/Exclusion: A scheduled parent (cron job or systemd timer) is not by itself an exclusion, because scheduled jobs are also a common persistence mechanism. Review the job definition (crontab entry, systemd unit or timer) and verify the binary's hash before suppressing.
Additional Context: Check the command line. The strings in the rule are usage text for a -c option (prefix matching of command names with strncmp()) and an -n option that takes a port list (e.g. 1-1024,1080,6666,31337); a file-cleanup job would not take such arguments.
Scenario: Security tool or endpoint protection using pclean
Description: An endpoint security product or third-party tool may ship a sanitization component with a similar name.
Filter/Exclusion: Compare file.hash (SHA-256) with the vendor's published hash for the legitimate component and with hash1/hash2 from the rule.
Additional Context: A match on hash1 or hash2 confirms the leaked Equation Group binary. A hash that matches neither does not clear the file: the rule is string-based precisely so that it catches rebuilt or lightly modified copies, so an unlisted hash still calls for inspection of the matched strings.
Scenario: Malware analysis or sandbox environment
Description: Security researchers or incident responders may run the pclean tool in a sandbox or malware analysis environment as part of forensic investigation.
Filter/Exclusion: Filter by `process.parent