The detection identifies potential adversary use of the leaked Equation Group tool ‘porkclient’ to establish covert communication channels, indicating possible advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging leaked malware.
YARA Rule
rule EquationGroup_porkclient {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748"
   strings:
      $s1 = "-c COMMAND: shell command string" fullword ascii
      $s2 = "Cannot combine shell command mode with args to do socket reuse" fullword ascii
      $s3 = "-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 30KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
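The following is an added worked example, not code from the page or from the rule's author; it re-implements the rule's condition in plain Python so each clause can be inspected without yara-python installed. The `uint16(0) == 0x457f` clause is the little-endian read of the ELF magic bytes `7F 45` (`\x7fE`), so the rule only ever fires on ELF files; `fullword` is honoured by refusing matches bordered by alphanumeric characters; and the SHA-256 of the scanned bytes is compared against the rule's `hash1` so an analyst can tell a hit on the known sample from a hit on something new. All sample buffers below are constructed for the example.

```python
"""Pure-Python mirror of the EquationGroup_porkclient rule's condition.

Added example (assumptions: the three RULE_STRINGS and RULE_HASH1 are copied
verbatim from the rule; all sample buffers are constructed here, not real files).
"""
import hashlib
import re
from typing import Optional

# The $s1..$s3 strings from the rule, verbatim.
RULE_STRINGS = [
    b"-c COMMAND: shell command string",
    b"Cannot combine shell command mode with args to do socket reuse",
    b"-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)",
]
# hash1 from the rule's meta block: the sample the rule was written against.
RULE_HASH1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748"
MAX_SIZE = 30 * 1024  # YARA's "30KB" is 30 * 1024 bytes


def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): little-endian 16-bit read, None if out of range."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def fullword_hits(data: bytes, needle: bytes) -> int:
    """Count occurrences honouring YARA `fullword`: a hit may not be directly
    preceded or followed by an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return len(re.findall(pattern, data))


def evaluate_rule(data: bytes) -> dict:
    """Evaluate every clause of the rule and return the breakdown plus verdict."""
    is_elf = uint16_le(data, 0) == 0x457F      # bytes 7F 45 read little-endian
    size_ok = len(data) < MAX_SIZE              # filesize < 30KB
    hits = {s.decode(): fullword_hits(data, s) for s in RULE_STRINGS}
    strings_ok = any(n > 0 for n in hits.values())   # "1 of them"
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "is_elf": is_elf,
        "size_ok": size_ok,
        "string_hits": hits,
        "matches": is_elf and size_ok and strings_ok,
        "sha256": sha256,
        "is_known_sample": sha256 == RULE_HASH1,
    }


# --- constructed samples (not real binaries) ---------------------------------
# Small ELF-headed blob carrying two of the rule strings as NUL-terminated text.
ELF_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9        # constructed 16-byte e_ident
    + b"\x00" * 64                               # filler standing in for headers
    + b"usage text\x00" + RULE_STRINGS[0] + b"\x00"
    + RULE_STRINGS[2] + b"\x00"
)
# PE-headed blob with a rule string: the string hits, but the ELF clause fails.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + RULE_STRINGS[1] + b"\x00"
# ELF-headed blob over 30KB: the size clause fails.
BIG_SAMPLE = b"\x7fELF" + b"\x00" * (40 * 1024) + RULE_STRINGS[1] + b"\x00"
# ELF-headed blob where the string is glued to alphanumerics: fullword fails.
NOT_FULLWORD = b"\x7fELF" + b"\x00" * 12 + b"foo" + RULE_STRINGS[0] + b"bar"


if __name__ == "__main__":
    for name, blob in [("ELF_SAMPLE", ELF_SAMPLE), ("PE_SAMPLE", PE_SAMPLE),
                       ("BIG_SAMPLE", BIG_SAMPLE), ("NOT_FULLWORD", NOT_FULLWORD)]:
        r = evaluate_rule(blob)
        print(f"{name}: matches={r['matches']} elf={r['is_elf']} "
              f"size_ok={r['size_ok']} hits={sum(r['string_hits'].values())} "
              f"known_sample={r['is_known_sample']}")
```

Run it and only `ELF_SAMPLE` matches; the PE-headed buffer shows why a Windows-style filename exclusion has nothing to do with this rule, the oversized buffer shows the `filesize` guard, and the glued-string buffer shows what `fullword` buys. A real triage step would feed the reported SHA-256 into the organisation's allowlist or a reputation service rather than the single `hash1` comparison used here.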
Scenario: Legitimate System Update or Patch Deployment
Description: A system update or patch deployment process may include files with similar names to the malicious porkclient tool, especially if the update includes legacy or third-party components.
Filter/Exclusion: Check file hashes against known legitimate updates, or use a filter like file_name != "porkclient.exe" and process_name != "patch_installer.exe".
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled job might use a tool with a similar name to porkclient for log collection or monitoring purposes, especially in environments with custom monitoring tools.
Filter/Exclusion: Use a filter like process_name != "log_collector.exe" or check for process_parent_name == "task scheduler" to identify legitimate scheduled tasks.
Scenario: Administrative Task Using a Similar Tool
Description: An administrator might use a legitimate tool with a similar name (e.g., porkclient) for network testing or diagnostic purposes, such as using nmap or tcpdump in a controlled environment.
Filter/Exclusion: Filter by process_name != "nmap.exe" and process_name != "tcpdump.exe", and check for user_account == "admin" to differentiate from malicious activity.
Scenario: File Integrity Monitoring Tool
Description: A file integrity monitoring (FIM) tool might generate files with names similar to porkclient during its operation, especially when scanning or logging file changes.
Filter/Exclusion: Use a filter like process_name != "fim_tool.exe" or check for process_parent_name == "system" to identify legitimate system processes.
Scenario: Legacy or Unused Software in the Environment
Description: An outdated or unused software package might include a