The detection identifies potential adversary use of the leaked Equation Group tool ‘porkserver’ to establish covert command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity that may evade traditional detection methods.
YARA Rule

rule EquationGroup_porkserver {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file porkserver"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a"
    strings:
        $s1 = "%s/%s server failing (looping), service terminated" fullword ascii
        $s2 = "getpwnam: %s: No such user" fullword ascii
        $s3 = "execv %s: %m" fullword ascii
        $s4 = "%s/%s: unknown service" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 70KB and 3 of them )
}
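To make the rule's condition concrete, here is an added example (not part of the original page and not from Florian Roth's signature-base) that re-implements the three checks in plain Python so an analyst can see why a given file does or does not match: uint16(0) == 0x457f is a little-endian read of the first two bytes, i.e. the ELF magic "\x7fE", so the rule only fires on ELF executables; filesize < 70KB; and at least 3 of the 4 fullword strings, where fullword means the match is not adjacent to an alphanumeric byte. The sample files are constructed inline (a fake ELF header followed by the rule strings in a NUL-separated string table) and are not real porkserver binaries; the function and constant names are my own.

```python
import re
import struct

# The four strings from the EquationGroup_porkserver rule above.
PORKSERVER_STRINGS = [
    b"%s/%s server failing (looping), service terminated",
    b"getpwnam: %s: No such user",
    b"execv %s: %m",
    b"%s/%s: unknown service",
]
MAX_FILESIZE = 70 * 1024  # YARA's "70KB" is 70 * 1024 bytes
REQUIRED_MATCHES = 3      # "3 of them"


def fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword' modifier: the match must not be preceded
    or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_porkserver_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and return every intermediate result,
    so a triage analyst can see which clause accepted or rejected a sample."""
    # uint16(0) is little-endian, so 0x457f means bytes 7f 45 == b"\x7fE" (ELF magic).
    elf_magic = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x457F
    size_ok = len(data) < MAX_FILESIZE
    hits = [s for s in PORKSERVER_STRINGS if fullword_present(data, s)]
    return {
        "elf_magic": elf_magic,
        "size_ok": size_ok,
        "string_hits": len(hits),
        "matched": elf_magic and size_ok and len(hits) >= REQUIRED_MATCHES,
    }


# Constructed samples (hypothetical, not real porkserver binaries): a fake ELF
# header, then rule strings separated by NUL bytes as they would sit in .rodata.
FAKE_ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9

SAMPLE_MATCH = FAKE_ELF_HEADER + b"\x00".join(PORKSERVER_STRINGS[:3]) + b"\x00"
SAMPLE_TOO_FEW = FAKE_ELF_HEADER + b"\x00".join(PORKSERVER_STRINGS[:2]) + b"\x00"
# A PE ("MZ") file carrying all four strings is rejected by the ELF-magic clause.
SAMPLE_PE = b"MZ" + b"\x00" * 14 + b"\x00".join(PORKSERVER_STRINGS) + b"\x00"
# All four strings but padded past 70KB: rejected by the filesize clause.
SAMPLE_LARGE = FAKE_ELF_HEADER + b"\x00".join(PORKSERVER_STRINGS) + b"\x00" * MAX_FILESIZE
# Strings glued inside a longer alphanumeric token fail the fullword test.
SAMPLE_NOT_FULLWORD = FAKE_ELF_HEADER + b"\x00".join(b"x" + s + b"y" for s in PORKSERVER_STRINGS)


def scan_samples() -> dict:
    """Run the rule emulation over every constructed sample."""
    samples = {
        "match": SAMPLE_MATCH,
        "too_few_strings": SAMPLE_TOO_FEW,
        "pe_not_elf": SAMPLE_PE,
        "oversized": SAMPLE_LARGE,
        "not_fullword": SAMPLE_NOT_FULLWORD,
    }
    return {name: matches_porkserver_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:16} {result}")
```

Only the first sample matches; the others each fail exactly one clause, which is the behaviour to expect from the real rule under yara or yara-python. The emulation is for understanding and unit-testing the logic, not a replacement for the YARA engine in production scanning.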
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic; its condition requires an ELF header (uint16(0) == 0x457f), a file size under 70 KB, and at least 3 of those 4 strings to match.
Scenario: Legitimate scheduled job using porkserver for internal monitoring
Description: A system administrator uses a custom script named porkserver as part of a scheduled job to monitor system health or collect logs.
Filter/Exclusion: Exclude processes where the file path contains C:\Windows\System32\ or where the process is initiated by a known administrative task (e.g., Task Scheduler with a known job name).

Scenario: Security tool or SIEM integration using porkserver
Description: A security tool or SIEM system (e.g., Splunk, ELK) uses a script named porkserver to interface with internal systems for data collection or correlation.
Filter/Exclusion: Exclude processes where the parent process is a known SIEM or security tool (e.g., splunkd.exe, logstash.exe) or where the file path includes a known security tool directory.

Scenario: Internal development or testing environment using porkserver
Description: A development team uses a script named porkserver as part of an internal testing or CI/CD pipeline to simulate network traffic or test system behavior.
Filter/Exclusion: Exclude processes running from a known development directory (e.g., C:\Dev\) or where the process is initiated by a known CI/CD tool (e.g., Jenkins.exe, GitLab-runner.exe).

Scenario: System update or patching tool using porkserver
Description: A patching or update tool (e.g., Microsoft Update, SCCM) uses a script named porkserver to manage system configuration or apply patches.
Filter/Exclusion: Exclude processes where the parent process is a known patching tool (e.g., msiexec.exe,