This hunt hypothesis covers potential adversary use of the Equation Group hack tool 'promptkill', one of the files in the ShadowBrokers leak. Presence of this file on a host may indicate exploitation of known vulnerabilities by an advanced persistent threat. The two strings the rule matches are script source (Perl-style interpolation of $xargs and $pid) that spawns an xterm, so the artifact is an operator-side script from the attacker's Unix toolkit and the detection is against file content, not process names. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and contain early-stage compromise by sophisticated actors leveraging leaked tooling.
YARA Rule
rule EquationGroup_promptkill {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "b448204503849926be249a9bafbfc1e36ef16421c5d3cfac5dac91f35eeaa52d"
    strings:
        $x1 = "exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");" fullword ascii
        $x2 = "$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
The rule's detection logic uses two string patterns ($x1 and $x2, both fullword ASCII) and fires when the scanned file is smaller than 250 KB and at least one of them is present. Because both patterns are long literal lines of script source, a file or command line that merely contains the word "promptkill" does not match the rule itself. The scenarios below are still worth filtering when YARA hits are correlated with process telemetry in a broader hunt that keys on the "promptkill" token:
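To make the matching behaviour concrete, here is an added example that re-implements the rule's logic in plain Python so it can be exercised against constructed inputs without yara-python installed. This is not the page's code and not Florian Roth's rule; it assumes YARA's KB suffix means 1024 bytes and that fullword means no ASCII alphanumeric byte touches either end of the match. The sample files are constructed for the demo and are not real promptkill code.

```python
# Added example (not the page's own code nor Florian Roth's rule): a pure-Python
# re-implementation of the EquationGroup_promptkill rule's matching logic.
# Assumptions: YARA's KB suffix means 1024 bytes and "fullword" means the match
# is not adjacent to an ASCII alphanumeric byte on either side. Sample inputs
# below are constructed for the demo and are not real promptkill code.

MAX_SIZE = 250 * 1024  # "filesize < 250KB" in the rule

# The two literals from the rule as they appear on disk. In YARA source \" is a
# quote and \\ is a backslash, so $x2 on disk contains the two-byte sequence \" .
STRINGS = (
    ("x1", b'exec("xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid");'),
    ("x2", b'$xargs="-title \\"Kill process $pid?\\" -name \\"Kill process $pid?\\"'
           b' -bg white -fg red -geometry 202x19+0+0" ;'),
)


def fullword_in(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no ASCII alphanumeric byte touching it."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        # bytes.isalnum() is ASCII-only and False for the empty string
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1
    return False


def scan(data: bytes) -> dict:
    """Evaluate 'filesize < 250KB and 1 of them' and report which strings hit."""
    matched = [name for name, s in STRINGS if fullword_in(data, s)]
    size_ok = len(data) < MAX_SIZE
    return {"matched": matched, "size_ok": size_ok, "fires": size_ok and bool(matched)}


# Constructed sample 1: a fragment that embeds both rule literals in script context.
SAMPLE_TOOL = (
    b"#!/usr/bin/perl\n"
    b"my $pid = shift;\n"
    + STRINGS[1][1] + b"\n"
    + b"    " + STRINGS[0][1] + b"\n"
)

# Constructed sample 2: a benign PowerShell helper that merely uses the word
# "promptkill" as a variable name (the false-positive worry in the scenarios).
SAMPLE_BENIGN = (
    b"# Nightly maintenance: stop hung app pools\n"
    b"$promptkill = Get-Process -Name w3wp | Where-Object { $_.Responding -eq $false }\n"
    b"$promptkill | Stop-Process -Force\n"
)

# Constructed sample 3: the literal is present but the file is not under 250KB.
SAMPLE_OVERSIZED = STRINGS[0][1] + b"\n" + b"#" * MAX_SIZE

# Constructed sample 4: the literal glued to an alphanumeric byte, so fullword fails.
SAMPLE_NOT_FULLWORD = b"x" + STRINGS[0][1] + b"\n"


if __name__ == "__main__":
    for label, blob in (("tool fragment", SAMPLE_TOOL), ("benign script", SAMPLE_BENIGN),
                        ("oversized", SAMPLE_OVERSIZED), ("not fullword", SAMPLE_NOT_FULLWORD)):
        print(f"{label:14} -> {scan(blob)}")
```

Only the first sample fires: the benign script shows that a bare "promptkill" token is not enough, the oversized sample shows the filesize guard, and the last sample shows why the fullword modifier matters when the literal is embedded inside a larger token.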
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance task, such as a schtasks.exe job that cleans temporary files or refreshes system caches, may surface in the hunt if "promptkill" appears in the task name or command line.
Filter/Exclusion: Exclude schtasks.exe children whose command lines match a maintained allow-list of known maintenance tasks; match on the full command line and image path, not on the task name alone.
Scenario: Admin Task to Kill Non-Responsive Processes
Description: A system administrator may use a script or a tool such as taskkill.exe or pskill.exe to terminate hung processes, and the wrapper script or command line may contain the string "promptkill".
Filter/Exclusion: Exclude only the specific known administrative scripts (by path and file hash) used for process termination. Do not exclude on "user has administrative privileges" alone: attacker tooling on a compromised host typically runs under an administrative account as well.
Scenario: PowerShell Script for Process Management
Description: A PowerShell script that manages services or processes may include the term "promptkill" in a comment or variable name, producing a false positive.
Filter/Exclusion: Exclude scripts signed by a trusted enterprise code-signing certificate (verify the signature chain, not merely the presence of a signature block) or that match known internal scripting standards.
Scenario: Antivirus or Endpoint Protection Tool
Description: Endpoint protection products, such as Bitdefender or Kaspersky, may ship internal tools, detection content or logs that include the term "promptkill".
Filter/Exclusion: Exclude processes whose image is signed by a known endpoint-protection vendor or that run from the vendor's protected directories; prefer the signer check, since a directory path alone can be reused by an attacker.
Scenario: Custom Script for Application Pool Recycling
Description: A custom script used to recycle IIS application pools or manage web-server processes may include the term "promptkill" in its name or logic, especially if it is used to forcefully stop services.