This hunt hypothesis covers potential adversary use of the Equation Group file scanner leaked by the Shadow Brokers, a tool whose presence on a host may indicate reconnaissance or staging for data exfiltration. SOC teams should proactively hunt for this behaviour in Azure Sentinel to surface early signs of advanced persistent threats reusing the leaked toolset.
YARA Rule
rule EquationGroup_scanner {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file scanner"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
    strings:
        $x1 = "program version netid address service owner" fullword ascii
        $x4 = "*** Sorry about the raw output, I'll leave it for now" fullword ascii
        $x5 = "-scan winn %s one" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
This YARA rule can be deployed in any context where YARA runs against files: endpoint agents, sandbox and mail pipelines, and file-share scanners whose results are ingested into Sentinel.
The rule contains 3 string patterns in its detection logic, all fullword ASCII literals. The condition is "filesize < 250KB and 1 of them", so a single string hit in a file under 250 KB is enough to fire. Because matching is on file content, any exclusion should be expressed on the matched file (hash, signer, path) or on the process context recorded alongside the match, not on a process name alone.
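To show exactly what the rule's condition accepts and rejects, here is an added example (not part of the original page or of Florian Roth's signature-base) that re-implements this rule's logic in plain Python, including YARA's fullword semantics and the 250 KB size gate, and then applies the kind of hash and path exclusions the scenarios later on this page describe. The sample files, the path C:\ThreatIntel\ used as a sanctioned repository, and the field names in the result are constructed for the example; a production deployment would use yara-python and real telemetry instead.

```python
import hashlib
import re
from typing import Iterable

# Literal strings of the EquationGroup_scanner rule reproduced above. All three
# are "fullword ascii"; the condition is "filesize < 250KB and 1 of them".
RULE_STRINGS = {
    "$x1": b"program version netid address service owner",
    "$x4": b"*** Sorry about the raw output, I'll leave it for now",
    "$x5": b"-scan winn %s one",
}
MAX_FILESIZE = 250 * 1024  # YARA's KB suffix means 1024 bytes


def _fullword(literal: bytes) -> re.Pattern:
    # YARA "fullword": the hit must not be directly preceded or followed by an
    # alphanumeric byte. Punctuation, whitespace and NUL bytes around it are fine.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(literal) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword(s) for name, s in RULE_STRINGS.items()}


def scan(data: bytes) -> dict:
    """Evaluate the rule's logic against one file's bytes."""
    matched = [name for name, pat in PATTERNS.items() if pat.search(data)]
    fires = len(data) < MAX_FILESIZE and len(matched) >= 1
    return {"size": len(data), "matched": matched, "fires": fires}


def triage(path: str, data: bytes,
           allow_hashes: Iterable[str] = (),
           allow_path_prefixes: Iterable[str] = ()) -> dict:
    """Apply the rule, then the exclusions the false-positive scenarios describe:
    a vetted file hash, or a path under a sanctioned location such as an
    analyst's evidence repository that legitimately holds the leaked sample.
    Verdict is one of: no_match, excluded, alert."""
    result = scan(data)
    result["path"] = path
    result["sha256"] = hashlib.sha256(data).hexdigest()
    if not result["fires"]:
        result["verdict"] = "no_match"
    elif result["sha256"] in set(allow_hashes):
        result["verdict"] = "excluded"
        result["reason"] = "hash allowlist"
    elif any(path.lower().startswith(p.lower()) for p in allow_path_prefixes):
        result["verdict"] = "excluded"
        result["reason"] = "path allowlist"
    else:
        result["verdict"] = "alert"
    return result


# Constructed sample files (not real artefacts), one per branch of the logic.
SAMPLES = {
    # small blob carrying one rule string -> fires
    r"C:\Users\jdoe\Downloads\svc.bin":
        b"\x00" * 64 + b"usage: -scan winn %s one\n" + b"\x00" * 64,
    # the $x1 string run into a preceding alphanumeric -> fullword fails
    r"C:\Temp\notes.txt":
        b"see Xprogram version netid address service owner for details",
    # rule string present, but the file is 250 KB or larger -> size gate blocks it
    r"C:\Temp\big.bin":
        b"-scan winn %s one" + b"\x00" * MAX_FILESIZE,
    # analyst report quoting the tool's output, stored under a sanctioned path
    r"C:\ThreatIntel\reports\eqgrp-notes.txt":
        b"tool prints: *** Sorry about the raw output, I'll leave it for now",
}
ALLOW_PATHS = ["C:\\ThreatIntel\\"]  # hypothetical sanctioned evidence repository


def run_samples() -> dict:
    """Map each sample path to its triage verdict."""
    return {p: triage(p, d, allow_path_prefixes=ALLOW_PATHS)["verdict"]
            for p, d in SAMPLES.items()}


if __name__ == "__main__":
    for path, verdict in run_samples().items():
        print(f"{verdict:9s} {path}")
```

Running it prints alert for the small blob, no_match for the two files that fail the fullword or size checks, and excluded for the report under the sanctioned path. The exclusion is applied after the rule, never folded into it, so the raw match is still available for a hunter who wants to review what was suppressed.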
Scenario: Legitimate System File Scan by Antivirus Software
Description: An antivirus or EDR engine scanning system files (e.g. ntoskrnl.exe, smss.exe), or its own quarantine and signature stores, may raise hits that look like this rule firing. Because the rule matches three literal strings, a hit on a Microsoft-signed system binary is unexpected and should be verified before it is excluded.
Filter/Exclusion: Exclude files that carry a valid Microsoft or antivirus-vendor signature, or whose hash is on a vetted allowlist, e.g. signer IN ('Microsoft Windows', 'Microsoft Corporation') or file_hash IN ('hash1', 'hash2'). Do not exclude on file name alone: a name is trivially spoofed, and a clause such as file_name NOT LIKE '%ntoskrnl.exe%' suppresses every file except the one it names.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task may run a file-scanner or integrity-check tool such as sfc /scannow or DISM, and that scan activity can appear in the same telemetry as the rule match.
Filter/Exclusion: Exclude the event only when the responsible process is the signed Microsoft tool launched by the Task Scheduler service, e.g. process_name = 'sfc.exe' and signer = 'Microsoft Windows' and process_parent = 'svchost.exe' (the host of the Schedule service). A bare process_parent = 'Task Scheduler' is a display name, not an image name, and will not match real telemetry.
Scenario: Windows Update or Patching Process
Description: During Windows updates, wusa.exe or dism.exe may run and read or modify system files, and that activity can coincide with a rule match.
Filter/Exclusion: Exclude the Microsoft-signed update binaries by name, location and signer rather than by name alone, e.g. process_name IN ('wusa.exe', 'dism.exe') and process_path LIKE 'C:\Windows\System32\%' and signer = 'Microsoft Windows'.
Scenario: Use of Legitimate Forensic Tools
Description: Security teams using forensic tools such as Volatility or F-Response analyse memory and disk images that may contain the Equation Group scanner itself, so the rule fires on the evidence or on carved artefacts rather than on a live intrusion.
Filter/Exclusion: Scope the exclusion to designated analysis hosts and their evidence repositories rather than to the tool name alone (Volatility is commonly run as python.exe vol.py, so process_name LIKE '%volatility%' can miss it), e.g. host_name IN ('forensics-01') or process_name LIKE '%f-response%'.
Scenario: Admin-Initiated File Integrity Check