The hypothesis is that this detection identifies potential adversary activity involving the Equation Group hack tool, which may indicate an advanced persistent threat leveraging leaked exploit capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate compromise by sophisticated adversaries using known exploit tools.
YARA Rule
```yara
rule EquationGroup__scanner_scanner_v2_1_2 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
        hash2 = "9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff"
    strings:
        $s1 = "Welcome to the network scanning tool" fullword ascii
        $s2 = "Scanning port %d" fullword ascii
        $s3 = "/current/down/cmdout/scans" fullword ascii
        $s4 = "Scan for SSH version" fullword ascii
        $s5 = "program vers proto port service" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 100KB and 2 of them ) or ( all of them )
}
```
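To make the condition concrete, here is an added Python re-implementation of how this rule evaluates (it is not part of the original page or of the rule author's tooling). It assumes the five strings, the ELF magic check and the 100KB bound exactly as written in the rule, and runs over constructed byte samples rather than real files, including the two edge cases that silently suppress a hit: a `fullword` boundary broken by an adjacent alphanumeric and an ELF file over the size limit.

```python
import re
from typing import Optional

# The five $s strings, the ELF magic (uint16(0) reads bytes 7f 45 as the
# little-endian value 0x457f) and the size bound (YARA's KB suffix = 1024).
STRINGS = [
    "Welcome to the network scanning tool",
    "Scanning port %d",
    "/current/down/cmdout/scans",
    "Scan for SSH version",
    "program vers proto port service",
]
ELF_MAGIC_LE = 0x457F
MAX_SIZE = 100 * 1024

def fullword_matches(data: bytes, pattern: str) -> bool:
    """ASCII 'fullword' match as YARA defines it: the string must not be
    immediately preceded or followed by an alphanumeric byte."""
    rx = rb"(?<![A-Za-z0-9])" + re.escape(pattern.encode("ascii")) + rb"(?![A-Za-z0-9])"
    return re.search(rx, data) is not None

def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): little-endian 16-bit read, undefined if too short."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")

def rule_matches(data: bytes) -> bool:
    """Evaluate: (ELF and filesize < 100KB and 2 of them) or (all of them)."""
    hits = sum(fullword_matches(data, s) for s in STRINGS)
    is_elf = uint16_le(data, 0) == ELF_MAGIC_LE
    return (is_elf and len(data) < MAX_SIZE and hits >= 2) or hits == len(STRINGS)

# Constructed samples, not real files: a minimal ELF-looking header plus
# embedded strings chosen to exercise each branch of the condition.
ELF_HDR = b"\x7fELF" + b"\x00" * 12
SAMPLE_ELF_TWO_HITS = ELF_HDR + b"\x00Scanning port %d\x00Scan for SSH version\x00"
# "%dX" breaks the fullword boundary, so only one string matches here.
SAMPLE_ELF_ONE_HIT = ELF_HDR + b"\x00Scanning port %dX\x00/current/down/cmdout/scans\x00"
# Not an ELF file, but all five strings present: the second branch fires.
SAMPLE_TEXT_ALL = b"\n".join(s.encode("ascii") for s in STRINGS) + b"\n"
# ELF with two hits but padded past 100KB: the first branch is suppressed.
SAMPLE_LARGE_ELF = ELF_HDR + b"\x00" * MAX_SIZE + b"Scanning port %d\x00Scan for SSH version\x00"

if __name__ == "__main__":
    for name in ("SAMPLE_ELF_TWO_HITS", "SAMPLE_ELF_ONE_HIT", "SAMPLE_TEXT_ALL", "SAMPLE_LARGE_ELF"):
        print(name, rule_matches(globals()[name]))
```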
This rule contains five string patterns in its detection logic; it fires on an ELF file under 100KB that contains at least two of them, or on any file that contains all five. It can be deployed in the following contexts, each with a suggested filter or exclusion to reduce false positives:
Scenario: Legitimate System File Scan
Description: A security tool or endpoint protection software (e.g., Windows Defender, CrowdStrike, or third-party antivirus) performs a routine scan and flags the file scanner.v2.1.2 because it is present in its signature database.
Filter/Exclusion: Use a file hash filter to exclude known legitimate hashes of the scanner tool or include a file type filter to exclude executable files from trusted security software.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task (e.g., Task Scheduler) runs a script or tool that includes the scanner.v2.1.2 file as part of a legitimate system maintenance or patching process.
Filter/Exclusion: Exclude files associated with known system maintenance tasks or include a process name filter to exclude tasks related to system updates or maintenance.
Scenario: Software Update or Patch Deployment
Description: A patch or update from a trusted vendor (e.g., Microsoft, Cisco, or a third-party security tool) includes the scanner.v2.1.2 file as part of a legitimate update package.
Filter/Exclusion: Exclude files that match known update package hashes or include a source IP filter to exclude internal or trusted update servers.
Scenario: Internal Security Tool Deployment
Description: An internal security team deploys a custom or third-party tool (e.g., scanner.v2.1.2) for internal asset discovery or compliance checks.
Filter/Exclusion: Exclude files that match internal tool hashes or include a user or group filter to exclude activity from the internal security team.
Scenario: Malware Analysis Environment
Description: A malware analysis sandbox or lab environment runs the scanner.v2.1.2 tool as part of a controlled analysis of suspected malicious files.
**Filter/