The detection identifies potential adversary use of the Equation Group hack tool, scripme, which may indicate exploitation of known vulnerabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats leveraging leaked malware.
YARA Rule
rule EquationGroup_scripme {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file scripme"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "a1adf1c1caad96e7b7fd92cbf419c4cfa13214e66497c9e46ec274a487cd098a"
   strings:
      $x1 = "running \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scripted" fullword ascii
      $x2 = "Cannot read $opetc/scripme.override -- are you root?" ascii
      $x3 = "$ENV{EXPLOIT_SCRIPME}" ascii
      $x4 = "$opetc/scripme.override" ascii
   condition:
      ( filesize < 30KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains four string patterns ($x1 to $x4) in its detection logic; the condition fires when any one of them is present in a file smaller than 30 KB.
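To see exactly what the rule matches, the following added example (not Florian Roth's code and not YARA itself) re-implements the rule's logic in plain Python: it holds the four strings as the bytes YARA searches for after decoding the escape sequences in the rule text, emulates the fullword modifier on $x1, and applies the filesize < 30KB bound. The sample buffers are constructed for the example; they are not the real scripme file. Note that in the YARA source, \\\" decodes to a literal backslash followed by a double quote and \\$ to a backslash followed by a dollar sign, which is easy to get wrong when porting a rule to another engine.

```python
# Pure-Python evaluation of the EquationGroup_scripme YARA rule (added example,
# not the original rule author's code). Useful for checking what the rule's
# string literals decode to and how fullword / filesize behave.

# (needle bytes, fullword?) for $x1..$x4, as decoded from the YARA text strings.
PATTERNS = {
    "x1": (b'running \\"tcpdump -n -n\\", on the environment variable \\$INTERFACE, scripted', True),
    "x2": (b"Cannot read $opetc/scripme.override -- are you root?", False),
    "x3": (b"$ENV{EXPLOIT_SCRIPME}", False),
    "x4": (b"$opetc/scripme.override", False),
}
MAX_FILESIZE = 30 * 1024  # YARA's "30KB" is 30 * 1024 bytes


def _fullword_hit(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's fullword modifier: an occurrence counts only if no
    alphanumeric byte touches either end of it. Scans every occurrence."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
        start = i + 1


def evaluate(data: bytes):
    """Return (matched, hit_names) for one file body, following the rule's
    condition: filesize < 30KB and 1 of them."""
    hits = []
    for name, (needle, fullword) in PATTERNS.items():
        found = _fullword_hit(data, needle) if fullword else needle in data
        if found:
            hits.append(name)
    matched = len(data) < MAX_FILESIZE and len(hits) >= 1
    return matched, hits


# Constructed sample inputs (not real samples).
SAMPLE_HIT = (
    b"#!/usr/bin/perl\n"
    b'die "Cannot read $opetc/scripme.override -- are you root?" unless -r "$opetc/scripme.override";\n'
)
SAMPLE_CLEAN = b"#!/usr/bin/perl\nprint 'hello';\n"
# Same strings, but padded past the 30KB bound: the rule's condition no longer holds.
SAMPLE_OVERSIZE = SAMPLE_HIT + b"\x00" * (30 * 1024)
# $x1 surrounded by non-alphanumerics (matches) versus followed by a digit (fullword fails).
X1_EMBEDDED = b"# " + PATTERNS["x1"][0] + b"\n"
X1_NOT_FULLWORD = b"#" + PATTERNS["x1"][0] + b"9\n"

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN),
                       ("oversize", SAMPLE_OVERSIZE), ("x1", X1_EMBEDDED),
                       ("x1-not-fullword", X1_NOT_FULLWORD)]:
        print(label, evaluate(buf))
```

The oversize case is the caveat a tuner should keep in mind: the filesize bound exists to cut false positives on large files, so a copy of the same content that is larger than 30 KB does not fire this rule, and coverage for that case has to come from a different rule or a file-hash indicator such as the hash1 value in the meta section.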
Scenario: Legitimate scheduled job using scripme for script execution
Description: A system administrator schedules a PowerShell script using scripme as part of a legitimate automation task.
Filter/Exclusion: Exclude processes where the command line includes scripme and the script path is within a known admin tools directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: Use of scripme by a legitimate security tool for analysis
Description: A security tool or incident response platform uses scripme to execute scripts for forensic analysis or malware unpacking.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., Process Explorer, ProcMon, or Wireshark).
Scenario: Administrative task involving script execution via scripme
Description: An admin runs a script using scripme to perform routine system maintenance or configuration changes.
Filter/Exclusion: Exclude processes where the user is a domain admin and the script path is within a known admin scripts directory (e.g., C:\AdminScripts\).
Scenario: Use of scripme by a legitimate file-based scripting tool
Description: A file-based scripting tool (e.g., PowerShell, Batch, or Python) uses scripme as part of its execution logic.
Filter/Exclusion: Exclude processes where the file extension is .ps1, .bat, or .py, and the execution context is within a known scripting environment.
Scenario: False positive from a third-party tool using scripme as a module name
Description: A third-party application or framework uses scripme as a module
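The exclusions listed in the scenarios above are easy to get wrong when they are written as naive string prefix checks, so here is an added example (not part of the original page and not a Sentinel query) that applies the first four exclusions to constructed process events in Python. The event field names, the executable names assumed for the "known security tools" (procexp.exe, procmon.exe, wireshark.exe) and the set of script hosts taken to be a "known scripting environment" are assumptions of this example; the page names products and directories, not executables. The path check normalises case and collapses ".." so that a path written as C:\Windows\System32\..\Temp\x.ps1 is not mistaken for System32.

```python
import ntpath

# Exclusion lists from the page's scenarios. Executable names for the security
# tools and script hosts are assumptions of this example.
ADMIN_TOOL_DIRS = (r"C:\Windows\System32", r"C:\Program Files")      # scenario 1
SECURITY_TOOL_PARENTS = {"procexp.exe", "procmon.exe", "wireshark.exe"}  # scenario 2 (assumed names)
ADMIN_SCRIPT_DIRS = (r"C:\AdminScripts",)                             # scenario 3
SCRIPT_EXTENSIONS = {".ps1", ".bat", ".py"}                           # scenario 4
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe"}  # scenario 4 (assumed)


def _under(path: str, roots) -> bool:
    r"""True if path lies inside one of roots after normalisation.
    ntpath.normpath collapses '..' and '.', casefold() removes case differences,
    and the trailing separator stops C:\AdminScriptsEvil matching C:\AdminScripts."""
    p = ntpath.normpath(path).casefold()
    for root in roots:
        r = ntpath.normpath(root).casefold()
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def exclusion_reason(event: dict):
    """Return the name of the first exclusion covering this event, or None if it should alert."""
    if "scripme" not in event["command_line"].casefold():
        return None  # outside the scope of this rule's tuning
    parent = ntpath.basename(event["parent_image"]).casefold()
    ext = ntpath.splitext(event["script_path"])[1].casefold()
    if _under(event["script_path"], ADMIN_TOOL_DIRS):
        return "scheduled-admin-job"
    if parent in SECURITY_TOOL_PARENTS:
        return "security-tool-parent"
    if event["domain_admin"] and _under(event["script_path"], ADMIN_SCRIPT_DIRS):
        return "admin-maintenance"
    if ext in SCRIPT_EXTENSIONS and parent in SCRIPT_HOSTS:
        return "script-host-child"
    return None


def triage(events):
    """Split events into alert ids and (id, reason) pairs for suppressed events,
    keeping the reason so suppressions stay auditable."""
    alerts, suppressed = [], []
    for ev in events:
        why = exclusion_reason(ev)
        if why is None:
            alerts.append(ev["id"])
        else:
            suppressed.append((ev["id"], why))
    return alerts, suppressed


# Constructed process events (not real telemetry).
EVENTS = [
    {"id": 1, "command_line": r"scripme C:\Windows\System32\backup.ps1",
     "script_path": r"C:\Windows\System32\backup.ps1",
     "parent_image": r"C:\Windows\System32\svchost.exe", "domain_admin": False},
    # '..' would slip past a naive prefix check on "C:\Windows\System32".
    {"id": 2, "command_line": r"scripme C:\Windows\System32\..\Temp\update.ps1",
     "script_path": r"C:\Windows\System32\..\Temp\update.ps1",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "domain_admin": False},
    {"id": 3, "command_line": r"scripme unpack.py",
     "script_path": r"C:\Tools\unpack.py",
     "parent_image": r"C:\SysinternalsSuite\procmon.exe", "domain_admin": False},
    {"id": 4, "command_line": r"scripme C:\AdminScripts\rotate-logs.ps1",
     "script_path": r"C:\AdminScripts\rotate-logs.ps1",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "domain_admin": True},
    {"id": 5, "command_line": r"scripme C:\Users\bob\Downloads\setup.pl",
     "script_path": r"C:\Users\bob\Downloads\setup.pl",
     "parent_image": r"C:\Windows\System32\cmd.exe", "domain_admin": False},
]

if __name__ == "__main__":
    alerts, suppressed = triage(EVENTS)
    print("alert:", alerts)
    print("suppressed:", suppressed)
```

Two design points worth keeping when these exclusions are moved into a real query: record the reason for every suppression so the tuning can be reviewed, and treat the parent-process exclusion (scenario 2) as the broadest of the four, since any script launched under one of those tools is silenced regardless of path or user.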