The Equation Group hack tool set is associated with advanced persistent threats and may indicate the presence of sophisticated malware or espionage activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced threats before they escalate.
YARA Rule
rule EquationGroup_seconddate_ImplantStandalone_3_0_3 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "d687aa644095c81b53a69c206eb8d6bdfe429d7adc2a57d87baf8ff8d4233511"
    strings:
        $s1 = "EFDGHIJKLMNOPQRSUT" fullword ascii
        $s2 = "G8HcJ HcF LcF0LcN" fullword ascii
        $s3 = "GhHcJ0HcF@LcF0LcN8H" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 1000KB and all of them )
}
This rule contains 3 string patterns in its detection logic.
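To see exactly what the condition above accepts, the following added example (written for this page, not taken from the rule author or from YARA itself) re-implements the rule's three condition terms in plain Python and runs them over constructed byte buffers. Note that uint16(0) == 0x457f is the little-endian reading of the bytes 0x7f 'E', the start of the ELF magic, so the rule only fires on ELF files, and that YARA's fullword modifier requires each string to be delimited by non-alphanumeric bytes; the samples are constructed and are not real malware.

```python
import re
import struct

# The three fullword ASCII strings from the rule, verbatim.
STRINGS = {
    "$s1": b"EFDGHIJKLMNOPQRSUT",
    "$s2": b"G8HcJ HcF LcF0LcN",
    "$s3": b"GhHcJ0HcF@LcF0LcN8H",
}
MAX_SIZE = 1000 * 1024  # YARA's "1000KB" (KB is 1024 bytes in YARA)


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be adjacent to alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> dict:
    """Evaluate each term of the rule's condition; 'match' is their conjunction."""
    # uint16(0) reads the first two bytes little-endian; 0x457f == b"\x7fE",
    # the start of the ELF magic, so only ELF files can satisfy the rule.
    magic_ok = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F
    size_ok = len(data) < MAX_SIZE
    hits = {name: fullword_present(data, s) for name, s in STRINGS.items()}
    return {
        "elf_magic": magic_ok,
        "size_ok": size_ok,
        "strings": hits,
        "match": magic_ok and size_ok and all(hits.values()),
    }


# Constructed samples (not real files): an ELF-like header followed by the
# three strings separated by NUL bytes; the same payload behind a PE-like
# "MZ" header; and an ELF where $s1 is glued to letters, so fullword fails.
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
PE_HEADER = b"MZ" + b"\x00" * 14
PAYLOAD = b"\x00".join(STRINGS.values()) + b"\x00"

SAMPLE_ELF = ELF_HEADER + b"\x00" * 32 + PAYLOAD
SAMPLE_PE = PE_HEADER + b"\x00" * 32 + PAYLOAD
SAMPLE_GLUED = ELF_HEADER + b"\x00" * 32 + b"XX" + PAYLOAD

if __name__ == "__main__":
    for name, blob in [("elf", SAMPLE_ELF), ("pe", SAMPLE_PE), ("glued", SAMPLE_GLUED)]:
        print(name, rule_matches(blob))
```

Only the first sample matches: the PE-like buffer fails the magic check even though all three strings are present, and the glued buffer fails because $s1 is preceded by an alphanumeric byte.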
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance job that uses a tool similar to those in the Equation Group toolkit, such as msiexec or regsvr32, to update or repair system components.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known legitimate names (e.g., Task Scheduler or Windows Update). Use a filter like:
(process.name = "msiexec.exe" or process.name = "regsvr32.exe") and (process.parent.name = "schtasks.exe" or process.parent.name = "svchost.exe")
Scenario: Software Deployment via Group Policy
Description: An IT department is deploying a legitimate software package using Group Policy, which may involve tools like msiexec or setup.exe that resemble Equation Group tools.
Filter/Exclusion: Exclude processes initiated by Group Policy client services. Use a filter like:
(process.name = "msiexec.exe" or process.name = "setup.exe") and (process.parent.name = "gpupdate.exe" or process.parent.name = "svchost.exe")
Scenario: Security Tool or Antivirus Scan
Description: A security tool or antivirus software (e.g., Microsoft Defender, Malwarebytes) may use similar command-line tools or scripts that match the Equation Group detection logic.
Filter/Exclusion: Exclude processes associated with known security tools. Use a filter like:
(process.name = "MsMpEng.exe" or process.name = "mbam.exe") and (process.parent.name = "svchost.exe" or process.parent.name = "taskeng.exe")
Scenario: Scripted Administrative Task