This hunt hypothesis covers potential adversary use of the leaked Equation Group tool slugger2 to run commands against, or pull data from, targeted systems. The usage string embedded in the binary (hostip port cmd [printer_name]) shows that the tool takes a target host, port and command, with an optional printer name, and the rule's ELF magic check shows it is a Linux/Unix binary, so the file on disk is the hunting artifact rather than any Windows process. SOC teams should proactively hunt for this file in Azure Sentinel (for example via collected file hashes and forwarded YARA scan results) to identify and mitigate advanced persistent threat activity that leverages leaked offensive tooling.
YARA Rule
rule EquationGroup_slugger2 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file slugger2"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf"
    strings:
        $x1 = "usage: %s hostip port cmd [printer_name]" fullword ascii
        $x2 = "command must be less than 61 chars" fullword ascii
        $s1 = "__rw_read_waiting" fullword ascii
        $s2 = "completed.1" fullword ascii
        $s3 = "__mutexkind" fullword ascii
        $s4 = "__rw_pshared" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and ( 4 of them and 1 of ($x*) ) ) or ( all of them )
}
This YARA rule is a file-content rule: it can be deployed in any context that scans files at rest or in transit (endpoint YARA scanners, file-ingest and sandbox pipelines, share sweeps), with the results forwarded to Azure Sentinel for hunting. It contains 6 string patterns: two $x strings that are the tool's own usage and error messages, and four $s strings that are generic names from the GNU toolchain and the old LinuxThreads pthread headers. The condition therefore only accepts the looser match (4 of the 6 strings, at least one of them an $x string) for small ELF files (uint16(0) == 0x457f is the ELF magic 7f 45 read little-endian; filesize < 50KB), and otherwise requires all six strings regardless of file type.
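To make the condition above concrete, the following is an added example (not part of the original page and not Florian Roth's code) that re-implements the rule's string set and condition in plain Python, builds a few constructed ELF-like samples, and applies a triage step that compares a hit against the known hash1 and suppresses hits inside an assumed analyst sample store. The sample-store paths and the sample bytes are hypothetical; in production you would compile the rule itself with yara-python rather than re-implement it, and use this only to trace why a given file did or did not match.

```python
import hashlib
import re

# Patterns copied from the rule above, keyed by their YARA identifiers.
X_STRINGS = {
    "$x1": b"usage: %s hostip port cmd [printer_name]",
    "$x2": b"command must be less than 61 chars",
}
S_STRINGS = {
    "$s1": b"__rw_read_waiting",
    "$s2": b"completed.1",
    "$s3": b"__mutexkind",
    "$s4": b"__rw_pshared",
}
ALL_STRINGS = {**X_STRINGS, **S_STRINGS}

ELF_MAGIC = b"\x7fE"        # uint16(0) == 0x457f, little-endian, is the byte pair 7f 45
MAX_FILESIZE = 50 * 1024    # YARA's "50KB" (KB = 1024 bytes)
HASH1 = "a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf"

# Assumed allowlist of analyst sample stores; hypothetical paths, not from the page.
SAMPLE_STORE_PREFIXES = ("/srv/malware-samples/", "/home/analyst/samples/")


def fullword_present(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword ascii': the match may not be bordered by alphanumeric bytes."""
    rx = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(rx, data) is not None


def matched_strings(data: bytes) -> set:
    """Return the identifiers of all rule strings found in data."""
    return {name for name, pat in ALL_STRINGS.items() if fullword_present(data, pat)}


def rule_matches(data: bytes) -> bool:
    """Evaluate: (small ELF and 4 of them and 1 of ($x*)) or (all of them)."""
    hits = matched_strings(data)
    small_elf = data[:2] == ELF_MAGIC and len(data) < MAX_FILESIZE
    has_x = any(name.startswith("$x") for name in hits)
    clause_small_elf = small_elf and len(hits) >= 4 and has_x
    clause_all = len(hits) == len(ALL_STRINGS)
    return clause_small_elf or clause_all


def build_sample(strings, elf: bool = True, pad: int = 0) -> bytes:
    """Constructed test input: a minimal ELF (or non-ELF) header, then NUL-separated strings."""
    if elf:
        header = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    else:
        header = b"MZ" + b"\x00" * 14
    return header + b"\x00".join(strings) + b"\x00" + b"\x00" * pad


def triage(path: str, data: bytes) -> str:
    """Turn a scan hit into a hunting verdict, applying the hash check and path allowlist."""
    if not rule_matches(data):
        return "no-match"
    if hashlib.sha256(data).hexdigest() == HASH1:
        verdict = "match-known-leaked-sample"   # the exact file from the leak
    else:
        verdict = "match-variant"               # same strings, different bytes: investigate
    if path.startswith(SAMPLE_STORE_PREFIXES):
        return verdict + "-in-allowlisted-sample-store"
    return verdict + "-alert"


if __name__ == "__main__":
    full = build_sample(list(ALL_STRINGS.values()))
    s_only = build_sample(list(S_STRINGS.values()))
    print(sorted(matched_strings(full)), rule_matches(full))
    print(sorted(matched_strings(s_only)), rule_matches(s_only))
    print(triage("/srv/malware-samples/slugger2", full))
    print(triage("/tmp/.x/slugger2", full))
```

The point of the two clauses shows up directly in the samples: a small ELF that contains only the four generic $s strings is not a hit, a small ELF with three $s strings and one $x string is, and a file of any type or size that contains all six strings is. The triage step keeps the allowlisted hit visible as a labelled verdict rather than dropping it, so a copy of the sample that migrates outside the sample store still alerts.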
Scenario: Malware Research Sample Repositories
Description: Analysts and detection engineers commonly keep the leaked ShadowBrokers archive, including the slugger2 ELF binary (hash1 above), in a sample store for analysis and rule testing, so the rule fires on every scan of that store.
Filter/Exclusion: Allowlist the sample store by file path (a dedicated, access-controlled directory) and treat a hit whose SHA256 equals hash1 as the known leaked file rather than a new discovery. Do not filter on process or parent-process names: this is a file-content rule and has no process context, and the file is a Linux ELF binary, not a Windows executable.
Scenario: Rule Validation and Security Tool Test Corpora
Description: YARA rule CI pipelines and EDR or scanner validation runs scan reference samples on purpose and produce expected hits.
Filter/Exclusion: Tag or exclude the hosts and paths dedicated to the test corpus, but keep the hit visible as informational so that a reference sample copied outside the corpus still alerts.
Scenario: Unrelated ELF Binaries Sharing the $s Strings
Description: The four $s strings are generic names emitted by the GNU toolchain (completed.1) and defined in the old LinuxThreads pthread headers (__rw_read_waiting, __rw_pshared, __mutexkind), so they can occur in other Linux binaries. The condition only accepts the 4-of-them match for small ELF files when at least one $x usage string is also present, so such binaries do not match on the $s strings alone.
Filter/Exclusion: None needed. When tuning the rule, keep the 1 of ($x*) requirement rather than loosening the condition to a plain 4 of them.
Scenario: Copies of the Leak on Backup or File Servers
Description: Backups and file-share copies of an analyst's sample store duplicate the file onto systems that are not themselves research hosts.
Filter/Exclusion: Exclude the backup location that mirrors the allowlisted sample store or