The hunt hypothesis detects potential adversary use of the Equation Group hack tool, which was leaked by ShadowBrokers, to execute malicious file operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity that may leverage outdated but highly effective exploitation tools.
YARA Rule
rule EquationGroup_smash {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file smash"
author = "Florian Roth"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6"
strings:
$x1 = "T=<target IP> [O=<port>] Y=<target type>" fullword ascii
$x2 = "no command given!! bailing..." fullword ascii
$x3 = "no port. assuming 22..." fullword ascii
condition:
filesize < 250KB and 1 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to the presence of the word “smash” in the task name or command line.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance task names (e.g., CleanupTask, DiskCleanup).
Scenario: File System Integrity Check Using fsutil
Description: The fsutil.exe tool is used for file system operations, and certain commands may include the word “smash” in their output or log entries, leading to a false positive.
Filter/Exclusion: Exclude processes where the command line includes fsutil and the operation is related to disk checks or file system integrity.
Scenario: Admin Task Using PowerShell to Delete Temporary Files
Description: A PowerShell script run by an admin to delete temporary files might use a command like Remove-Item with a wildcard that includes “smash” in the path.
Filter/Exclusion: Exclude PowerShell scripts executed by admin users with paths containing temporary directories (e.g., C:\Windows\Temp\*).
Scenario: Antivirus Quarantine Process
Description: Antivirus software may move files to quarantine, and the process name or log might contain the term “smash” when describing the action.
Filter/Exclusion: Exclude processes related to antivirus quarantine operations (e.g., MsMpEng.exe, Windows Defender).
Scenario: Log File Rotation or Compression Using RoboCopy
Description: The robocopy.exe tool is used for file copying and may include the word “smash” in log entries or command lines during log rotation or compression tasks.