This detection identifies the presence or use of sshobo, an Equation Group hack tool leaked by the ShadowBrokers, which may indicate adversary use of leaked advanced persistent threat capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threat activity early.
YARA Rule
rule EquationGroup_sshobo {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "c7491898a0a77981c44847eb00fb0b186aa79a219a35ebbca944d627eefa7d45"
   strings:
      $x1 = "Requested forwarding of port %d but user is not root." fullword ascii
      $x2 = "internal error: we do not read, but chan_read_failed for istate" fullword ascii
      $x3 = "~# - list forwarded connections" fullword ascii
      $x4 = "packet_inject_ignore: block" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 600KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
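To make the rule's condition concrete, the following added example (not code from the original page, nor tooling from the rule's author) evaluates the same three checks in pure Python: the little-endian `uint16(0)` read that must equal the ELF magic `0x457f`, the `filesize < 600KB` bound, and all four `fullword ascii` strings. The sample buffers are constructed inline; `build_sample`, `matches_rule` and `fullword_match` are names chosen here, not YARA APIs. Returning the count of matched strings, rather than only the final verdict, lets an analyst see partial hits while tuning.

```python
"""
Pure-Python evaluation of the EquationGroup_sshobo conditions.
Added example; the sample buffers below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# The four string patterns from the rule, all declared `fullword ascii`.
STRINGS: List[bytes] = [
    b"Requested forwarding of port %d but user is not root.",
    b"internal error: we do not read, but chan_read_failed for istate",
    b"~# - list forwarded connections",
    b"packet_inject_ignore: block",
]
ELF_MAGIC_LE = 0x457F      # uint16(0) of b"\x7fELF" read little-endian
MAX_SIZE = 600 * 1024      # filesize < 600KB (YARA's KB suffix is 1024 bytes)


def uint16_le(data: bytes, offset: int = 0) -> Optional[int]:
    """YARA-style uint16(offset): little-endian 16-bit read, None if out of range."""
    if len(data) < offset + 2:
        return None
    return data[offset] | (data[offset + 1] << 8)


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """Mimic YARA `fullword`: the match must not be bordered by alphanumeric bytes."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None


def matches_rule(data: bytes) -> Dict[str, object]:
    """Evaluate magic, size and `all of them`; report per-check results."""
    matched = [p for p in STRINGS if fullword_match(data, p)]
    magic_ok = uint16_le(data) == ELF_MAGIC_LE
    size_ok = len(data) < MAX_SIZE
    return {
        "elf_magic": magic_ok,
        "size_ok": size_ok,
        "strings_matched": len(matched),
        "hit": magic_ok and size_ok and len(matched) == len(STRINGS),
    }


def build_sample(*, elf: bool, strings: List[bytes], pad: int = 0) -> bytes:
    """Constructed test buffer: ELF or non-ELF header, NUL-separated strings, padding."""
    header = b"\x7fELF" if elf else b"MZ\x90\x00"
    return header + b"\x00" * 60 + b"\x00".join(strings) + b"\x00" * pad


def scan_file(path: str) -> Dict[str, object]:
    """Apply the same checks to a file on disk."""
    with open(path, "rb") as fh:
        return matches_rule(fh.read())


if __name__ == "__main__":
    full = build_sample(elf=True, strings=STRINGS)
    partial = build_sample(elf=True, strings=STRINGS[:3])
    not_elf = build_sample(elf=False, strings=STRINGS)
    for name, buf in (("all four strings", full), ("three strings", partial), ("non-ELF", not_elf)):
        print(name, matches_rule(buf))
```

A buffer carrying only three of the four strings reports `strings_matched == 3` and `hit == False`, which is what the rule's `all of them` requires; swapping it for `any of them` in a hunting copy of the rule would surface such partial overlaps for review, at the cost of more noise.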
Scenario: Legitimate SSH Configuration File Update
Description: A system administrator updates the SSH configuration file (/etc/ssh/sshd_config) as part of routine maintenance or security hardening.
Filter/Exclusion: Check for file modification by a known admin user (e.g., root or admin) and verify the file path matches a standard SSH config location.
Scenario: Scheduled Job Using sshobo as a Script Name
Description: A scheduled job (e.g., via cron or Task Scheduler) runs a script named sshobo that is part of a legitimate automation tool or internal script repository.
Filter/Exclusion: Filter by process owner (e.g., system, service, or user) and check if the script is located in a known internal script directory (e.g., /opt/scripts/).
Scenario: File Integrity Monitoring Tool Generating Alerts
Description: A file integrity monitoring (FIM) tool like Tripwire or OSSEC flags the sshobo file as a change due to legitimate configuration updates or file rotations.
Filter/Exclusion: Exclude files that are part of FIM tool configurations or known baseline files.
Scenario: Malware Analysis Lab Environment
Description: The sshobo file is part of a malware analysis lab setup where the tool is used for testing and analysis of Equation Group artifacts.
Filter/Exclusion: Filter based on the source IP or network segment used for internal security research and analysis.
Scenario: Legitimate File Transfer via SFTP
Description: A file named sshobo is transferred via SFTP as part of a legitimate data transfer process, such as backup or log file exchange.
Filter/Exclusion: Check for file transfer via known SFTP users and verify the file type and