This detection identifies potential use of the Equation Group hack tool 'telex' leaked by ShadowBrokers. A match could indicate adversary activity using leaked advanced-persistent-threat tooling. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated cyber adversaries.
YARA Rule
rule EquationGroup_telex {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file telex"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "e9713b15fc164e0f64783e7a2eac189a40e0a60e2268bd7132cfdc624dfe54ef"
   strings:
      $x1 = "usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>" fullword ascii
      $x2 = "target is not vulnerable. exiting" fullword ascii
      $s3 = "Sending final buffer: evil_blocks and shellcode..." fullword ascii
      $s4 = "Timeout waiting for daemon to die. Exploit probably failed." fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 50KB and 1 of them )
}
This rule contains 4 string patterns in its detection logic.
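To make the rule's condition concrete, the following added example (not part of the original page or of the rule author's code) re-implements its three checks in plain Python: the little-endian `uint16(0)` ELF magic test, the 50KB size bound, and the "1 of them" match with YARA's `fullword` border semantics. The sample buffers it is run on are constructed here and are not real telex binaries.

```python
import re
import struct

# The four patterns taken from the EquationGroup_telex rule above.
TELEX_STRINGS = [
    b"usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>",
    b"target is not vulnerable. exiting",
    b"Sending final buffer: evil_blocks and shellcode...",
    b"Timeout waiting for daemon to die. Exploit probably failed.",
]

# YARA's "fullword" modifier: the match must not be bordered by alphanumeric bytes.
FULLWORD_PATTERNS = [
    re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")
    for s in TELEX_STRINGS
]

MAX_SIZE = 50 * 1024  # YARA's "50KB" is 50 * 1024 bytes


def matches_telex_rule(data: bytes) -> bool:
    """Evaluate the rule's condition: ELF magic, size bound, and any one fullword hit."""
    if len(data) < 2:
        return False
    # uint16(0) in YARA is read little-endian, so the ELF magic 7f 45 4c 46
    # yields 0x457f (0x45 << 8 | 0x7f).
    magic = struct.unpack_from("<H", data, 0)[0]
    if magic != 0x457F:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return any(p.search(data) for p in FULLWORD_PATTERNS)


def constructed_sample(payload: bytes, elf: bool = True, pad: int = 0) -> bytes:
    """Build a constructed test buffer: a fake ELF (or MZ) header, then the payload."""
    header = b"\x7fELF" if elf else b"MZ\x90\x00"
    return header + b"\x00" * 60 + payload + b"\x00" * pad


if __name__ == "__main__":
    hit = constructed_sample(b"\x00target is not vulnerable. exiting\x00")
    miss = constructed_sample(b"\x00target is not vulnerable. exiting\x00", elf=False)
    print("ELF with rule string:", matches_telex_rule(hit))    # True
    print("Non-ELF with rule string:", matches_telex_rule(miss))  # False
```

Note that the `fullword` border check is why a string embedded inside a longer alphanumeric token does not fire, and the size bound is why a large file carrying the same strings is silently skipped by this rule.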
Scenario: Legitimate use of telex for encrypted communication
Description: A security team or internal admin uses the telex tool (a real encryption tool) for secure internal communication or data transfer.
Filter/Exclusion: Exclude processes where the telex executable is executed by users in the security or admin group, or where the command line includes known internal communication flags or IP ranges.
Scenario: Scheduled job running telex for data backup
Description: A scheduled job uses telex to encrypt and transfer backup data to a secure storage location.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., cron, task scheduler) and where the destination IP is a known internal backup server.
Scenario: Admin using telex to secure sensitive logs
Description: An admin uses telex to encrypt sensitive system logs before sending them to a centralized log management system.
Filter/Exclusion: Exclude processes where the user is a domain admin and the destination is a known log management system (e.g., SIEM server IP).
Scenario: Telex used as part of a legitimate penetration test
Description: A red team or security consultant uses telex as part of a controlled penetration test to simulate encrypted data exfiltration.
Filter/Exclusion: Exclude processes where the user has a specific penetration testing role or where the activity is logged under a known test environment.
Scenario: Telex used for secure remote administration
Description: An admin uses telex to securely connect to remote systems for maintenance or troubleshooting.
Filter/Exclusion: Exclude processes where the user is a privileged admin and the connection is to a known internal network or remote management system.