The Equation Group hack tool set is associated with advanced persistent threat actors and may indicate the presence of sophisticated malware or covert data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term adversary presence and mitigate advanced threats before they escalate.
YARA Rule
rule EquationGroup_tmpwatch {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "65ed8066a3a240ee2e7556da74933a9b25c5109ffad893c21a626ea1b686d7c1"
    strings:
        $s1 = "chown root:root /tmp/.scsi/dev/bin/gsh" fullword ascii
        $s2 = "chmod 4777 /tmp/.scsi/dev/bin/gsh" fullword ascii
    condition:
        ( filesize < 1KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule's detection logic uses two string patterns; either one, found in a file smaller than 1 KB, is enough to trigger a match.
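To make the condition concrete, here is an added Python emulation of this rule's matching logic (it is not yara-python and not part of the original page). It assumes YARA's fullword semantics (no alphanumeric byte on either side of the match) and 1KB = 1024 bytes; the sample inputs are constructed for the demonstration.

```python
import re
from typing import Dict, List

# The two fullword ASCII strings copied from the rule body.
RULE_STRINGS: Dict[str, bytes] = {
    "$s1": b"chown root:root /tmp/.scsi/dev/bin/gsh",
    "$s2": b"chmod 4777 /tmp/.scsi/dev/bin/gsh",
}
MAX_FILESIZE = 1024  # "filesize < 1KB"; YARA's KB multiplier is 1024 (assumption stated in lead-in)


def _fullword_pattern(s: bytes):
    # fullword: the match may not be preceded or followed by an alphanumeric byte.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword_pattern(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> List[str]:
    """Return the identifiers ($s1, $s2) of rule strings found as fullword matches."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def equationgroup_tmpwatch(data: bytes) -> bool:
    """Emulate the rule condition: ( filesize < 1KB and 1 of them )."""
    return len(data) < MAX_FILESIZE and len(matched_strings(data)) >= 1


# Constructed sample 1: a tiny script containing both rule strings -> matches.
SAMPLE_DROPPER = (
    b"#!/bin/sh\n"
    b"chown root:root /tmp/.scsi/dev/bin/gsh\n"
    b"chmod 4777 /tmp/.scsi/dev/bin/gsh\n"
)
# Constructed sample 2: same content padded past 1 KB -> strings hit, filesize guard fails.
SAMPLE_PADDED = SAMPLE_DROPPER + b"# " + b"x" * 1100 + b"\n"
# Constructed sample 3: string glued to alphanumerics -> fullword modifier rejects it.
SAMPLE_EMBEDDED = b"echo xchmod 4777 /tmp/.scsi/dev/bin/gshx\n"


def scan_samples() -> Dict[str, bool]:
    """Run the emulated rule over the constructed samples."""
    samples = {"dropper": SAMPLE_DROPPER, "padded": SAMPLE_PADDED, "embedded": SAMPLE_EMBEDDED}
    return {name: equationgroup_tmpwatch(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The padded sample shows why the size guard matters for triage: the same strings in a larger file are silently ignored by this rule, so a SOC analyst should not read "no match" as "clean".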
Scenario: Legitimate System Maintenance Task
Description: A system administrator uses the EquationGroup tool (e.g., eqg.exe) in a scheduled maintenance job to clean up temporary files or update system configurations.
Filter/Exclusion: Check whether the process owner field shows known admin credentials, or filter by a process name with a known legitimate purpose (e.g., eqg.exe used in a documented maintenance script).
Scenario: Scheduled Job for Log Analysis
Description: A scheduled job runs a script that uses the Equation Group tool to parse and analyze system logs as part of the enterprise's log management process.
Filter/Exclusion: Filter by process execution context (e.g., SYSTEM or a known log-analysis service account), or check for log-analysis-related command-line arguments.
Scenario: Third-Party Software Update
Description: A third-party software update package includes a component named EquationGroup that is used for patching or configuration during installation.
Filter/Exclusion: Filter by file path (e.g., C:\Program Files\ThirdParty\eqg.exe), or check for a known update package signature or hash.
Scenario: Security Tool for Threat Hunting
Description: A security team uses a tool named EquationGroup in its threat-hunting toolkit to simulate attack scenarios or analyze network traffic.
Filter/Exclusion: Filter by user context (e.g., SecurityTeamUser), or check for a known threat-hunting tool identifier in the process metadata.
Scenario: Legacy System Compatibility Check
Description: A legacy system compatibility check uses the Equation Group tool to verify system integrity or compatibility with older software.
Filter/Exclusion: Filter by machine name (e.g