Equation Group hack tool leaked by ShadowBrokers- file tnmunger

Hunt Hypothesis

The detection identifies potential adversary use of the Equation Group hack tool, tnmunger, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated cyber adversaries.

YARA Rule

rule EquationGroup_tnmunger {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "1ab985d84871c54d36ba4d2abd9168c2a468f1ba06994459db06be13ee3ae0d2"
   strings:
      $s1 = "TEST: mungedport=%6d  pp=%d  unmunged=%6d" fullword ascii
      $s2 = "mungedport=%6d  pp=%d  unmunged=%6d" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 10KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Legitimate scheduled job using tnmunger tool
  Description: A system administrator schedules a legitimate maintenance task using the tnmunger tool for network monitoring or configuration management.
  Filter/Exclusion: Exclude processes where the command line includes -s or -t flags used for scheduled tasks, or filter by user root/Administrator with a known maintenance script.

• Scenario: Network monitoring tool using tnmunger
  Description: A security team uses the tnmunger tool as part of a network monitoring solution to analyze traffic patterns or detect anomalies.
  Filter/Exclusion: Exclude processes where the parent process is a known monitoring tool (e.g., snort, wireshark, or tcpdump) or filter by a specific network interface used for monitoring.

• Scenario: System update or patching using tnmunger
  Description: A patching tool or update manager uses tnmunger to apply system updates or configuration changes across the network.
  Filter/Exclusion: Exclude processes where the command line includes -u or -p flags for update operations, or filter by a known patching tool (e.g., WSUS, SCCM, or Ansible).

• Scenario: Backup or replication task using tnmunger
  Description: A backup solution uses tnmunger to replicate data between systems or verify backups.
  Filter/Exclusion: Exclude processes where the command line includes -b or -r flags for backup/replication, or filter by a known backup tool (e.g., Veeam, Commvault, or rsync).

• Scenario: Custom script or automation using tnmunger
  Description: A custom script or automation tool uses