The detection identifies potential adversary use of the Equation Group hack tool, toast_v3.2.0.1-linux, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated cyber adversaries.
YARA Rule
rule EquationGroup_toast_v3_2_0 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "2ce2d16d24069dc29cf1464819a9dc6deed38d1e5ffc86d175b06ddb691b648b"
    strings:
        $x2 = "Del --- Usage: %s -l file -w wtmp -r user" fullword ascii
        $s5 = "Roasting ->%s<- at ->%d:%d<-" fullword ascii
        $s6 = "rbnoil -Roasting ->" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and 1 of them )
}
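As an added example (not part of this page or of the original rule), the following plain-Python code evaluates the rule's condition by hand: it shows that uint16(0) == 0x457f reads the first two bytes little-endian (0x7f 0x45, the start of the ELF magic), that YARA's 50KB means 50 * 1024 bytes, and how fullword delimits each string, then applies the hash-allowlist triage from the false-positive scenarios below. The sample inputs and the allowlist are constructed; no yara-python install is assumed.

```python
import hashlib
import re

# The three strings from the rule above (hand-rolled matcher; added example)
STRINGS = [
    b"Del --- Usage: %s -l file -w wtmp -r user",
    b"Roasting ->%s<- at ->%d:%d<-",
    b"rbnoil -Roasting ->",
]
FILESIZE_LIMIT = 50 * 1024  # YARA's "50KB" is 50 * 1024 bytes
ELF_MAGIC_LE = 0x457F       # uint16(0) is little-endian: bytes 7f 45 ("\x7fE")


def _fullword(pattern):
    # YARA 'fullword': no alphanumeric byte directly before or after the match
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")


FULLWORD_PATTERNS = [_fullword(s) for s in STRINGS]


def matched_strings(data):
    """Names (decoded) of the rule strings present in data, fullword semantics."""
    return [s.decode() for s, p in zip(STRINGS, FULLWORD_PATTERNS) if p.search(data)]


def uint16_le(data, offset):
    if len(data) < offset + 2:
        return -1
    return int.from_bytes(data[offset:offset + 2], "little")


def rule_matches(data):
    # Same three clauses as the YARA condition: ELF magic, size bound, "1 of them"
    return (uint16_le(data, 0) == ELF_MAGIC_LE
            and len(data) < FILESIZE_LIMIT
            and len(matched_strings(data)) >= 1)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(data, known_good_sha256):
    """Hash-allowlist check from the false-positive guidance, applied before alerting."""
    if not rule_matches(data):
        return "no-match"
    return "allowlisted" if sha256_hex(data) in known_good_sha256 else "alert"


# Constructed sample inputs (not real toast binaries)
SUSPECT = b"\x7fELF" + b"\x00" * 60 + b"rbnoil -Roasting ->" + b"\x00" * 8
# Same string glued into a longer alphanumeric token: fullword must not fire
BENIGN = b"\x7fELF" + b"\x00" * 60 + b"xrbnoil -Roasting ->y" + b"\x00" * 8
# Non-ELF text carrying the string: the magic check rejects it
TEXT = b"rbnoil -Roasting ->\n"
```

Run it against a real allowlist by loading known-good SHA-256 digests into the set passed to triage.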
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate System Update or Patch Deployment
Description: A system administrator deploys a legitimate update or patch that includes a file with a similar name to the malicious file.
Filter/Exclusion: Check the file’s hash against a known good hash database or use a file integrity monitoring tool to verify the file’s legitimacy.
Example: file_hash = "known_good_hash"
Scenario: Scheduled Job Running Toast Tool for System Maintenance
Description: A scheduled job (e.g., cron job) runs a legitimate maintenance script that includes a tool with a similar name to the malicious file.
Filter/Exclusion: Verify the process owner and check if the process is associated with a known legitimate job or service.
Example: process_owner = "root" AND process_name = "system_maintenance.sh"
Scenario: Security Tool or EDR Agent Using Toast for Log Collection
Description: A security tool or endpoint detection and response (EDR) agent uses a tool named similarly to the malicious file for log collection or monitoring.
Filter/Exclusion: Check the process name and parent process to confirm it is part of a known security tool.
Example: process_name = "log_collector" AND parent_process = "edr_agent"
Scenario: Admin Task Involving File Manipulation or Debugging
Description: A system administrator performs a file manipulation or debugging task using a tool with a similar name to the malicious file.
Filter/Exclusion: Filter by user context (e.g., user = "admin") and check for known administrative tasks in the process command line.
Example: command_line = "debug_file.sh" AND user = "admin"
Scenario: Legacy Tool or Script with Similar Name
Description: An old or