The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "33c1b7fdee7c70604be1e7baa9eea231164e62d5d5090ce7f807f43229fe5c36"
    strings:
        $s1 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide
        $s2 = "(&(objectClass=user)(objectCategory=person)" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
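As an added illustration (not part of the original page or of the rule author's tooling), the following Python emulates this rule's condition so its logic can be checked against a constructed buffer: the MZ check behind uint16(0) == 0x5a4d, the 200KB size limit, and both strings as fullword wide (UTF-16LE, not flanked by alphanumeric characters). The two strings are LDAP filter fragments that select user objects; the sample buffer below is constructed, not a real binary.

```python
import struct

# UTF-16LE ("wide") encodings of the two strings from the rule above.
STRINGS = {
    "$s1": "(&(objectCategory=person)(objectClass=user)(cn=".encode("utf-16-le"),
    "$s2": "(&(objectClass=user)(objectCategory=person)".encode("utf-16-le"),
}
MAX_SIZE = 200 * 1024  # filesize < 200KB


def _is_wide_alnum(two: bytes) -> bool:
    """True if `two` is an ASCII alphanumeric encoded as a wide char, e.g. b'a\\x00'."""
    return len(two) == 2 and two[1] == 0 and two[0] < 128 and chr(two[0]).isalnum()


def _fullword_wide(data: bytes, pattern: bytes) -> bool:
    """Emulate YARA `fullword wide`: some hit must not be flanked by alnum wide chars."""
    start = data.find(pattern)
    while start != -1:
        end = start + len(pattern)
        before = data[max(0, start - 2):start]
        after = data[end:end + 2]
        if not _is_wide_alnum(before) and not _is_wide_alnum(after):
            return True
        start = data.find(pattern, start + 1)
    return False


def matches_rule(data: bytes) -> dict:
    """Evaluate the rule's condition; returns each check plus the overall verdict."""
    result = {
        # uint16(0) reads little-endian, so 0x5a4d is the bytes b"MZ".
        "mz_header": len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D,
        "size_ok": len(data) < MAX_SIZE,
    }
    for name, pattern in STRINGS.items():
        result[name] = _fullword_wide(data, pattern)
    result["match"] = all(result.values())  # "all of them" plus header and size
    return result


def build_sample(include_strings: bool = True) -> bytes:
    """Constructed buffer: MZ magic, padding standing in for headers, optional filters."""
    body = b"MZ" + b"\x00" * 62
    if include_strings:
        body += "(&(objectCategory=person)(objectClass=user)(cn=%s))".encode("utf-16-le")
        body += b"\x00\x00"
        body += "(&(objectClass=user)(objectCategory=person))".encode("utf-16-le")
    return body
```

Running matches_rule over real files is a way to confirm what a hit means before building the Sentinel query around it.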
This rule contains 2 string patterns in its detection logic. When the hunt is run in Azure Sentinel, the following scenarios describe legitimate activity that commonly produces noise, each with a suggested filter or exclusion:
Scenario: Scheduled system maintenance or patching using Windows Update or Group Policy
Filter/Exclusion: Check for ProcessName = "wuauclt.exe" or ProcessName = "gupdate.exe" and exclude based on known update processes.
Scenario: Legitimate use of PowerShell for administrative tasks, such as script execution or configuration management
Filter/Exclusion: Filter by ProcessName = "powershell.exe" and include only processes with known legitimate scripts or from trusted sources.
Scenario: Execution of Windows Task Scheduler jobs for routine system tasks (e.g., log cleanup, backup jobs)
Filter/Exclusion: Use ProcessName = "schtasks.exe" or check for CommandLine containing known task scheduler job names.
Scenario: Use of Microsoft Sysinternals tools like Process Explorer or Procmon for troubleshooting
Filter/Exclusion: Include ProcessName = "procexp.exe" or ProcessName = "procmon.exe" in the exclusion list.
Scenario: Execution of Windows Defender or Windows Security components during a scan or update
Filter/Exclusion: Filter by ProcessName = "MsMpEng.exe" or ProcessName = "WindowsDefender.exe" and exclude based on known security processes.