The hypothesis is that a match on this rule (EquationGroup Tool - April Leak, the AddResource utility from the Shadow Brokers "Lost in Translation" release cited in the rule metadata) indicates possible adversary use of leaked, well-engineered tooling that is now several years old and may have persisted in the environment unnoticed. SOC teams should proactively hunt for matching files and the associated hashes in Azure Sentinel to identify and remediate long-lived footholds that signature-based controls may have missed.
YARA Rule
rule EquationGroup_Toolset_Apr17__AddResource {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "e83e4648875d4c4aa8bc6f3c150c12bad45d066e2116087cdf78a4a4efbab6f0"
        hash2 = "5a04d65a61ef04f5a1cbc29398c767eada367459dc09c54c3f4e35015c71ccff"
    strings:
        $s1 = "%s cm 10 2000 \"c:\\MY DIR\\myapp.exe\" c:\\MyResourceData.dat" fullword ascii
        $s2 = "<PE path> - the path to the PE binary to which to add the resource." fullword ascii
        $s3 = "Unable to get path for target binary." fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and 2 of them )
}
This is a file-content rule: it fires on a PE image (uint16(0) == 0x5a4d is the little-endian "MZ" header) smaller than 300 KB that contains at least two of its three fullword ASCII strings. It therefore belongs wherever file bytes are available for scanning: endpoint on-disk and memory scanning, mail and file-share scanning, and sandbox artefact analysis. The two SHA-256 values in the meta section are the samples the rule was written against and can be hunted directly in any Sentinel table that records file hashes.
This rule contains 3 string patterns in its detection logic. They are usage and error text from the tool itself (a command-line example, a parameter description and a failure message), which is why two of three is sufficient; a hit should still be confirmed by pulling the file, checking its hash against the meta section and inspecting which strings matched.
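To make the three checks in the condition concrete, here is an added Python re-implementation of the rule's logic run over constructed buffers. It is example code written for this page, not the page's own code and not Florian Roth's; it is not a replacement for yara-python or the yara CLI, which is what a real deployment should use. It assumes YARA's documented semantics for uint16 (little-endian), the KB suffix (1024 bytes) and fullword (no alphanumeric byte directly before or after the match); a bare "MZ" prefix stands in for a full PE header, and every sample buffer is constructed, not real malware.

```python
"""Evaluator for the EquationGroup_Toolset_Apr17__AddResource rule condition.

Added example (not from the original page or rule set). Re-implements:
  uint16(0) == 0x5a4d  -> file starts with the little-endian bytes "MZ"
  filesize < 300KB     -> YARA's KB suffix means 1024 bytes
  2 of them            -> at least two of the three 'fullword ascii' strings
All sample buffers below are constructed test data.
"""
import hashlib
import re

# The three patterns, copied from the rule.  YARA's \\ and \" escapes are
# resolved here into the literal bytes that must appear in the file.
RULE_STRINGS = {
    "$s1": b'%s cm 10 2000 "c:\\MY DIR\\myapp.exe" c:\\MyResourceData.dat',
    "$s2": b"<PE path> - the path to the PE binary to which to add the resource.",
    "$s3": b"Unable to get path for target binary.",
}
MAX_FILESIZE = 300 * 1024  # 'filesize < 300KB'

# SHA-256 values from the rule's meta section (hash1, hash2).
KNOWN_HASHES = {
    "e83e4648875d4c4aa8bc6f3c150c12bad45d066e2116087cdf78a4a4efbab6f0",
    "5a04d65a61ef04f5a1cbc29398c767eada367459dc09c54c3f4e35015c71ccff",
}


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be directly preceded or followed
    by an alphanumeric byte, so b'xUnable to get ...' does not count."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> list:
    """Names of the rule strings found in data, in rule order."""
    return [name for name, s in RULE_STRINGS.items() if fullword_present(data, s)]


def evaluate(data: bytes) -> dict:
    """Apply the rule condition and return every sub-check for triage."""
    is_mz = data[:2] == b"MZ"          # uint16(0) == 0x5a4d, little-endian
    size_ok = len(data) < MAX_FILESIZE
    hits = matched_strings(data)
    digest = hashlib.sha256(data).hexdigest()
    return {
        "mz": is_mz,
        "size_ok": size_ok,
        "strings": hits,
        "match": is_mz and size_ok and len(hits) >= 2,
        "sha256": digest,
        "known_hash": digest in KNOWN_HASHES,  # matches hash1/hash2 from meta
    }


# Constructed test buffers (a bare "MZ" prefix stands in for a PE header).
_HDR = b"MZ" + b"\x00" * 62
SAMPLE_MATCH = _HDR + RULE_STRINGS["$s2"] + b"\x00" + RULE_STRINGS["$s3"] + b"\x00"
SAMPLE_NOT_PE = b"#!/bin/sh\n" + RULE_STRINGS["$s2"] + b"\n" + RULE_STRINGS["$s3"] + b"\n"
SAMPLE_ONE_STRING = _HDR + RULE_STRINGS["$s3"] + b"\x00"
# $s3 glued to a preceding letter fails the fullword test, leaving only $s2.
SAMPLE_NOT_FULLWORD = _HDR + b"x" + RULE_STRINGS["$s3"] + b"\x00" + RULE_STRINGS["$s2"] + b"\x00"
SAMPLE_TOO_BIG = SAMPLE_MATCH + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for name, buf in [("match", SAMPLE_MATCH), ("not_pe", SAMPLE_NOT_PE),
                      ("one_string", SAMPLE_ONE_STRING),
                      ("not_fullword", SAMPLE_NOT_FULLWORD),
                      ("too_big", SAMPLE_TOO_BIG)]:
        r = evaluate(buf)
        print(f"{name:13s} match={str(r['match']):5s} strings={r['strings']} "
              f"mz={r['mz']} size_ok={r['size_ok']}")
```

The point of returning each sub-check separately is triage: a file that carries two of the strings but is over 300 KB, or that has a string embedded inside a longer token, will not fire the rule, and the analyst can see which gate stopped it rather than just a silent non-match. The known_hash field reproduces the hash1/hash2 check an analyst would otherwise do by hand against the rule's meta section.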
The scenarios below are possible false-positive sources only where a file match is correlated with process telemetry in Sentinel. They do not affect the rule's own logic, which is evaluated on file contents and not on process names or command lines, so treat them as tuning candidates for the resulting alert rather than as reasons to suppress the file itself. Before excluding anything, confirm the file's hash and matched strings.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running under schtasks.exe or the Task Scheduler host to perform system maintenance (e.g., disk cleanup, log rotation).
Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, and filter out tasks with known maintenance names (e.g., DiskCleanup, LogClean).
Scenario: Windows Update or Patching Job
Description: A legitimate Windows Update or patching job using wusa.exe or msiexec.exe to install updates.
Filter/Exclusion: Filter out wusa.exe or msiexec.exe processes whose command lines carry the expected unattended-install switches (e.g., /quiet, /norestart) and whose package source is a known update path.
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job that runs a backup, either as T-SQL inside sqlservr.exe or via a sqlcmd.exe step.
Filter/Exclusion: Check for ProcessName containing sqlservr.exe or sqlcmd.exe, and verify the command line includes backup-related parameters (e.g., -Q "BACKUP DATABASE").
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool (e.g., Microsoft Defender, McAfee, Kaspersky) performing a full system scan.
Filter/Exclusion: Filter out processes with the vendor's documented service and scanner names (e.g., MsMpEng.exe, mcafee.exe, kavsvc.exe) and check that the command line is a documented scan invocation for that product.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script running powershell.exe to monitor system performance or