The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, legacy malware family that may be used for long-term persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_AdUser_Implant {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "fd2efb226969bc82e2e38769a10a8a751138db69f4594a8de4b3c0522d4d885f"
    strings:
        $s1 = ".?AVFeFinallyFailure@@" fullword ascii
        $s2 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic uses two string patterns: $s1, an ASCII MSVC RTTI type-name fragment, and $s2, a wide (UTF-16LE) LDAP filter for user objects. The condition requires both strings ("all of them") in a file that starts with the MZ header and is smaller than 40 KB.
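As an added example (not part of the original page or the rule author's tooling), the following pure-Python approximation of the rule's condition shows what each clause requires and lets an analyst sanity-check a buffer before running yara proper. The fullword handling is a simplification of YARA's, and every sample buffer is constructed here; none is a real file.

```python
# Added example: pure-Python approximation of the rule's condition, so an
# analyst can see what each clause requires before running yara proper.
# Sample buffers below are constructed here; none is a real file.

MZ_MAGIC = b"MZ"              # uint16(0) == 0x5a4d, little-endian
MAX_SIZE = 40 * 1024          # YARA's "40KB" means 40 * 1024 bytes
S1_ASCII = b".?AVFeFinallyFailure@@"
S2_WIDE = "(&(objectCategory=person)(objectClass=user)(cn=".encode("utf-16-le")


def _wide_alnum(ch: bytes) -> bool:
    """True if ch is a 2-byte UTF-16LE alphanumeric character."""
    return len(ch) == 2 and ch[1] == 0 and bytes([ch[0]]).isalnum()


def fullword_match(data: bytes, needle: bytes, width: int) -> bool:
    """Approximate YARA 'fullword': the match must not be flanked by an
    alphanumeric character of the same width (1 = ascii, 2 = wide)."""
    is_alnum = bytes.isalnum if width == 1 else _wide_alnum
    pos = data.find(needle)
    while pos != -1:
        before = data[max(pos - width, 0):pos]
        after = data[pos + len(needle):pos + len(needle) + width]
        if not is_alnum(before) and not is_alnum(after):
            return True
        pos = data.find(needle, pos + 1)
    return False


def matches_rule(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 40KB and all of them."""
    return (data[:2] == MZ_MAGIC
            and len(data) < MAX_SIZE
            and fullword_match(data, S1_ASCII, 1)
            and fullword_match(data, S2_WIDE, 2))


def constructed_samples() -> dict:
    """Constructed buffers exercising each clause of the condition."""
    pad = b"\x00" * 64
    hit = MZ_MAGIC + pad + S1_ASCII + pad + S2_WIDE + pad
    return {
        "hit": hit,                                     # every clause satisfied
        "not_pe": b"PK" + hit[2:],                      # same strings, no MZ header
        "ascii_only": MZ_MAGIC + pad + S1_ASCII + pad,  # 'all of them' fails
        "too_big": hit + b"\x00" * MAX_SIZE,            # filesize clause fails
        # ascii string glued to a letter, wide string followed by a wide letter
        "not_fullword": MZ_MAGIC + pad + b"x" + S1_ASCII + pad
                        + S2_WIDE + "a".encode("utf-16-le") + pad,
    }
```

Only the "hit" buffer satisfies every clause; the others each defeat exactly one, which is useful when explaining to a SOC team why a near-miss file did not alert.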
Scenario: Legitimate system update using msiexec.exe
Filter/Exclusion: process.name == "msiexec.exe" && process.args contains "update"
Scenario: Scheduled backup job using vssadmin.exe
Filter/Exclusion: process.name == "vssadmin.exe" && process.args contains "backup"
Scenario: Admin task using taskkill.exe to terminate a non-malicious process
Filter/Exclusion: process.name == "taskkill.exe" && process.args contains "/F /PID"
Scenario: PowerShell script running a legitimate configuration task using powershell.exe
Filter/Exclusion: process.name == "powershell.exe" && process.args contains "Configure-System.ps1"
Scenario: Antivirus scan using msmpeng.exe (Microsoft Antivirus engine)
Filter/Exclusion: process.name == "msmpeng.exe" && process.args contains "Scan"