Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hunt hypothesis detects potential adversary use of the EquationGroup tool, specifically the April Leak variant, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging known malware artifacts.

YARA Rule

rule EquationGroup_Toolset_Apr17_Architouch_1_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
   strings:
      $s1 = "[+] Target is %s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
  Filter/Exclusion: Check for process.parent.name == "schtasks.exe" and process.name == "cmd.exe" with a known benign command line.

• Scenario: Microsoft Equation Group Tool (Legacy Tool)
  Description: The actual EquationGroup tool (e.g., eqg.exe) is used for legitimate purposes in some enterprise environments for legacy system management.
  Filter/Exclusion: Check for process.name == "eqg.exe" and verify if it’s running from a known trusted location (e.g., C:\Windows\System32\).

• Scenario: PowerShell Script for Log Analysis
  Description: A PowerShell script (powershell.exe) is used by the security team to analyze logs or perform forensic analysis, which may include parsing similar data to the EquationGroup tool.
  Filter/Exclusion: Filter by process.name == "powershell.exe" and check for a known internal script path or command line arguments like -File "C:\Tools\log_analyzer.ps1".

• Scenario: Admin Task Using Windows Task Scheduler
  Description: An admin task using schtasks.exe to run a script or executable that performs system diagnostics or configuration changes.
  Filter/Exclusion: Check for process.parent.name == "schtasks.exe" and process.name == "cmd.exe" with a command line containing a known internal script or tool.

• Scenario: Antivirus or EDR Tool Scanning
  Description: A legitimate antivirus or EDR tool (e.g., msmpeng.exe, mpsvc.exe, or mfev.exe) may trigger similar behavior during a scan or file