The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated malware variant associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by threat actors leveraging known malicious tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
        hash2 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
        hash3 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
    strings:
        $s1 = "NtErrorMoreProcessingRequired" fullword ascii
        $s2 = "Command Format Error: Error=%x" fullword ascii
        $s3 = "NtErrorPasswordRestriction" fullword ascii
        $op0 = { 8a 85 58 ff ff ff 88 43 4d }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 600KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains four patterns in its detection logic: three fullword ASCII strings ($s1 to $s3) and one opcode sequence ($op0). The condition fires when any two of them are found in a file that begins with the MZ header (uint16(0) == 0x5a4d) and is smaller than 600KB.
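The following Python script is an added illustration, not part of the original page and not code from the rule's author; it re-implements only this rule's condition in plain Python so that an analyst can see how the three checks (MZ header, file size, "2 of them" with fullword matching) combine, and test it against constructed byte blobs. In production the rule is evaluated with yara or yara-python, not with this script. The sample inputs are constructed here; the patterns and the 600KB threshold (YARA's KB is 1024 bytes) come from the rule above.

```python
import re
import struct

# Patterns copied from the rule. "fullword ascii" means the text must not be
# directly preceded or followed by an alphanumeric character.
FULLWORD_STRINGS = [
    b"NtErrorMoreProcessingRequired",      # $s1
    b"Command Format Error: Error=%x",     # $s2
    b"NtErrorPasswordRestriction",         # $s3
]
OPCODE = bytes.fromhex("8a8558ffffff88434d")  # $op0, raw byte sequence
MAX_SIZE = 600 * 1024  # YARA's "filesize < 600KB" (KB = 1024 in YARA)

_WORD = rb"[A-Za-z0-9]"


def _fullword_present(data: bytes, s: bytes) -> bool:
    """True if s occurs in data as a whole word (YARA 'fullword' semantics)."""
    pattern = rb"(?<!" + _WORD + rb")" + re.escape(s) + rb"(?!" + _WORD + rb")"
    return re.search(pattern, data) is not None


def matched_patterns(data: bytes) -> list:
    """Return the identifiers of the rule's patterns found in data."""
    hits = [f"$s{i}" for i, s in enumerate(FULLWORD_STRINGS, 1)
            if _fullword_present(data, s)]
    if OPCODE in data:          # hex patterns are plain byte matches, no fullword
        hits.append("$op0")
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 600KB and 2 of them."""
    # uint16(0) is a little-endian 16-bit read at offset 0; 0x5a4d is "MZ".
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return len(matched_patterns(data)) >= 2


def scan_file(path: str) -> bool:
    """Convenience wrapper: apply the rule to a file on disk."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# Constructed samples (not real binaries) exercising each branch of the condition.
SAMPLE_MATCH = (b"MZ" + b"\x00" * 62
                + b"NtErrorMoreProcessingRequired\x00"
                + b"Command Format Error: Error=%x\x00"
                + b"\x00" * 8)
# $s3 is embedded inside a longer word, so fullword fails; only $op0 hits.
SAMPLE_EMBEDDED = b"MZ" + b"\x00" * 62 + b"xNtErrorPasswordRestrictiony" + OPCODE
# Two strings present but the file does not start with MZ.
SAMPLE_NO_MZ = (b"PE\x00\x00" + b"NtErrorPasswordRestriction\x00"
                + b"NtErrorMoreProcessingRequired\x00")
# Everything matches, but padding pushes the size past 600KB.
SAMPLE_TOO_LARGE = SAMPLE_MATCH + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for name, blob in [("match", SAMPLE_MATCH), ("embedded", SAMPLE_EMBEDDED),
                       ("no_mz", SAMPLE_NO_MZ), ("too_large", SAMPLE_TOO_LARGE)]:
        print(f"{name:10s} patterns={matched_patterns(blob)} "
              f"match={rule_matches(blob)}")
```

The embedded-word sample is the one worth noting: the text of $s3 is present byte-for-byte, yet the fullword modifier rejects it, so a naive substring search would over-count and produce a false match that real YARA would not.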
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar process names or command-line arguments.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance command-line arguments (e.g., /create, /run, /delete).
Scenario: Microsoft Equation Editor Usage
Description: The EquationGroup tool may be confused with the legacy Microsoft Equation Editor (eqnedit.exe), which is occasionally used in enterprise environments for document formatting.
Filter/Exclusion: Exclude processes with the full path C:\Windows\System32\eqnedit.exe or any process with the name eqnedit.exe that is not associated with the EquationGroup tool.
Scenario: Admin Task Using PowerShell for Log Analysis
Description: A system administrator may use PowerShell scripts (e.g., powershell.exe) to analyze logs or perform forensic tasks, which could trigger the rule due to similar command-line behavior.
Filter/Exclusion: Exclude processes where the command-line includes -Command or -File with known admin scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Get-EventLog").
Scenario: Antivirus or EDR Tool Scanning
Description: Antivirus or EDR tools (e.g., msmpeng.exe from Windows Defender, or mcafee.exe) may trigger the rule during a scan due to similar process names or behavior.
Filter/Exclusion: Exclude processes with known EDR/AV tool names (e.g., msmpeng.exe, mcafee.exe, avgnt.exe) or those running under the LocalSystem account.