The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Banner_Implant9x {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "5d69a8cfc9b636448f023fcf18d111f13a8e6bcb9a693eb96276e0d796ab4e0c"
    strings:
        $s1 = ".?AVFeFinallyFailure@@" fullword ascii
        $op1 = { c9 c3 57 8d 85 2c eb ff ff }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 20KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
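To make the rule's condition concrete, the following Python re-implements its three clauses (MZ magic via a little-endian uint16 at offset 0, the 20KB size bound, and both patterns with YARA's fullword semantics for $s1) and reports which clause failed on a given file, which is what an analyst needs when triaging why a sample did or did not fire. This is an added example, not code from the page or from the rule's author; the sample bytes it builds are constructed test data, not a real binary, and it assumes YARA's 20KB means 20 * 1024 bytes.

```python
import re
from typing import Optional

# The two patterns from EquationGroup_Toolset_Apr17_Banner_Implant9x
S1 = b".?AVFeFinallyFailure@@"
OP1 = bytes.fromhex("c9c3578d852cebffff")
MAX_SIZE = 20 * 1024  # assumption: YARA's "20KB" is 20 * 1024 bytes

# YARA "fullword": the match must not be bordered by alphanumeric bytes.
FULLWORD_S1 = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(S1) + rb"(?![A-Za-z0-9])")


def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """Equivalent of YARA's uint16(offset): little-endian, None when out of range."""
    if offset + 2 > len(data):
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def evaluate_rule(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition separately and combine them
    with AND, exactly as 'uint16(0) == 0x5a4d and filesize < 20KB and all of them'."""
    clauses = {
        "mz_header": uint16_le(data, 0) == 0x5A4D,
        "filesize_lt_20kb": len(data) < MAX_SIZE,
        "s1_fullword": FULLWORD_S1.search(data) is not None,
        "op1_hex": OP1 in data,
    }
    clauses["match"] = all(clauses.values())
    return clauses


def make_sample(prefix_s1: bytes = b"", size: int = 4096) -> bytes:
    """Construct a synthetic MZ-headed blob that embeds both patterns (constructed
    test data). prefix_s1 lets a caller glue an alphanumeric byte in front of $s1
    to show how 'fullword' rejects the match."""
    body = b"MZ" + b"\x00" * 62            # DOS header stub: uint16(0) == 0x5a4d
    body += b"\x00" * 100 + prefix_s1 + S1  # $s1 surrounded by non-alphanumerics
    body += b"\x00" * 50 + OP1              # $op1 byte sequence
    return body.ljust(size, b"\x00")


if __name__ == "__main__":
    for label, blob in (("clean hit", make_sample()),
                        ("not fullword", make_sample(prefix_s1=b"X")),
                        ("too large", make_sample(size=30000))):
        print(label, evaluate_rule(blob))
```

Running it shows the first sample matching and the other two failing on exactly one clause each, which is the kind of per-clause breakdown that helps decide whether a Sentinel alert on this rule is worth escalating.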
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar command-line arguments or process names.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler in the event log, and exclude tasks with known maintenance names (e.g., Cleanup-System-Files).
Scenario: Administrative PowerShell Script Execution
Description: A trusted administrative PowerShell script (e.g., Invoke-Command or Start-Job) may be flagged due to similar command patterns used in the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing Invoke-Command or Start-Job, and exclude known internal scripts.
Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job (e.g., wusa.exe or dism.exe) may trigger the rule due to similar process behavior or command-line arguments.
Filter/Exclusion: Filter by ProcessName containing wusa.exe or dism.exe, and exclude processes initiated by the Windows Update service (svchost.exe -s WuAuSVC).
Scenario: Legitimate Network Monitoring Tool Execution
Description: A network monitoring tool such as Wireshark or tcpdump may be flagged due to similar process behavior or command-line arguments.
Filter/Exclusion: Filter by ProcessName containing wireshark.exe or tcpdump.exe, and exclude processes running in a known monitoring or security context.
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job running a backup task