The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-standing threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_clocksvc {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c1bcd04b41c6b574a5c9367b777efc8b95fe6cc4e526978b7e8e09214337fac1"
   strings:
      $x1 = "~debl00l.tmp" fullword ascii
      $x2 = "\\\\.\\mailslot\\c54321" fullword ascii
      $x3 = "\\\\.\\mailslot\\c12345" fullword ascii
      $x4 = "nowMutex" fullword ascii
      $s1 = "System\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate" fullword ascii
      $s2 = "000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B98" ascii
      $s3 = "00000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of ($s*) ) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns ($x1 to $x4 and $s1 to $s3) in its detection logic. Its condition fires only on a file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 200KB, and contains at least one of the $x strings or at least two of the $s strings; the fullword modifier on $x1 to $x4 and $s1 additionally requires those strings to be bounded by non-alphanumeric bytes.
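To make the condition concrete, the following is an added example (not part of the page and not Florian Roth's code): a pure-Python evaluator that mirrors the rule's condition, the MZ check, the 200KB size limit, the "1 of ($x*) or 2 of ($s*)" clause and YARA's fullword boundary semantics, and runs it over constructed byte buffers so each branch of the condition can be observed without a YARA install. The sample buffers are constructed for the demonstration and are not real malware; only the string patterns and the size limit come from the rule.

```python
# Added example, not part of the page or of Florian Roth's rule: a pure-Python
# evaluator that mirrors the rule's condition (MZ header, filesize < 200KB,
# "1 of ($x*) or 2 of ($s*)", YARA fullword semantics) so the logic can be
# exercised against constructed buffers without a YARA install.

MAX_FILESIZE = 200 * 1024  # YARA's "200KB" means 200 * 1024 bytes

# The rule's own patterns as byte strings. YARA's "\\\\" is a literal "\\",
# so $x2 matches the raw text \\.\mailslot\c54321.
X_STRINGS = {  # all "fullword ascii" in the rule
    "x1": b"~debl00l.tmp",
    "x2": b"\\\\.\\mailslot\\c54321",
    "x3": b"\\\\.\\mailslot\\c12345",
    "x4": b"nowMutex",
}
S_STRINGS = {  # $s1 is "fullword ascii"; $s2 and $s3 are plain "ascii"
    "s1": b"System\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate",
    "s2": b"000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B98",
    "s3": b"00000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88",
}
FULLWORD = {"x1", "x2", "x3", "x4", "s1"}


def _is_alnum(b: int) -> bool:
    """YARA's fullword boundary: an [A-Za-z0-9] byte on either side blocks the match."""
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122


def string_hits(data: bytes, pattern: bytes, fullword: bool) -> bool:
    """True if pattern occurs in data, honouring the fullword modifier."""
    start = 0
    while (idx := data.find(pattern, start)) >= 0:
        end = idx + len(pattern)
        if not fullword:
            return True
        before_ok = idx == 0 or not _is_alnum(data[idx - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = idx + 1  # overlapping occurrence may still qualify, keep scanning
    return False


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the clocksvc rule's condition and return each term's result."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    x_hits = [n for n, p in X_STRINGS.items() if string_hits(data, p, n in FULLWORD)]
    s_hits = [n for n, p in S_STRINGS.items() if string_hits(data, p, n in FULLWORD)]
    matched = is_mz and size_ok and (len(x_hits) >= 1 or len(s_hits) >= 2)
    return {"mz": is_mz, "size_ok": size_ok, "x": x_hits, "s": s_hits, "matched": matched}


def build_sample(strings, pe: bool = True, pad: int = 4096) -> bytes:
    """Constructed test buffer: fake MZ (or ELF) header, NUL-separated strings, padding."""
    header = (b"MZ" if pe else b"\x7fELF") + b"\x00" * 60
    return header + b"\x00".join(strings) + b"\x00" * pad


# Constructed samples (not real files): each exercises one branch of the condition.
SAMPLES = {
    "one_x_string": build_sample([b"nowMutex"]),
    "two_s_strings": build_sample([S_STRINGS["s1"], S_STRINGS["s2"]]),
    "only_one_s": build_sample([S_STRINGS["s1"]]),
    "x_not_fullword": build_sample([b"xnowMutexy"]),   # bounded by letters, fullword fails
    "not_a_pe": build_sample([b"nowMutex"], pe=False),  # string present, but no MZ header
    "too_large": build_sample([b"nowMutex"], pad=MAX_FILESIZE),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        r = evaluate_rule(buf)
        print(f"{name:15} mz={r['mz']!s:5} size_ok={r['size_ok']!s:5} "
              f"x={r['x']} s={r['s']} -> matched={r['matched']}")
```

Running the block prints one line per sample; only "one_x_string" and "two_s_strings" match. The "x_not_fullword" case is the one worth noting when tuning: a string embedded inside a longer alphanumeric token does not count for the fullword patterns, which is why a plain substring search over a file can over-report relative to the rule.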
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task created with schtasks.exe or Task Scheduler is running a maintenance script that includes base64-encoded content or similar patterns.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler, and exclude tasks with known maintenance scripts (e.g., WindowsUpdate or Defrag).

Scenario: Admin Using PowerShell to Decode Data
Description: A system administrator is using PowerShell to decode or encode data as part of a script, which may resemble the EquationGroup tool's behavior.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for script paths in known admin directories (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).

Scenario: Log File Parsing or Data Extraction Job
Description: A job running via logparser.exe or another log analysis tool is processing log files and generating base64-encoded output as part of data extraction.
Filter/Exclusion: Filter by ProcessName containing logparser.exe or logman.exe, and exclude processes that are known to handle log files (e.g., Event Viewer or Splunk).

Scenario: Antivirus or EDR Tool Scanning
Description: An endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Kaspersky) is scanning files and generating base64-encoded output during analysis.
Filter/Exclusion: Check for ProcessName containing mpcmdrun.exe, fsquirt.exe, or other known EDR/AV process names, and exclude processes with known security tool signatures.

Scenario: Database Backup or Restore Operation
*Description