The hypothesis is that a file matching EquationGroup Tool - April Leak on a host indicates that an adversary has staged tooling from the Shadow Brokers' April 2017 "Lost in Translation" release: legacy malware whose persistence mechanisms are already documented. SOC teams should proactively hunt for matching files in Microsoft Sentinel (formerly Azure Sentinel), for example by the SHA-256 recorded as hash1 in the rule, to identify and remove long-term persistence that may have evaded traditional detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_DiBa_Target_2000 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f9ea8ff5985b94f635d03f3aab9ad4fb4e8c2ad931137dba4f8ee8a809421b91"
   strings:
      $s1 = "0M1U1Z1p1" fullword ascii
      $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 }
      $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 }
      $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
}
Like any YARA rule, it runs wherever file content can be scanned: on endpoints, in a sandbox or mail gateway, or retrospectively over a file repository.
The rule contains 4 string patterns ($s1 plus the opcode sequences $op1 to $op3) and fires on a file that starts with an MZ header, is smaller than 1000 KB, and contains at least 3 of them. $s1 carries the fullword modifier, so it only counts when it is not adjacent to an alphanumeric character.
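The condition above is short, but each clause has a semantic worth checking before the rule goes into a hunt: the size limit is 1000 x 1024 bytes, the header read is little-endian, and the fullword modifier can silently drop $s1 from the count. The following is an added example, not code from the page or from the rule's author: a pure-Python re-implementation of the condition, exercised on constructed buffers (no real sample is used), plus the first triage step for a hit, comparing the matched file's SHA-256 with hash1 so that a hit on the exact leaked binary can be told apart from a variant or a false positive in the scenarios that follow.

```python
# Added example: re-implements the condition of
# EquationGroup_Toolset_Apr17_DiBa_Target_2000 in pure Python so its
# semantics can be exercised offline, and adds a hash1 triage check.
# Not the rule author's code; every buffer below is constructed test data.
import hashlib
import re

RULE_HASH1 = "f9ea8ff5985b94f635d03f3aab9ad4fb4e8c2ad931137dba4f8ee8a809421b91"

# $s1 has the 'fullword' modifier: YARA only counts it when no alphanumeric
# character sits directly before or after the string.
S1 = b"0M1U1Z1p1"
S1_FULLWORD = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(S1) + rb"(?![A-Za-z0-9])")

# $op1..$op3 contain no wildcards, so a plain substring search is exact.
OPCODES = {
    "$op1": bytes.fromhex("f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45"),
    "$op2": bytes.fromhex("36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9"),
    "$op3": bytes.fromhex("c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f"),
}
MAX_SIZE = 1000 * 1024  # 'filesize < 1000KB'; YARA's KB is 1024 bytes


def matched_strings(data: bytes) -> list[str]:
    """Names of the rule's strings present in data, counted as YARA would."""
    hits = ["$s1"] if S1_FULLWORD.search(data) else []
    hits += [name for name, pat in OPCODES.items() if pat in data]
    return hits


def rule_matches(data: bytes) -> bool:
    """The condition: uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them."""
    # uint16(0) is a little-endian read, so b"MZ" is 0x5a4d.
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return len(matched_strings(data)) >= 3


def triage(data: bytes) -> str:
    """First triage step for a hit: is this the exact file the rule was written
    from (hash1), or a different file that merely shares its patterns?"""
    if not rule_matches(data):
        return "no_match"
    if hashlib.sha256(data).hexdigest() == RULE_HASH1:
        return "known_sample"
    return "match_needs_analysis"  # variant, repacked copy, or false positive


def build_sample(header: bytes, *fragments: bytes, pad_to: int = 0) -> bytes:
    """Constructed test buffer: header, NUL, fragments separated by NUL bytes,
    then zero padding up to pad_to. The NUL after the header keeps $s1 a
    full word when it is the first fragment."""
    body = header + b"\x00" + b"\x00".join(fragments)
    return body.ljust(max(pad_to, len(body)), b"\x00")


ALL_FOUR = (S1, *OPCODES.values())
CASES = {
    "all four patterns":   build_sample(b"MZ", *ALL_FOUR),
    "only two patterns":   build_sample(b"MZ", S1, OPCODES["$op1"]),
    "no MZ header":        build_sample(b"PK", *ALL_FOUR),
    "too large (1000KB)":  build_sample(b"MZ", *ALL_FOUR, pad_to=MAX_SIZE),
    "$s1 not a full word": build_sample(b"MZ", b"X" + S1 + b"Y",
                                        OPCODES["$op1"], OPCODES["$op2"]),
}

if __name__ == "__main__":
    for label, buf in CASES.items():
        print(f"{label:22} strings={matched_strings(buf)} -> {triage(buf)}")
```

Only the first buffer satisfies the condition, and even that one comes back as match_needs_analysis, which is the point of the triage step: a hit that is not hash1 is either a repacked or modified copy of the tool, or a file that happens to share three of the four patterns, and the rest of the scenarios on this page describe how to tell those apart. To run the same cases against the real rule instead of the re-implementation, the yara-python package exposes yara.compile(source=...) and rules.match(data=buf).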
Because the rule matches on file content (an MZ header, a size under 1000 KB and at least three of the four patterns), process and parent-process exclusions do not apply to it: it fires on a file that is written, staged or dumped during an activity, not on the activity itself. An exclusion should therefore name a verified file, by hash and only secondarily by path, never a process.
Scenario: Legitimate Windows Update Process
Description: Windows Update (wuauclt.exe, or svchost.exe running under services.exe) stages new executables under SoftwareDistribution, and a scanner that examines every written file will check them. A match there is unlikely, since the patterns come from one specific leaked binary, but a hit still has to be resolved rather than suppressed.
Filter/Exclusion: Do not exclude wuauclt.exe or svchost.exe. Compare the matching file's SHA-256 with hash1 and check its Microsoft signature; allowlist only that file hash if it is clean.
Scenario: Scheduled System Maintenance Task
Description: Maintenance tasks such as disk cleanup (cleanmgr.exe) or a System File Checker run (sfc.exe) can rewrite system files from the component store, producing file writes that get scanned; msconfig.exe changes configuration rather than executable files.
Filter/Exclusion: Exclude nothing on the basis of Task Scheduler parentage. Verify the matched file's hash and signature and allowlist that hash alone.
Scenario: Admin Performing File Integrity Check
Description: Process Monitor and Process Explorer only read the files and processes they inspect, and this rule has no file-access logic, so the tools themselves do not cause matches. A hit raised while an administrator is using them describes the file being inspected, not the inspection.
Filter/Exclusion: None for procmon.exe or procexp.exe; triage the matched file by hash against hash1.
Scenario: Legitimate Software Deployment via SCCM
Description: Software deployment via Microsoft System Center Configuration Manager (SCCM) downloads package content through ccmexec.exe or ccmsetup.exe into the client cache, where it is scanned before it runs.
Filter/Exclusion: Do not exclude ccmexec.exe, ccmsetup.exe or the whole cache path. Verify the package content against the deployment's known-good hash and allowlist the verified file hash.
Scenario: User Running Malware Analysis Tools
Description: An analyst who loads the leaked sample into IDA Pro or Ghidra, or detonates it in Cuckoo Sandbox, has the file itself on disk, together with memory dumps and extracted artifacts that carry its strings. These matches are true positives for the file, so any exclusion has to cover the analysis host's sample and output directories rather than hide the tool's activity.
Filter/Exclusion: Exclude processes with idaq.exe, ghidra.jar, or `cuckoo