The hypothesis is that a match on this rule (EquationGroup Tool - April Leak) indicates possible adversary use of a sophisticated malware toolkit that has been publicly disclosed since the 2017 Shadow Brokers release and may be used for data exfiltration or persistence. SOC teams should proactively hunt for such matches, for example by ingesting YARA scan results into Azure Sentinel, to identify and mitigate long-term threats from advanced adversaries reusing known but leaked tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "0654b4b8727488769390cd091029f08245d690dd90d1120e8feec336d1f9e788"
   strings:
      $s2 = "0M1U1Z1p1" fullword ascii /* base64 encoded string '3U5gZu' */
      $s14 = "SPRQWV" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
This is a static file-content rule: it requires the MZ magic (uint16(0) == 0x5a4d, i.e. the bytes "MZ" read little-endian), a file size under 2000KB (YARA's KB is 1024 bytes), and both of its 2 string patterns to be present as fullword ASCII matches, meaning neither string may be directly adjoined by an alphanumeric character. It is therefore suited to scanning PE files on disk, in quarantine, or at mail and web gateways rather than to process or command-line telemetry. The tuning scenarios below are written in terms of process events; they apply only when the scanner reports which process wrote or loaded the flagged file, and for a file-content match the safer exclusion keys are file hash, signed publisher, or path.
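As an added example (it is not part of this page and not part of the rule author's signature set), the following Python re-implements the rule's condition over constructed byte strings so that its semantics are explicit: uint16(0) is little-endian, 2000KB is 2000 * 1024 bytes, and fullword requires non-alphanumeric neighbours. The helper names and the sample blobs are constructed for illustration only; they are not real binaries or leaked samples.

```python
import re

# Constants transcribed from the rule above; the harness itself is added here.
MZ_MAGIC = 0x5A4D                 # uint16(0) == 0x5a4d: the bytes "MZ" read little-endian
MAX_SIZE = 2000 * 1024            # YARA's "2000KB" means 2000 * 1024 bytes
STRINGS = {
    "$s2": b"0M1U1Z1p1",
    "$s14": b"SPRQWV",
}


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Offsets where `needle` occurs as a YARA 'fullword ascii' match:
    not immediately preceded or followed by an alphanumeric byte."""
    pat = re.compile(rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])")
    return [m.start() for m in pat.finditer(data)]


def evaluate_rule(data: bytes) -> tuple:
    """Re-implements the rule's condition: MZ header, size < 2000KB, all strings present.
    Returns (matched, detail) so a hit can be explained, not only flagged."""
    hits = {name: fullword_offsets(data, s) for name, s in STRINGS.items()}
    detail = {
        "mz_header": len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC,
        "filesize_ok": len(data) < MAX_SIZE,
        "strings": hits,
    }
    matched = bool(detail["mz_header"] and detail["filesize_ok"] and all(hits.values()))
    return matched, detail


def build_sample(header: bytes = b"MZ", delimited: bool = True, size: int = 4096) -> bytes:
    """Constructed test blob (NOT a real PE or a leaked sample): a 2-byte header,
    NOP filler, the two rule strings, then zero padding up to `size` bytes."""
    sep = b"\x00" if delimited else b"x"   # 'x' glues the strings to alphanumeric neighbours
    body = sep + b"SPRQWV" + sep + b"\x90" * 64 + sep + b"0M1U1Z1p1" + sep
    blob = header + b"\x90" * 62 + body
    return blob + b"\x00" * max(0, size - len(blob))


if __name__ == "__main__":
    cases = [
        ("MZ blob with both strings delimited", build_sample()),
        ("same bytes but header is not MZ", build_sample(header=b"PE")),
        ("strings glued to alphanumerics (fullword fails)", build_sample(delimited=False)),
        ("both strings but file is exactly 2000KB", build_sample(size=MAX_SIZE)),
    ]
    for label, blob in cases:
        matched, detail = evaluate_rule(blob)
        print(f"{label}: matched={matched} strings={detail['strings']}")
```

The harness is for understanding the rule, not for production scanning: with yara-python installed, `yara.compile(source=rule_text).match(data=blob)` gives the authoritative verdict, and a real deployment should scan with the YARA engine itself. The `delimited=False` case is the one worth remembering when tuning: a string that is present but glued to letters or digits does not satisfy fullword, so adding or removing that modifier changes the rule's reach.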
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses certutil or PowerShell and produces activity that matches the detection logic.
Filter/Exclusion: Exclude processes associated with Task Scheduler, for example with a filter such as process.parent_process_name == "schtasks.exe".
Scenario: Windows Update or Patching Process
Description: The Windows Update agent (wuauclt.exe) or patching tools may execute commands that resemble EquationGroup activity.
Filter/Exclusion: Exclude processes with process.name == "wuauclt.exe", or filter on a parent_process_name of svchost.exe or taskeng.exe.
Scenario: Admin PowerShell Script Execution
Description: A system administrator runs a PowerShell script that uses certutil or PowerShell cmdlets for certificate management or system diagnostics.
Filter/Exclusion: Exclude processes where process.name == "powershell.exe" and the command line includes certutil or Get-ChildItem against known administrative paths.
Scenario: Backup or Sync Tool Activity
Description: A backup tool such as Veeam, Acronis, or rsync may execute commands that resemble EquationGroup behavior during data transfer or synchronization.
Filter/Exclusion: Exclude processes with process.name == "veeam.exe", "acronis.exe", or "rsync.exe", combined with a filter on the command line arguments.
Scenario: Network Discovery or Inventory Tool
Description: Tools such as Nmap, Masscan, or SolarWinds may execute commands that resemble EquationGroup activity during network scanning or asset discovery.
Filter/Exclusion: Exclude processes with `process.name == "nmap