The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary use of a sophisticated malware variant associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by threat actors leveraging known malicious tooling.
YARA Rule

rule EquationGroup_Toolset_Apr17_DiBa_Target_BH {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "7ae9a247b60dc31f424e8a7a3b3f1749ba792ff1f4ba67ac65336220021fce9f"
   strings:
      $op0 = { 44 89 20 e9 40 ff ff ff 8b c2 48 8b 5c 24 60 48 }
      $op1 = { 45 33 c9 49 8d 7f 2c 41 ba }
      $op2 = { 89 44 24 34 eb 17 4c 8d 44 24 28 8b 54 24 30 48 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic ($op0, $op1, $op2, each an opcode byte sequence). The condition requires all three: the file must start with an MZ header (uint16(0) == 0x5a4d), be smaller than 2000KB, and contain every one of the three patterns.
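To make the condition concrete, here is an added Python re-implementation of the rule's three clauses. It is not code from the page or from the rule's author, and it is not a substitute for YARA itself (YARA's engine remains the reference for matching); it only mirrors the MZ check, the size bound and the "all of them" string test so each clause can be exercised separately. The $op0..$op2 byte sequences are taken from the rule above; the buffers it evaluates are constructed here and are not real files.

```python
from typing import Dict, List, Optional, Tuple

# Constants taken from the rule's condition
MZ_MAGIC = 0x5A4D                 # uint16(0) == 0x5a4d, little-endian "MZ"
MAX_SIZE = 2000 * 1024            # YARA's "2000KB" uses a 1024-byte kilobyte

# The rule's three hex strings as raw byte sequences
PATTERNS: Dict[str, bytes] = {
    "$op0": bytes.fromhex("44 89 20 e9 40 ff ff ff 8b c2 48 8b 5c 24 60 48"),
    "$op1": bytes.fromhex("45 33 c9 49 8d 7f 2c 41 ba"),
    "$op2": bytes.fromhex("89 44 24 34 eb 17 4c 8d 44 24 28 8b 54 24 30 48"),
}


def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """Mirror YARA's uint16(offset): little-endian read, None when out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition and return the breakdown.

    The overall verdict is in result["match"]; the per-clause fields show
    which part of the condition failed, which is what you want when tuning.
    """
    result = {
        "is_mz": uint16_le(data, 0) == MZ_MAGIC,
        "size_ok": len(data) < MAX_SIZE,
        "matched": [name for name, pat in PATTERNS.items() if pat in data],
    }
    result["all_strings"] = len(result["matched"]) == len(PATTERNS)
    result["match"] = result["is_mz"] and result["size_ok"] and result["all_strings"]
    return result


def build_sample(include: Tuple[str, ...], mz: bool = True, pad: int = 0) -> bytes:
    """Construct a fake buffer for testing: optional MZ header, filler bytes,
    the chosen patterns separated by int3 padding, then optional trailing zeros.
    This is synthetic data, not a real executable."""
    buf = bytearray(b"MZ" if mz else b"\x00\x00")
    buf += b"\x90" * 64
    for name in include:
        buf += PATTERNS[name] + b"\xcc" * 16
    buf += b"\x00" * pad
    return bytes(buf)


if __name__ == "__main__":
    full = build_sample(("$op0", "$op1", "$op2"))
    partial = build_sample(("$op0", "$op1"))
    print("all three patterns:", evaluate(full))
    print("two patterns only: ", evaluate(partial))
```

The breakdown returned by `evaluate` is the useful part: a sample that carries only two of the three opcode sequences, or that exceeds the 2000KB bound, fails the condition even though some strings hit, which is exactly the behaviour to expect from the rule when checking a suspected false positive or a repacked sample.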
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics the behavior of the EquationGroup tool, such as copying files or interacting with registry keys.
Filter/Exclusion: process.name != "schtasks.exe", or check for process.parent.name == "task scheduler" and exclude known maintenance scripts.
Scenario: Admin Performing File Integrity Check
Description: An administrator uses a tool like Sysinternals Process Explorer or Microsoft System File Checker (sfc.exe) to inspect files, which may trigger file access patterns similar to EquationGroup.
Filter/Exclusion: process.name != "sfc.exe" and process.name != "process.explorer.exe", or check for administrative context with user.name == "admin".
Scenario: Automated Backup Job Using Robocopy
Description: A backup job using Robocopy or rsync copies files across the network, which may resemble the data exfiltration or file transfer behavior of EquationGroup.
Filter/Exclusion: process.name != "robocopy.exe" and process.name != "rsync.exe", or verify the presence of a known backup service or scheduled task.
Scenario: PowerShell Script for Log Analysis
Description: A PowerShell script used for log analysis or system monitoring (e.g., PowerShell ISE, PowerShell Universal) may perform file operations or network requests that match the detection logic.
Filter/Exclusion: process.name != "powershell.exe", or check for script paths in known security tool directories (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: Malware Analysis Lab Environment
Description: In a malware analysis lab, a researcher may use tools like **Cuck
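The exclusions in the scenarios above are easy to get wrong when they are turned into a query, so here is an added Python example (not the page's own code) that applies them to a handful of constructed process events. It shows two things: that chaining `!=` tests with `or` keeps every event (so the clause reduces nothing), and how the intended allow-list form drops only the known-benign cases. Field names follow the page (process.name, process.parent.name, user.name); process.executable, the account allow-list and all event values are assumptions made here. Because the YARA rule itself matches file bytes, exclusions like these only apply once a file hit has been correlated with the process telemetry that touched the file.

```python
from typing import Callable, Dict, List

Event = Dict[str, str]
Exclusion = Callable[[Event], bool]   # True -> known-benign, drop from the hunt

# Constructed sample events (not real telemetry)
EVENTS: List[Event] = [
    {"id": "e1", "process.name": "robocopy.exe", "process.parent.name": "svchost.exe",
     "user.name": "backupsvc", "process.executable": "C:\\Windows\\System32\\robocopy.exe"},
    {"id": "e2", "process.name": "sfc.exe", "process.parent.name": "cmd.exe",
     "user.name": "admin", "process.executable": "C:\\Windows\\System32\\sfc.exe"},
    {"id": "e3", "process.name": "sfc.exe", "process.parent.name": "cmd.exe",
     "user.name": "jdoe", "process.executable": "C:\\Windows\\System32\\sfc.exe"},
    {"id": "e4", "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "user.name": "jdoe",
     "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": "e5", "process.name": "powershell.exe", "process.parent.name": "winword.exe",
     "user.name": "jdoe",
     "process.executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\powershell.exe"},
]

# Assumed allow-lists; in production these come from asset/identity inventory
KNOWN_BACKUP_ACCOUNTS = {"backupsvc"}
# Known tool directory from the page's PowerShell scenario
KNOWN_TOOL_DIRS = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\",)


def naive_keep(e: Event) -> bool:
    """The 'process.name != A or process.name != B' form: one side is always
    true, so this keeps every event and excludes nothing."""
    return e["process.name"] != "robocopy.exe" or e["process.name"] != "rsync.exe"


def backup_job(e: Event) -> bool:
    """Scenario 'Automated Backup Job': copy tool run by a known backup account."""
    return (e["process.name"] in {"robocopy.exe", "rsync.exe"}
            and e["user.name"] in KNOWN_BACKUP_ACCOUNTS)


def admin_integrity_check(e: Event) -> bool:
    """Scenario 'Admin Performing File Integrity Check': sfc.exe in an
    administrative context (a group-membership check is stronger than a name)."""
    return e["process.name"] == "sfc.exe" and e["user.name"] == "admin"


def trusted_powershell(e: Event) -> bool:
    """Scenario 'PowerShell Script for Log Analysis': binary under a known tool directory."""
    return (e["process.name"] == "powershell.exe"
            and e["process.executable"].startswith(KNOWN_TOOL_DIRS))


EXCLUSIONS: List[Exclusion] = [backup_job, admin_integrity_check, trusted_powershell]


def hunt(events: List[Event], exclusions: List[Exclusion]) -> List[str]:
    """Return ids of events that survive every exclusion (what the analyst reviews)."""
    return [e["id"] for e in events if not any(x(e) for x in exclusions)]


def hunt_naive(events: List[Event]) -> List[str]:
    """Same hunt using the tautological filter, for comparison."""
    return [e["id"] for e in events if naive_keep(e)]


if __name__ == "__main__":
    print("naive filter keeps:   ", hunt_naive(EVENTS))
    print("allow-list form keeps:", hunt(EVENTS, EXCLUSIONS))
```

The allow-list form leaves e3 (sfc.exe run by a non-admin user) and e5 (a powershell.exe copy outside the known tool directory, spawned by a document viewer) for review, while the `or`-joined `!=` version returns all five events and therefore adds nothing to the hunt.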