The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_DllLoad_Target {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "a42d5201af655e43cefef30d7511697e6faa2469dc4a74bc10aa060b522a1cf5"
    strings:
        $s1 = "BzWKJD+" fullword ascii
        $op1 = { 44 24 6c 6c 88 5c 24 6d }
        $op2 = { 44 24 54 63 c6 44 24 55 74 c6 44 24 56 69 }
        $op3 = { 44 24 5c 6c c6 44 24 5d 65 c6 44 24 5e }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
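To validate that the rule's condition behaves as intended before deploying it, the following added example (not part of the original page or of the rule author's material) re-implements the rule's matching logic in pure Python and exercises it against a constructed, benign test blob that embeds the rule's four patterns. The pattern bytes are taken verbatim from the rule above; the MZ check, the 200KB bound and the fullword semantics follow YARA's documented behaviour.

```python
import re
import struct

# Taken from the rule above: the one ASCII string and the three opcode patterns.
RULE_NAME = "EquationGroup_Toolset_Apr17_DllLoad_Target"
ASCII_STRINGS = [b"BzWKJD+"]
HEX_PATTERNS = [
    bytes.fromhex("44246c6c885c246d"),
    bytes.fromhex("44245463c644245574c644245669"),
    bytes.fromhex("44245c6cc644245d65c644245e"),
]
MAX_FILESIZE = 200 * 1024   # YARA's "200KB" means 200 * 1024 bytes
MZ_MAGIC = 0x5A4D           # uint16(0) read little-endian from b"MZ"


def fullword_ascii_present(data, needle):
    """YARA 'fullword': the match must not be bordered by alphanumeric bytes."""
    for m in re.finditer(re.escape(needle), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
    return False


def matches_rule(data):
    """Return True when data satisfies the rule's condition clause."""
    # uint16(0) == 0x5a4d: the buffer must start with a DOS/PE "MZ" header.
    if len(data) < 2 or struct.unpack("<H", data[:2])[0] != MZ_MAGIC:
        return False
    # filesize < 200KB: large inputs are rejected before any string scan.
    if len(data) >= MAX_FILESIZE:
        return False
    # "all of them": every $s* and $op* pattern must be present.
    if not all(fullword_ascii_present(data, s) for s in ASCII_STRINGS):
        return False
    return all(p in data for p in HEX_PATTERNS)


def build_sample(include_opcodes=True, prefix=b"MZ"):
    """Constructed test artefact (not real malware): padding plus the patterns."""
    body = bytearray(prefix + b"\x00" * 62)
    body += b"\x00" + ASCII_STRINGS[0] + b"\x00"   # delimited, so fullword holds
    if include_opcodes:
        for p in HEX_PATTERNS:
            body += p + b"\x90" * 4
    return bytes(body)
```

A blob that carries the same patterns but lacks the MZ header, or that is padded past 200KB, must not match; checking those negative cases catches a rule whose size or header gate was edited by mistake.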
Scenario: Scheduled system maintenance or patching using PowerShell scripts
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'
Scenario: Legitimate use of Windows Task Scheduler to run administrative tasks
Filter/Exclusion: process.name != "schtasks.exe" OR process.args NOT LIKE '%/create%'
Scenario: Use of Windows Management Instrumentation (WMI) for system monitoring
Filter/Exclusion: process.name != "wmic.exe" OR process.args NOT LIKE '%query%'
Scenario: Execution of Microsoft System Center Configuration Manager (SCCM) tasks
Filter/Exclusion: process.name != "ccmexec.exe" OR process.args NOT LIKE '%sccm%'
Scenario: Running Windows Event Log analysis tools like Event Viewer or LogParser
Filter/Exclusion: process.name != "eventvwr.exe" AND process.name != "logparser.exe"