The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of advanced persistent threat techniques to exfiltrate data or establish persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging known malware artifacts.
YARA Rule
rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f265defd87094c95c7d3ddf009d115207cd9d4007cf98629e814eda8798906af"
      hash2 = "8d62ca9e6d89f2b835d07deb5e684a576607e4fe3740f77c0570d7b16ebc2985"
      hash3 = "634a80e37e4b32706ad1ea4a2ff414473618a8c42a369880db7cc127c0eb705e"
   strings:
      $s1 = ".dllfD" fullword ascii
      $s2 = "Khsppxu" fullword ascii
      $s3 = "D$8.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
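As an added illustration (not part of the original rule or this page), the Python below emulates the rule's condition on in-memory buffers so the semantics of `fullword ascii`, the `uint16(0) == 0x5a4d` header check and `2 of them` can be verified against constructed test data before the rule is deployed. Note that the rule matches file content only, so a process name or command line has no bearing on whether it fires; the sample buffers are constructed for the test and are not real samples.

```python
import hashlib
import re
import struct

# Strings, size limit, threshold and reference hashes copied from the rule above.
RULE_STRINGS = {"$s1": b".dllfD", "$s2": b"Khsppxu", "$s3": b"D$8.exe"}
MAX_FILESIZE = 1000 * 1024  # YARA's "1000KB"
MIN_STRINGS = 2             # "2 of them"
KNOWN_HASHES = {
    "f265defd87094c95c7d3ddf009d115207cd9d4007cf98629e814eda8798906af",
    "8d62ca9e6d89f2b835d07deb5e684a576607e4fe3740f77c0570d7b16ebc2985",
    "634a80e37e4b32706ad1ea4a2ff414473618a8c42a369880db7cc127c0eb705e",
}

def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate 'fullword ascii': an occurrence only counts when it is not
    directly preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None

def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition to a buffer and return per-clause results,
    so an analyst can see which clause fired or blocked the match."""
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = {name: fullword_match(data, s) for name, s in RULE_STRINGS.items()}
    matched = is_mz and size_ok and sum(hits.values()) >= MIN_STRINGS
    return {"matched": matched, "mz": is_mz, "size_ok": size_ok, "strings": hits}

def triage(data: bytes) -> dict:
    """Rule verdict plus SHA-256 and whether it is one of the rule's own reference hashes."""
    result = evaluate_rule(data)
    result["sha256"] = hashlib.sha256(data).hexdigest()
    result["known_sample"] = result["sha256"] in KNOWN_HASHES
    return result

# Constructed buffers (not real samples) that exercise each clause of the condition.
SAMPLE_MATCH = b"MZ\x90\x00" + b"\x00" * 64 + b".dllfD\x00Khsppxu\x00" + b"\x00" * 16
SAMPLE_PARTIAL_WORD = b"MZ\x90\x00" + b"xKhsppxuy\x00.dllfDz\x00D$8.exe\x00"  # only $s3 is fullword
SAMPLE_NO_MZ = b"PK\x03\x04" + b"\x00.dllfD\x00Khsppxu\x00"

if __name__ == "__main__":
    for label, buf in [("match", SAMPLE_MATCH), ("partial", SAMPLE_PARTIAL_WORD), ("no_mz", SAMPLE_NO_MZ)]:
        print(label, triage(buf))
```

Run the script against a real file by replacing the constructed buffers with the file's bytes; the per-string dictionary shows exactly which of the three strings contributed to a hit, which is what an analyst needs when deciding whether a match is worth escalating.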
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar command-line arguments or file names.
Filter/Exclusion: Check for ProcessName = "schtasks.exe" and CommandLine LIKE '%/XML%' or CommandLine LIKE '%/RU%'.
Scenario: Microsoft EquationGroup Tool (Legacy Tool)
Description: The EquationGroup tool, which is part of the EquationGroup malware family, may be mistakenly flagged if it’s being used in a red team exercise or by a security team for testing.
Filter/Exclusion: Check for ProcessName = "eqgtool.exe" or FileVersionInfo = "EquationGroup Tool" to distinguish from malicious activity.
Scenario: Admin Task Using PowerShell for Log Analysis
Description: An administrator using PowerShell (powershell.exe) to analyze logs or perform forensic analysis may trigger the rule due to similar command patterns.
Filter/Exclusion: Check for ProcessName = "powershell.exe" and CommandLine LIKE '%-Command%' or CommandLine LIKE '%Get-EventLog%'.
Scenario: Legitimate File Extraction via PowerShell
Description: A PowerShell script used to extract files from a compressed archive (e.g., Expand-Archive or tar.exe) may trigger the rule due to similar process behavior.
Filter/Exclusion: Check for CommandLine LIKE '%Expand-Archive%' or CommandLine LIKE '%tar.exe -xvf%'.
Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job using wusa.exe or dism.exe may trigger the rule due to similar process execution patterns.
Filter/Exclusion: Check for `ProcessName =