The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of advanced persistent threat techniques to exfiltrate data or establish persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging known malware artifacts.
YARA Rule
rule EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927"
        hash2 = "5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae"
    strings:
        $x1 = "DFReader.exe logfile AESKey [-j] [-o outputfilename]" fullword ascii
        $x2 = "Double Feature Target Version" fullword ascii
        $x3 = "DoubleFeature Process ID" fullword ascii
        $op1 = { a1 30 21 41 00 89 85 d8 fc ff ff a1 34 21 41 00 }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) or ( 2 of them )
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic contains four patterns: three full-word ASCII strings ($x1, $x2, $x3) and one opcode byte sequence ($op1). A PE file (MZ header) under 300KB matches on any single pattern; any other file, or a larger PE, must contain at least two of them.
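The following is an added example, not part of the original page or of the rule author's tooling: a small pure-Python re-implementation of this rule's condition, useful for seeing exactly when the two branches of the condition fire before deploying the rule. The four patterns are copied from the rule above; the sample buffers are constructed here (padding around the rule's own strings, not real samples), and the `fullword` handling mirrors YARA's modifier, which rejects matches bordered by alphanumeric bytes.

```python
import struct

# Patterns copied from the rule on the page: three fullword ASCII strings and one opcode sequence.
RULE_STRINGS = {
    "$x1": b"DFReader.exe logfile AESKey [-j] [-o outputfilename]",
    "$x2": b"Double Feature Target Version",
    "$x3": b"DoubleFeature Process ID",
}
RULE_HEX = {
    "$op1": bytes.fromhex("a1 30 21 41 00 89 85 d8 fc ff ff a1 34 21 41 00"),
}
MAX_FILESIZE = 300 * 1024  # YARA's "300KB"


def match_pattern(data: bytes, pattern: bytes, fullword: bool) -> bool:
    """True if pattern occurs in data. With fullword, the occurrence must not be
    bordered by alphanumeric bytes (YARA's fullword modifier); other occurrences are tried."""
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return False
        if not fullword:
            return True
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(pattern):idx + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1


def matched_identifiers(data: bytes) -> list:
    """Identifiers of all rule patterns present in data, in rule order."""
    hits = [name for name, s in RULE_STRINGS.items() if match_pattern(data, s, fullword=True)]
    hits += [name for name, h in RULE_HEX.items() if match_pattern(data, h, fullword=False)]
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Evaluate: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) or ( 2 of them ).
    uint16(0) is read little-endian, as YARA does."""
    hits = matched_identifiers(data)
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    small = len(data) < MAX_FILESIZE
    matched = (is_mz and small and len(hits) >= 1) or len(hits) >= 2
    return {"matched": matched, "is_mz": is_mz, "filesize": len(data), "hits": hits}


# Constructed sample buffers (not real files): the rule's own strings wrapped in padding.
SAMPLE_PE_ONE_STRING = b"MZ" + b"\x00" * 200 + b"DoubleFeature Process ID\x00" + b"\x00" * 100
SAMPLE_TEXT_TWO_STRINGS = b"notes: Double Feature Target Version\nDoubleFeature Process ID\n"
SAMPLE_TEXT_ONE_STRING = b"notes: DoubleFeature Process ID\n"
SAMPLE_EMBEDDED = b"xxDoubleFeature Process IDyy"  # bordered by alnum bytes: fullword rejects it
SAMPLE_LARGE_PE = b"MZ" + b"\x00" * MAX_FILESIZE + b"DoubleFeature Process ID\x00"

if __name__ == "__main__":
    for label, buf in [("PE, one string", SAMPLE_PE_ONE_STRING),
                       ("text, two strings", SAMPLE_TEXT_TWO_STRINGS),
                       ("text, one string", SAMPLE_TEXT_ONE_STRING),
                       ("embedded (fullword fails)", SAMPLE_EMBEDDED),
                       ("PE over 300KB, one string", SAMPLE_LARGE_PE)]:
        print(f"{label:28s} -> {evaluate_rule(buf)}")
```

The two text samples show the practical difference between the branches: a memory dump, script or log that happens to contain two of the strings matches regardless of size or header, while a PE file over 300KB needs two patterns as well. For production scanning use the real engine (`yara -r rule.yar <dir>` or the yara-python module); this re-implementation is only for reasoning about the condition.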
Scenario: Legitimate System Update via Windows Server Update Services (WSUS)
Description: A Windows server receives a legitimate system update from WSUS, which includes files or registry changes that match the EquationGroup tool’s signature.
Filter/Exclusion: Check the source IP or server name against known WSUS servers, and filter by file paths common to Windows updates (e.g., C:\Windows\Temp\ or C:\Windows\SoftwareDistribution\).
Scenario: Scheduled Job for Log File Rotation
Description: A scheduled task runs to rotate and compress log files, which may involve file creation or modification in directories that resemble EquationGroup activity.
Filter/Exclusion: Filter by process name (e.g., logrotate.exe, gzip.exe) or check the command line arguments for log rotation tasks.
Scenario: Admin Task – Group Policy Object (GPO) Deployment
Description: An administrator deploys a Group Policy Object that modifies registry keys or files, which may trigger the detection due to similar file or registry changes.
Filter/Exclusion: Check the process origin (e.g., gpupdate.exe, gpmc.msc) and verify if the change is part of a known GPO deployment.
Scenario: Antivirus Quarantine Process
Description: An antivirus tool quarantines a file that matches the EquationGroup signature, leading to false positive detection.
Filter/Exclusion: Filter by process name (e.g., avgquarantine.exe, mcafee.exe) or check the file’s status in the antivirus quarantine database.
Scenario: System File Check (sfc /scannow)
Description: A system file check initiated by an administrator may result in temporary file creation or registry changes that match the EquationGroup detection logic.
Filter/Exclusion: