The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates adversary use of leaked Equation Group tooling, in this case the DoublePulsar operator utility from the Shadow Brokers' April 2017 release, on the scanned host. The tooling is legacy, but it was reused widely after the leak and is associated with advanced persistent threats, so SOC teams should proactively hunt for these artifacts on disk and in memory and triage any hits in Azure Sentinel to identify long-term, stealthy compromises that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13"
   strings:
      // Console output of the DoublePulsar operator tool; 'fullword' requires
      // the string to be bordered by non-alphanumeric bytes on both sides
      $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
      $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
      $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
   condition:
      // PE magic "MZ" read as little-endian uint16, a small file, and any one string
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed in any YARA-capable file or memory scanner. Its detection logic contains 3 string patterns, all console output of the operator tool, and the condition fires when the scanned object starts with the MZ header, is smaller than 100KB and contains any one of them (1 of them), so a single string is enough to match. Because the rule matches file content rather than process activity, the process-level exclusion scenarios below cannot suppress a hit by themselves; apply them, if at all, as path or process allowlists in the scanning tool, and treat a hit on these strings as a true positive until the file is confirmed to be a known security tool, test sample or analyst artifact.
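To make the condition concrete, the following is an added example, not code from the original page or from the rule's author, and not yara-python: a pure-Python re-implementation of the rule's three checks (MZ magic, filesize < 100KB, and fullword ascii matching of any one of the three strings) run over constructed byte buffers that stand in for a tiny PE. The build_sample helper and the SAMPLES buffers are constructed for illustration and are not real DoublePulsar artifacts.

```python
# Added example: pure-Python re-implementation of the rule's condition so the
# three checks can be stepped through without yara-python. All sample inputs
# below are constructed stand-ins, not real DoublePulsar binaries.

KB = 1024                      # YARA's KB suffix multiplies by 1024
MAX_SIZE = 100 * KB            # filesize < 100KB
MZ_MAGIC = 0x5A4D              # uint16(0) == 0x5a4d, little-endian "MZ"

# The $x strings from the rule, as bytes (the 'ascii' modifier).
STRINGS = {
    "$x1": b"[+] Ping returned Target architecture: %s - XOR Key: 0x%08X",
    "$x2": b"[.] Sending shellcode to inject DLL",
    "$x3": b"[-] Error setting ShellcodeFile name",
}


def _is_alnum(byte):
    """ASCII letter or digit, the boundary class YARA's 'fullword' uses."""
    return (0x30 <= byte <= 0x39) or (0x41 <= byte <= 0x5A) or (0x61 <= byte <= 0x7A)


def fullword_matches(data, needle):
    """Offsets where needle occurs and is not bordered by alphanumeric bytes.

    This mirrors YARA's 'fullword' modifier: an occurrence glued to other
    letters or digits (e.g. inside a longer token) does not count.
    """
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        end = i + len(needle)
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            hits.append(i)
        start = i + 1


def evaluate(data):
    """Apply the rule's condition to a byte buffer.

    Returns (matched, ids) where ids lists the $x strings that hit. The rule
    needs the MZ header, filesize < 100KB and at least one string (1 of them).
    """
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC
    small = len(data) < MAX_SIZE
    ids = [sid for sid, s in STRINGS.items() if fullword_matches(data, s)]
    return (is_mz and small and len(ids) >= 1), ids


def build_sample(payload, size=4 * KB, magic=b"MZ"):
    """Constructed stand-in for a tiny PE: magic, blank DOS stub, payload, padding."""
    body = magic + b"\x00" * 62 + payload
    return body + b"\x00" * max(0, size - len(body))


# Constructed test inputs (hypothetical, not real samples).
SAMPLES = {
    # one operator string, NUL-delimited as a C string literal would be in .rdata
    "operator_tool_like": build_sample(b"\x00" + STRINGS["$x2"] + b"\x00"),
    # same bytes fused into a longer alphanumeric token: fullword rejects it
    "fused_into_token": build_sample(b"XX" + STRINGS["$x2"] + b"abc"),
    # right string, wrong header: not a PE, so a text report or script never fires
    "not_pe": build_sample(b"\x00" + STRINGS["$x3"] + b"\x00", magic=b"\x7fE"),
    # right string and header, but 200KB: the filesize check fails
    "too_big": build_sample(b"\x00" + STRINGS["$x1"] + b"\x00", size=200 * KB),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        matched, ids = evaluate(blob)
        print(f"{name:20s} -> {'MATCH' if matched else 'no match'} {ids}")
```

Run it directly to see each sample's verdict. The fused_into_token case is what separates fullword from a plain substring search, and the not_pe case shows why the MZ check matters for false-positive control: the same strings inside an analyst's notes or a detection script do not satisfy the condition.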
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes associated with schtasks.exe where the command line includes known maintenance utilities (e.g., cleanmgr.exe, the Disk Cleanup tool).
Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup) to remove temporary files or system cache.
Filter/Exclusion: Exclude processes where the command line includes cleanmgr.exe and the target path is a standard system directory (e.g., C:\Windows\Temp).
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool (e.g., MsMpEng.exe, the Microsoft Defender Antivirus service) performing a full system scan.
Filter/Exclusion: Exclude processes whose full path is under C:\Windows\System32\ or the product's own install directory and whose image name matches a known security tool; key the exclusion on the full path and, where available, the code signer rather than on the image name alone, since a renamed binary is trivial for an attacker to produce.
Scenario: PowerShell Script for Log Rotation
Description: A PowerShell script (powershell.exe) used by the IT team to rotate or archive system logs.
Filter/Exclusion: Exclude processes where the command line includes logrotate.ps1 or a similar known script, and the user is a known system admin account.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) task running to deploy updates, which may involve file copying or registry modifications.
Filter/Exclusion: Exclude processes whose image or parent is CcmExec.exe or the task-sequence engine TSManager.exe, and where the user is the SCCM service account or a domain admin.