The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates that an adversary has deployed a component of the Equation Group toolkit published by the Shadow Brokers in April 2017 ("Lost in Translation"), a sophisticated and previously disclosed malware set that may be used for persistent, stealthy network infiltration. Because the rule matches file content rather than process telemetry, SOC teams should run it with an endpoint YARA scanner and correlate the resulting hits in Azure Sentinel to identify hosts where such a foothold may already have been established.
YARA Rule
rule EquationGroup_Toolset_Apr17_drivers_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "ee8b048f1c6ba821d92c15d614c2d937c32aeda7b7ea0943fd4f640b57b1c1ab"
   strings:
      $s1 = ".?AVFeFinallyFailure@@" fullword ascii
      $s2 = "hZwLoadDriver" fullword ascii
      $op1 = { b0 01 e8 58 04 00 00 c3 33 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 30KB and all of them )
}
This YARA rule can be deployed wherever file content is scanned (an endpoint YARA scanner, a sandbox, or a file-quarantine pipeline). Its detection logic contains 3 string patterns: two fullword ASCII strings ($s1, an MSVC RTTI type name, and $s2, an import-style name referencing ZwLoadDriver) and one hex byte sequence ($op1). The rule fires only when all three are present in a file that starts with the MZ header (uint16(0) == 0x5a4d, i.e. a PE file) and is smaller than 30 KB, which keeps the false-positive rate low but also means a sample padded above 30 KB or stripped of any one string will not match.
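To make the rule's semantics concrete, here is an added Python re-implementation of its condition. This is editor-added example code, not part of the page and not part of the signature-base rule itself. It evaluates each sub-condition separately so you can see why a file needs the MZ header, a size under 30 KB and all three strings at once, and it encodes YARA's fullword semantics (the string must not be bordered by alphanumeric characters). The sample blobs are constructed here and are not real Equation Group binaries; the build_sample helper and its parameters are assumptions for illustration only.

```python
import re

# Constants transcribed from the rule above; the evaluator around them is added example code.
STR_S1 = b".?AVFeFinallyFailure@@"
STR_S2 = b"hZwLoadDriver"
OP1 = bytes.fromhex("b0 01 e8 58 04 00 00 c3 33")
SIZE_LIMIT = 30 * 1024  # 'filesize < 30KB' (YARA's KB suffix means 1024 bytes)


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword ascii': the string must not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Return each sub-condition of the rule plus the overall verdict under 'match'."""
    checks = {
        "uint16(0) == 0x5a4d": data[:2] == b"MZ",  # 0x5a4d read little-endian is 'MZ'
        "filesize < 30KB": len(data) < SIZE_LIMIT,
        "$s1": fullword_ascii(data, STR_S1),
        "$s2": fullword_ascii(data, STR_S2),
        "$op1": OP1 in data,                       # plain hex string: exact byte match
    }
    checks["match"] = all(checks.values())         # header and size gates AND 'all of them'
    return checks


def build_sample(*, mz=True, fullword=True, with_op=True, size=2048) -> bytes:
    """Construct a synthetic test blob (hypothetical helper, not a real sample).

    mz=False swaps the header for an ELF magic; fullword=False glues the strings
    to alphanumeric neighbours so the fullword modifier rejects them; size controls
    the padded length so the filesize gate can be exercised.
    """
    header = b"MZ" if mz else b"\x7fELF"
    sep = b"\x00" if fullword else b"X"
    body = sep + STR_S1 + sep + STR_S2 + sep
    if with_op:
        body += OP1
    blob = header + body
    return blob + b"\x00" * (size - len(blob))


if __name__ == "__main__":
    cases = {
        "all conditions met": build_sample(),
        "strings not fullword": build_sample(fullword=False),
        "padded above 30KB": build_sample(size=40 * 1024),
        "not a PE file": build_sample(mz=False),
        "opcode sequence missing": build_sample(with_op=False),
    }
    for name, blob in cases.items():
        print(f"{name:24s} -> {evaluate_rule(blob)}")
```

The padded case is the one worth remembering when tuning: an attacker who appends 30 KB of junk to the binary defeats this particular rule without touching any of its strings, so a hit is strong evidence but a miss is not evidence of absence.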
Because the rule matches file content rather than process telemetry, the exclusions below apply to the process that created or loaded the matched file, which has to be joined from endpoint process-creation events. Suppress a hit only after the file's hash has been verified as known-good: a legitimate scheduled task or PowerShell job does not by itself explain a sub-30 KB PE file containing all three of the rule's strings.
Scenario: Legitimate scheduled system maintenance using Task Scheduler
Filter/Exclusion: Check for a CommandLine containing schtasks.exe or Task Scheduler and exclude processes whose parent process name indicates Task Scheduler.
Scenario: Regular use of PowerShell for administrative tasks such as user management or group policy updates
Filter/Exclusion: Filter out PowerShell scripts known to be used for legitimate administration (e.g., New-ADUser, Set-ADUser) or exclude powershell.exe processes whose parent is explorer.exe or services.exe.
Scenario: Deployment of Windows Update or Group Policy via Group Policy Object (GPO)
Filter/Exclusion: Exclude processes with gpupdate.exe or wuauclt.exe in the command line, or filter on the presence of Group Policy in the process description.
Scenario: Use of Windows Defender or Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) for malware scanning
Filter/Exclusion: Exclude processes with MsMpEng.exe or Windows Defender in the process name, or filter on the presence of Microsoft Defender in the command line.
Scenario: Execution of Windows PowerShell scripts for automation tasks such as log rotation or backup jobs
Filter/Exclusion: Exclude processes whose command line references known backup or log-management tools, or filter on the presence of .ps1 in the command line.
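As an added example, not taken from the page or from any vendor tooling, the following Python sketch shows how the exclusions above can be applied to a file-level YARA hit by joining it to process-creation telemetry first. The YaraHit and ProcessEvent records, the KNOWN_GOOD_SHA256 set and the sample events are constructed here; the scenario mapping in admin_scenario follows the filters listed above, while the tiering in triage (suppress only on a verified known-good hash, review when the creating process matches one of the scenarios, escalate otherwise) is the editor's design choice.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class YaraHit:
    host: str
    path: str
    sha256: str
    rule: str


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # process that created or loaded the file
    parent_image: str
    command_line: str
    target_path: str    # file written or loaded by the process


# Hashes verified against a gold image; constructed placeholder value.
KNOWN_GOOD_SHA256 = {"1" * 64}


def admin_scenario(ev: ProcessEvent) -> Optional[str]:
    """Map process context to one of the legitimate-activity scenarios above, or None."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.command_line.lower()
    if "schtasks.exe" in cmd or "task scheduler" in parent:
        return "scheduled maintenance"
    if image.endswith("powershell.exe") and parent.endswith(("explorer.exe", "services.exe")):
        return "powershell administration"
    if "gpupdate.exe" in cmd or "wuauclt.exe" in cmd:
        return "group policy / windows update"
    if image.endswith("msmpeng.exe"):
        return "defender scan"
    return None


def triage(hit: YaraHit, events: list) -> str:
    """Decide whether a hit is suppressed, queued for review, or escalated."""
    if hit.sha256 in KNOWN_GOOD_SHA256:
        return "suppress: known-good hash"
    context = [e for e in events
               if e.host == hit.host and e.target_path.lower() == hit.path.lower()]
    if not context:
        return "escalate: no process context for matched file"
    scenarios = sorted({s for s in map(admin_scenario, context) if s})
    if scenarios:
        # Admin context explains the activity but not the file; keep a human in the loop.
        return "review: admin context (" + ", ".join(scenarios) + ") but hash unverified"
    return "escalate: unexplained file matched " + hit.rule


RULE = "EquationGroup_Toolset_Apr17_drivers_Implant"
LEAK_HASH = "ee8b048f1c6ba821d92c15d614c2d937c32aeda7b7ea0943fd4f640b57b1c1ab"  # hash1 from the rule

# Constructed sample telemetry (hostnames, paths and command lines are invented).
EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1",
                 r"C:\Windows\Temp\drv.sys"),
    ProcessEvent("WS02", r"C:\Users\bob\AppData\Local\Temp\upd.exe",
                 r"C:\Windows\System32\cmd.exe", "upd.exe /s",
                 r"C:\Windows\Temp\drv.sys"),
]
HIT_ADMIN_CONTEXT = YaraHit("WS01", r"C:\Windows\Temp\drv.sys", LEAK_HASH, RULE)
HIT_UNEXPLAINED = YaraHit("WS02", r"C:\Windows\Temp\drv.sys", LEAK_HASH, RULE)
HIT_NO_CONTEXT = YaraHit("WS03", r"C:\Windows\Temp\drv.sys", LEAK_HASH, RULE)
HIT_KNOWN_GOOD = YaraHit("WS01", r"C:\Windows\Temp\drv.sys", "1" * 64, RULE)

if __name__ == "__main__":
    for hit in (HIT_ADMIN_CONTEXT, HIT_UNEXPLAINED, HIT_NO_CONTEXT, HIT_KNOWN_GOOD):
        print(hit.host, "->", triage(hit, EVENTS))
```

The point of the ordering is that a process-based exclusion never reaches "suppress" on its own: it can only downgrade a hit to "review", and the only path to silence is a hash the team has positively vouched for.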