The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of sophisticated malware associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by threat actors leveraging known malicious tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_DS_ParseLogs {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "0228691d63038b072cdbf50782990d505507757efbfa87655bb2182cf6375956"
    strings:
        $x1 = "* Size (%d) of remaining capture file is too small to contain a valid header" fullword wide
        $x2 = "* Capture header not found at start of buffer" fullword wide
        $x3 = "Usage: %ws <capture_file> <results_prefix>" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
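To make the rule's condition concrete for analysts who tune it, the following added example (not part of the page, and not using yara-python) re-implements the three checks the condition combines: an MZ header via uint16(0) == 0x5a4d, a file size below 100KB, and at least one of the three strings found as UTF-16LE (the `wide` modifier) with no alphanumeric wide character glued to either side (the `fullword` modifier). The helper names `evaluate`, `make_sample`, `find_wide_fullword` and the sample buffers are constructed for this example; the byte layout of the samples is synthetic, not taken from the referenced hash.

```python
import struct

# Constructed re-implementation of the page's YARA condition (not yara-python).
RULE_NAME = "EquationGroup_Toolset_Apr17_DS_ParseLogs"
MAX_SIZE = 100 * 1024  # YARA's "100KB" literal means 100 * 1024 bytes

# The three strings from the rule, each declared "fullword wide".
WIDE_STRINGS = {
    "$x1": "* Size (%d) of remaining capture file is too small to contain a valid header",
    "$x2": "* Capture header not found at start of buffer",
    "$x3": "Usage: %ws <capture_file> <results_prefix>",
}


def _is_alnum_wide(data: bytes, pos: int) -> bool:
    """True if the two bytes at pos form a UTF-16LE ASCII alphanumeric character."""
    if pos < 0 or pos + 1 >= len(data):
        return False
    # bytes.isalnum() is ASCII-only, matching YARA's isalnum() check.
    return bytes([data[pos]]).isalnum() and data[pos + 1] == 0


def find_wide_fullword(data: bytes, text: str) -> list:
    """Offsets where text occurs as UTF-16LE and is not adjoined by alphanumeric wide chars."""
    needle = text.encode("utf-16-le")
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            break
        end = i + len(needle)
        # fullword: the wide character before and after the match must not be alphanumeric.
        if not _is_alnum_wide(data, i - 2) and not _is_alnum_wide(data, end):
            hits.append(i)
        start = i + 1
    return hits


def evaluate(data: bytes) -> dict:
    """Return the verdict plus which string identifiers fired, mirroring the YARA condition."""
    matched = {sid: find_wide_fullword(data, s) for sid, s in WIDE_STRINGS.items()}
    has_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    return {
        "rule": RULE_NAME,
        "mz": has_mz,
        "size_ok": size_ok,
        "strings": {sid: offs for sid, offs in matched.items() if offs},
        "match": has_mz and size_ok and any(matched.values()),
    }


def make_sample(strings, wide=True, size=4096, mz=True, prefix="", suffix=""):
    """Build a constructed byte buffer: optional MZ header, 62 filler bytes, then the strings."""
    body = bytearray(b"MZ" if mz else b"\x00\x00")
    body += b"\x90" * 62
    for s in strings:
        text = prefix + s + suffix
        body += text.encode("utf-16-le") if wide else text.encode("ascii")
        body += b"\x00\x00"  # wide NUL terminator, not alphanumeric
    body += b"\x00" * max(0, size - len(body))
    return bytes(body)


# Constructed samples covering the hit case and each way the condition can fail.
SAMPLES = {
    "hit": make_sample([WIDE_STRINGS["$x3"]]),                     # all three checks pass
    "ascii_only": make_sample([WIDE_STRINGS["$x3"]], wide=False),  # "wide" means ASCII does not count
    "not_pe": make_sample([WIDE_STRINGS["$x3"]], mz=False),        # uint16(0) != 0x5a4d
    "too_big": make_sample([WIDE_STRINGS["$x3"]], size=200 * 1024),  # filesize >= 100KB
    "glued": make_sample([WIDE_STRINGS["$x3"]], prefix="X"),       # "XUsage: ..." fails fullword
    "punct_neighbour": make_sample([WIDE_STRINGS["$x3"]], prefix="("),  # "(" is not alnum, still a hit
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, evaluate(buf))
```

Running it shows only `hit` and `punct_neighbour` fire; the other four each fail exactly one of the three checks, which is the behaviour to keep in mind when a suspected sample arrives as an ASCII-only build, exceeds 100KB, or is a non-PE artefact such as a memory dump.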
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running schtasks.exe or task scheduler to perform system maintenance or updates.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler and exclude processes with CommandLine containing /create or /run.
Scenario: PowerShell Script Execution for Patch Management
Description: A PowerShell script (powershell.exe) is used to apply patches or updates, which may include commands similar to those used by the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing Update-Module, Install-Module, or Invoke-Command with known patching tools.
Scenario: Admin Task Using msiexec.exe for Software Deployment
Description: An administrator is deploying software using msiexec.exe, which may trigger the same network or file activity as the EquationGroup tool.
Filter/Exclusion: Exclude processes with ProcessName msiexec.exe and filter by CommandLine containing /i (install) or /u (uninstall) with known enterprise software packages.
Scenario: Log File Analysis Using logparser.exe
Description: A security analyst is using logparser.exe to analyze system logs, which may involve parsing files or querying data in a manner similar to the EquationGroup tool.
Filter/Exclusion: Exclude processes with ProcessName logparser.exe and check for CommandLine containing eventlog or sql as part of log analysis.
Scenario: Network Monitoring Tool Using tcpview.exe or Wireshark
Description: A network monitoring tool like tcpview.exe or `