The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_Dsz_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "fbe103fac45abe4e3638055a3cac5e7009166f626cf2d3049fb46f3b53c1057f"
      hash2 = "ad1dddd11b664b7c3ad6108178a8dade0a6d9795358c4a7cedbe789c62016670"
   strings:
      $s1 = "%02u:%02u:%02u.%03u-%4u: " fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
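To make the rule's condition concrete, the following added Python example (not part of the page or of the rule author's work, and not requiring yara-python) re-implements the three clauses of the condition in plain code: the little-endian `uint16(0) == 0x5a4d` check for the `MZ` header, the `filesize < 1000KB` bound (YARA's `KB` suffix multiplies by 1024), and the `fullword ascii` semantics of `$s1`, which require the bytes on either side of the match to be non-alphanumeric even though the pattern itself ends in a space. The sample buffers are constructed for illustration and are not real samples; the string and condition are copied from the rule above.

```python
"""Plain-Python evaluation of the EquationGroup_Toolset_Apr17_Dsz_Implant
rule logic (added example). Assumption: the single string and the condition
are copied verbatim from the rule on this page; all sample buffers below are
constructed test data, not real files."""

# The rule's string(s). With one entry, "all of them" means it must match.
RULE_STRINGS = [b"%02u:%02u:%02u.%03u-%4u: "]
MAX_FILESIZE = 1000 * 1024  # YARA's "1000KB" is 1000 * 1024 bytes


def uint16(data: bytes, offset: int):
    """YARA uint16(offset): little-endian 16-bit read, None if out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def fullword_ascii(data: bytes, pattern: bytes) -> bool:
    """Emulate a 'fullword ascii' string: some occurrence of the pattern must
    have no alphanumeric byte immediately before or after it. YARA checks the
    neighbouring bytes regardless of the pattern's own boundary characters,
    so 'abc%02u:...: xyz' does NOT match even though the pattern ends in a space."""
    start = 0
    while (idx := data.find(pattern, start)) != -1:
        end = idx + len(pattern)
        before_ok = idx == 0 or not data[idx - 1:idx].isalnum()
        after_ok = end == len(data) or not data[end:end + 1].isalnum()
        if before_ok and after_ok:
            return True
        start = idx + 1
    return False


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 1000KB and all of them."""
    return (uint16(data, 0) == 0x5A4D
            and len(data) < MAX_FILESIZE
            and all(fullword_ascii(data, s) for s in RULE_STRINGS))


def make_sample(body: bytes, magic: bytes = b"MZ", size: int = 4096) -> bytes:
    """Constructed test buffer: a 2-byte magic, 62 NUL bytes (where a real
    DOS header would sit), the body, then NUL padding up to `size`."""
    raw = magic + b"\x00" * 62 + body
    return raw.ljust(size, b"\x00")


# Constructed samples, one per clause of the condition.
SAMPLES = {
    "nul_terminated_string": make_sample(b"%02u:%02u:%02u.%03u-%4u: \x00"),
    "string_inside_word": make_sample(b"abc%02u:%02u:%02u.%03u-%4u: xyz"),
    "no_string": make_sample(b"some other data"),
    "not_a_pe": make_sample(b"%02u:%02u:%02u.%03u-%4u: \x00", magic=b"ZM"),
    "too_large": make_sample(b"%02u:%02u:%02u.%03u-%4u: \x00", size=MAX_FILESIZE),
}


def classify_samples() -> dict:
    """Evaluate the rule against every constructed sample."""
    return {name: rule_matches(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

Only the NUL-terminated sample matches; the same format string embedded inside a longer word fails the `fullword` boundary check, a file whose first two bytes are not `MZ` fails the header check, and a file of exactly 1000KB fails the strict `<` size bound. This is the behaviour a compiled copy of the rule will show, so it is a useful sanity check before tuning exclusions in a hunt.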
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses certutil or powershell to query certificate stores, which may resemble the EquationGroup tool's behavior.
Filter/Exclusion: Exclude processes associated with Task Scheduler or schtasks.exe with known maintenance scripts.

Scenario: Windows Update or Patching Process
Description: Windows Update may execute scripts or use certutil to verify certificate chains during patching, triggering the detection rule.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe or svchost.exe related to Windows Update.

Scenario: Admin Performing Certificate Management
Description: An administrator manually manages certificates using certutil or PowerShell, which may match the detection logic for EquationGroup activity.
Filter/Exclusion: Exclude processes with certutil or PowerShell.exe where the command line includes certificate management commands (e.g., certutil -viewstore -user).

Scenario: Logon Script Execution
Description: A logon script may use certutil or powershell to perform user-specific certificate checks, which could be flagged by the rule.
Filter/Exclusion: Exclude processes initiated by logonui.exe or runonce.exe with known logon scripts.

Scenario: Third-Party Security Tool Integration
Description: A third-party security tool or EDR solution may use certutil or similar commands to validate signatures or certificates during integration.
Filter/Exclusion: Exclude processes from known security vendors (e.g., CrowdStrike, SentinelOne, etc.) or those with certutil commands used for signature validation.