The hypothesis is that a match on this rule (EquationGroup Tool - April Leak) indicates potential adversary activity leveraging a known malware tool associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated adversaries reusing legacy malware.
YARA Rule
rule EquationGroup_Toolset_Apr17_DUMPEL {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "bf42532be2d36f522dca7d3d3eb40b1d25c33d508a5a37c7e28f148945136dc6"
    strings:
        $x1 = "dumpel -f file [-s \\\\server]" fullword ascii
        $x2 = "records will not appear in the dumped log." fullword ascii
        $x3 = "obj\\i386\\Dumpel.exe" fullword ascii
        $s13 = "DUMPEL Usage: " fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
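To make the condition concrete, the following is an added Python re-implementation of this rule's logic (example code, not part of the original page or of the rule author's tooling): it emulates the MZ-header check, the 200KB size bound and YARA's fullword ascii matching, then runs them over constructed buffers to show why a text file quoting the usage banner does not fire while a small PE containing it does. The fullword emulation and the sample buffers are assumptions for illustration.

```python
import re

# The rule's four string patterns as the literal bytes YARA searches for.
# YARA's "\\\\" escape yields two backslashes; the bytes literal spells it the same way.
STRINGS = {
    "$x1": b"dumpel -f file [-s \\\\server]",
    "$x2": b"records will not appear in the dumped log.",
    "$x3": b"obj\\i386\\Dumpel.exe",
    "$s13": b"DUMPEL Usage: ",
}

MAX_SIZE = 200 * 1024  # "filesize < 200KB" (YARA's KB suffix means 1024 bytes)


def fullword_ascii(pattern: bytes, data: bytes) -> bool:
    """Emulate YARA 'fullword ascii': the match must not be immediately
    preceded or followed by an alphanumeric byte."""
    regex = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(regex, data) is not None


def matches_rule(data: bytes) -> dict:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 200KB and 1 of them."""
    # uint16(0) is read little-endian, so 0x5a4d is the two bytes b"MZ"
    # (DOS/PE header); a plain text file never passes this clause.
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    hits = [name for name, pat in STRINGS.items() if fullword_ascii(pat, data)]
    return {"match": is_pe and len(data) < MAX_SIZE and len(hits) >= 1,
            "strings": hits}


# Constructed inputs (not real samples): a small MZ-headed buffer carrying the
# usage banner, a plain-text note quoting the banner, and an oversized MZ buffer
# that the filesize clause must reject even though a string is present.
SAMPLE_PE = (b"MZ" + b"\x00" * 62
             + b"DUMPEL Usage: \r\ndumpel -f file [-s \\\\server]\x00")
SAMPLE_TXT = b"Notes\nDUMPEL Usage: \nis the banner printed by the tool\n"
SAMPLE_BIG = b"MZ" + b"\x00" * MAX_SIZE + b"DUMPEL Usage: "

if __name__ == "__main__":
    for label, blob in (("pe", SAMPLE_PE), ("txt", SAMPLE_TXT), ("big", SAMPLE_BIG)):
        print(label, matches_rule(blob))
```

Running the block shows the text note reporting a string hit but no rule match, which is the behaviour to expect when triaging help files or documentation that quote tool banners.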
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a script or tool like schtasks.exe or task scheduler that performs routine maintenance (e.g., log cleanup, disk defragmentation).
Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, and filter out tasks with known maintenance scripts or paths like C:\Windows\System32\sched\ or C:\Windows\tasks\.
Scenario: Admin Using EquationGroup Tools for Forensic Analysis
Description: A security or incident response team member is using actual EquationGroup tools (e.g., eqgtool, eqgdecrypt) for forensic analysis or malware research.
Filter/Exclusion: Check for User field matching known SOC or IR team members, or CommandLine containing keywords like --forensic, --analysis, or --debug.
Scenario: Legitimate Software Update or Patch Deployment
Description: A system administrator is deploying a legitimate software update or patch using tools like Windows Update, WSUS, or Group Policy.
Filter/Exclusion: Filter by ProcessName such as wuauclt.exe, msiexec.exe, or gpupdate.exe, and exclude processes with paths related to Microsoft Update or enterprise patch management servers.
Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script (e.g., powershell.exe) is used to configure system settings, manage services, or deploy configurations, which may resemble malicious activity.
Filter/Exclusion: Filter by CommandLine containing --config, --deploy, or --setup, and check for User matching authorized admin accounts. Exclude scripts with known legitimate paths like `C:\Windows\System32\Windows