The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary use of advanced persistent threat techniques to exfiltrate data or establish persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage advanced threats that may evade traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6"
        hash2 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd"
        hash3 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
        hash4 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
        hash5 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
    strings:
        $x1 = "* Listening Post DLL %s() returned error code %d." fullword ascii
        $s1 = "WsaErrorTooManyProcesses" fullword ascii
        $s2 = "NtErrorMoreProcessingRequired" fullword ascii
        $s3 = "Connection closed by remote host (TCP Ack/Fin)" fullword ascii
        $s4 = "ServerErrorBadNamePassword" fullword ascii
    condition:
        // 'and' binds tighter than 'or': the rule fires on a PE (MZ header) under 2000KB
        // containing all $s strings, or on any file containing the high-confidence $x1 string
        ( uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or 1 of ($x*) )
}
This rule contains five string patterns in its detection logic: one high-confidence indicator ($x1) and four supporting strings ($s1 through $s4). The scenarios below describe benign activity that may resemble a hit and the filters used to exclude it.
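As an added illustration (not part of the original rule or this page), the following pure-Python re-implementation of the rule's condition shows how YARA's operator precedence splits it into two independent branches and how the fullword modifier behaves; the sample blobs are constructed inline and no YARA engine is assumed.

```python
import re

# Strings from the rule above (all "fullword ascii"); $x1 is the high-confidence one.
X_STRINGS = {"$x1": b"* Listening Post DLL %s() returned error code %d."}
S_STRINGS = {
    "$s1": b"WsaErrorTooManyProcesses",
    "$s2": b"NtErrorMoreProcessingRequired",
    "$s3": b"Connection closed by remote host (TCP Ack/Fin)",
    "$s4": b"ServerErrorBadNamePassword",
}
MAX_SIZE = 2000 * 1024  # the rule's "filesize < 2000KB"


def fullword_in(needle: bytes, data: bytes) -> bool:
    """YARA 'fullword': the match may not be flanked by alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> set:
    """Identifiers of every rule string present in the sample (useful for triage)."""
    return {name for name, s in {**X_STRINGS, **S_STRINGS}.items() if fullword_in(s, data)}


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition as YARA parses it: 'and' binds tighter than 'or', so
    (uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*)) or 1 of ($x*).
    The $x1 branch therefore fires on any file, PE or not, of any size."""
    found = matched_strings(data)
    is_mz = data[:2] == b"MZ"  # uint16(0) read little-endian == 0x5a4d
    pe_branch = is_mz and len(data) < MAX_SIZE and set(S_STRINGS) <= found
    x_branch = bool(set(X_STRINGS) & found)
    return pe_branch or x_branch


# Constructed samples (fake headers plus embedded strings, not real binaries).
PAD = b"\x00" * 62
SAMPLE_PE_ALL_S = b"MZ" + PAD + b" ".join(S_STRINGS.values())              # matches
SAMPLE_PE_THREE_S = b"MZ" + PAD + b" ".join(list(S_STRINGS.values())[:3])  # no match
SAMPLE_NOT_PE_WITH_X = b"PK\x03\x04" + PAD + X_STRINGS["$x1"]             # matches via $x1
SAMPLE_PE_GLUED = b"MZ" + PAD + b"x".join(S_STRINGS.values()) + b"y"       # fullword fails

if __name__ == "__main__":
    for label, blob in [("pe_all_s", SAMPLE_PE_ALL_S), ("pe_three_s", SAMPLE_PE_THREE_S),
                        ("not_pe_with_x", SAMPLE_NOT_PE_WITH_X), ("pe_glued", SAMPLE_PE_GLUED)]:
        print(f"{label:14s} match={rule_matches(blob)!s:5s} strings={sorted(matched_strings(blob))}")
```

When triaging a hit, matched_strings() tells an analyst whether the alert came from the $x1 branch alone or from the full PE-plus-$s set, which carry different confidence.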
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or cleanmgr.exe and exclude processes with known maintenance command-line arguments.
Scenario: Microsoft Equation Group Tool (Legitimate)
Description: The actual EquationGroup tool used by Microsoft for internal purposes, which may be present in some enterprise environments.
Filter/Exclusion: Check for ProcessName matching equationgroup.exe or ms-equationgroup.exe and verify against known Microsoft-signed binaries.
Scenario: Admin PowerShell Script Execution
Description: A PowerShell script executed by an administrator to perform system diagnostics or configuration changes, which may include similar command-line patterns.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing -Command or -File with known admin scripts.
Scenario: Antivirus or EDR Scan
Description: A legitimate security tool, such as Microsoft Defender or CrowdStrike Falcon, performing a scan that may trigger similar behavior.
Filter/Exclusion: Check for ProcessName matching MsMpEng.exe, Falcon.exe, or mpsvc.exe and exclude processes associated with known security tools.
Scenario: Database Backup Job
Description: A database backup job using tools like sqlbackup.exe or mysqldump.exe that may exhibit similar network or file system activity.
Filter/Exclusion: Filter by ProcessName containing sqlbackup.exe, mysqldump.exe, or pg_dump.exe and verify against known backup command-line arguments.