The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_Easybee_1_0_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "59c17d6cb564edd32c770cd56b5026e4797cf9169ff549735021053268b31611"
   strings:
      $x1 = "@@for /f \"delims=\" %%i in ('findstr /smc:\"%s\" *.msg') do if not \"%%MsgFile1%%\"==\"%%i\" del /f \"%%i\"" fullword ascii
      $x2 = "Logging out of WebAdmin (as target account)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
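To see exactly what this rule's condition accepts and rejects before deploying it, the following added example (not the YARA engine and not tooling from the rule's author) re-implements the condition in plain Python: the MZ magic check via a little-endian uint16 at offset 0, the 200KB size cap, and "1 of them" over the two $x strings with YARA's fullword semantics (no alphanumeric byte immediately before or after the match). The samples in SAMPLES and the helper _fake_pe are constructed stand-ins, not real files from the leak.

```python
import re
import struct

# Added example: plain-Python mirror of the rule's condition for offline
# testing. Not the YARA engine; use the real yara tool for production scans.

RULE_NAME = "EquationGroup_Toolset_Apr17_Easybee_1_0_1"
MAX_FILESIZE = 200 * 1024  # YARA's "200KB" means 200 * 1024 bytes

# The two $x strings from the rule, de-escaped from YARA syntax into raw bytes.
RULE_STRINGS = {
    "$x1": b'@@for /f "delims=" %%i in (\'findstr /smc:"%s" *.msg\') do if not '
           b'"%%MsgFile1%%"=="%%i" del /f "%%i"',
    "$x2": b"Logging out of WebAdmin (as target account)",
}


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Offsets where needle occurs as a YARA 'fullword' match: the match must not
    be immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return [m.start() for m in re.finditer(pattern, data)]


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition: uint16(0) == 0x5a4d, filesize < 200KB, 1 of them."""
    has_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = {name: fullword_offsets(data, s) for name, s in RULE_STRINGS.items()}
    hits = {name: offs for name, offs in hits.items() if offs}
    return {
        "rule": RULE_NAME,
        "matched": has_mz and size_ok and len(hits) >= 1,
        "has_mz": has_mz,
        "size_ok": size_ok,
        "strings": hits,
    }


def _fake_pe(payload: bytes, pad: int = 512) -> bytes:
    """Constructed stand-in for a PE file: MZ magic, zero padding, then payload."""
    return b"MZ" + b"\x00" * pad + payload + b"\x00" * 16


# Constructed samples covering each branch of the condition.
SAMPLES = {
    "easybee_like": _fake_pe(RULE_STRINGS["$x2"]),            # MZ + $x2 -> match
    "benign_pe": _fake_pe(b"Hello from an ordinary installer"),  # MZ, no strings
    "text_only": b"log: " + RULE_STRINGS["$x2"],              # string but no MZ header
    "too_large": _fake_pe(RULE_STRINGS["$x1"], pad=MAX_FILESIZE),  # over 200KB
    "not_fullword": _fake_pe(b"x" + RULE_STRINGS["$x2"]),     # glued to a letter
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = evaluate_rule(blob)
        print(f"{name:13} matched={str(r['matched']):5} mz={r['has_mz']} "
              f"size_ok={r['size_ok']} strings={list(r['strings'])}")
```

Running the block shows that only the first sample matches: a string hit alone is not enough without the MZ magic and the size cap, and a string embedded inside a longer alphanumeric run fails fullword. Note that the condition is evaluated over file bytes, so tuning it against false positives means checking which files in the environment carry these strings, not which process names appear in telemetry.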
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar process names or behavior.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance job names (e.g., Cleanup-System-Logs or Disk-Defrag-Task).
Scenario: Windows Update or Patching Process
Description: The wuauclt.exe process, used by Windows Update, may be flagged due to its network activity or process tree similarities to malicious behavior.
Filter/Exclusion: Exclude processes with the full path C:\Windows\System32\wuauclt.exe or those running under the NT SERVICE\wuauserv account.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like mpsvc.exe (from Microsoft Defender) or avgnt.exe may trigger the rule due to similar network behavior or process execution patterns.
Filter/Exclusion: Exclude processes associated with known security tools (e.g., mpsvc.exe, avgnt.exe, mcafee.exe) or those running under the LocalSystem account.
Scenario: Database Backup Job Execution
Description: A scheduled SQL Server backup job using sqlservr.exe or sqlbackup.exe may trigger the rule due to process execution or network activity.
Filter/Exclusion: Exclude processes initiated by SQL Server Agent jobs or those with specific command-line arguments related to backups (e.g., -Backup or -JobName).
Scenario: PowerShell Script for System Monitoring
Description: A legitimate PowerShell script (e.g., powershell.exe) used for system monitoring or log analysis may trigger the rule