The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware variant associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise from sophisticated adversaries.
YARA Rule
rule EquationGroup_Toolset_Apr17_Easypi_Explodingcan {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "dc1ddad7e8801b5e37748ec40531a105ba359654ffe8bdb069bd29fb0b5afd94"
        hash2 = "97af543cf1fb59d21ba5ec6cb2f88c8c79c835f19c8f659057d2f58c321a0ad4"
    strings:
        $x1 = "[-] %s - Target might not be in a usable state." fullword ascii
        $x2 = "[*] Exploiting Target" fullword ascii
        $x3 = "[-] Encoding Exploit Payload failed!" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
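As an added example (not part of the original page or of the rule author's tooling), the following Python re-implements the rule's condition clause by clause, the MZ magic check, the 100KB size bound and YARA's fullword ascii boundary test, so an analyst can see why a given buffer does or does not fire it without needing yara-python installed. The three strings are the rule's own; the sample buffers are constructed here and are not real files.

```python
# Added example: re-implements the rule's condition in plain Python (no yara-python
# needed) to show how each clause of the page's rule evaluates on sample input.
RULE_STRINGS = {  # the $x strings from the rule above, all "fullword ascii"
    "$x1": b"[-] %s - Target might not be in a usable state.",
    "$x2": b"[*] Exploiting Target",
    "$x3": b"[-] Encoding Exploit Payload failed!",
}
MAX_SIZE = 100 * 1024  # "filesize < 100KB"; YARA's KB suffix means 1024 bytes


def _is_alnum(byte: int) -> bool:
    # YARA's fullword boundary test: an ASCII letter or digit counts as a word char
    return byte < 128 and chr(byte).isalnum()


def fullword_match(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no alphanumeric byte directly before or after."""
    start = 0
    while (idx := data.find(needle, start)) >= 0:
        end = idx + len(needle)
        before_ok = idx == 0 or not _is_alnum(data[idx - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = idx + 1  # keep scanning: a later occurrence may be word-delimited
    return False


def evaluate_rule(data: bytes) -> dict:
    """Evaluate 'uint16(0) == 0x5a4d and filesize < 100KB and 1 of them'."""
    is_mz = data[:2] == b"MZ"  # 0x5a4d read little-endian from offset 0 is "MZ"
    size_ok = len(data) < MAX_SIZE
    hits = [name for name, s in RULE_STRINGS.items() if fullword_match(data, s)]
    return {"mz": is_mz, "size_ok": size_ok, "hits": hits,
            "match": is_mz and size_ok and len(hits) >= 1}


# Constructed sample buffers (not real files): a tiny fake PE carrying one string,
# a non-PE carrying the same string, and a PE where the string is glued to other
# letters so the fullword test fails.
SAMPLE_PE = b"MZ" + b"\x90" * 64 + b"\x00[*] Exploiting Target\x00" + b"\x00" * 32
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00[*] Exploiting Target\x00"
SAMPLE_EMBEDDED = b"MZ" + b"\x00abc[*] Exploiting Targets\x00"

if __name__ == "__main__":
    for label, buf in [("pe", SAMPLE_PE), ("elf", SAMPLE_NOT_PE), ("embedded", SAMPLE_EMBEDDED)]:
        print(label, evaluate_rule(buf))
```

The embedded case is the one to keep in mind when tuning: a string that appears inside a longer token will not satisfy fullword, which is why the rule's matches are tighter than a plain substring grep would suggest.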
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes where ImageLoaded contains schtasks.exe and CommandLine includes /create or /run with a known maintenance task name.

Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup) to remove temporary files or system cache.
Filter/Exclusion: Exclude processes where ImageLoaded is cleanmgr.exe and CommandLine includes /sagerun:1 or similar command-line switches used in scheduled tasks.

Scenario: Log File Rotation by Log Management Tool
Description: A log management tool like logrotate (on Linux) or the Windows Event Log rotation process that temporarily creates or modifies log files.
Filter/Exclusion: Exclude processes where ImageLoaded is logrotate or wevtutil.exe and the file path matches known log directories (e.g., C:\Windows\System32\LogFiles\).

Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like Windows Defender or McAfee performing a full system scan, which may temporarily access or modify files.
Filter/Exclusion: Exclude processes where ImageLoaded is MsMpEng.exe (Windows Defender) or mfev.exe (McAfee) and the file path is within known quarantine or scan directories.

Scenario: Database Backup Job Execution
Description: A database backup job using tools like sqlbackup.exe (SQL Server) or mysqldump that generates temporary files or interacts with system files.