The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, sophisticated threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "48251fb89c510fb3efa14c4b5b546fbde918ed8bb25f041a801e3874bd4f60f8"
        hash2 = "237c22f4d43fdacfcbd6e1b5f1c71578279b7b06ea8e512b4b6b50f10e8ccf10"
        hash3 = "79a584c127ac6a5e96f02a9c5288043ceb7445de2840b608fc99b55cf86507ed"
    strings:
        $x1 = "[-] Failed to Prepare Payload!" fullword ascii
        $x2 = "ShellcodeStartOffset" fullword ascii
        $x3 = "[*] Waiting for AuthCode from exploit" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
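To make the condition concrete, the following is an added example (not part of the page and not the rule author's code) that re-implements the rule's three clauses in plain Python: the little-endian MZ check that `uint16(0) == 0x5a4d` expresses, the `filesize < 100KB` bound (YARA's KB is 1024 bytes), and `1 of them` over the three `fullword ascii` strings, where fullword means the match must be bordered by non-alphanumeric bytes. The sample buffers are constructed here to exercise each clause; the only real content in them is the rule's own strings. Production scanning should use the YARA engine itself (for instance yara-python) with the published rule text; this script exists to show why a given file does or does not match.

```python
import re

# The three strings from the rule on the page, all declared 'fullword ascii'.
RULE_STRINGS = {
    "$x1": b"[-] Failed to Prepare Payload!",
    "$x2": b"ShellcodeStartOffset",
    "$x3": b"[*] Waiting for AuthCode from exploit",
}
MZ_MAGIC = 0x5A4D          # uint16(0) == 0x5a4d is little-endian "MZ"
MAX_FILESIZE = 100 * 1024  # YARA's 100KB means 100 * 1024 bytes


def uint16(data: bytes, offset: int):
    """Little-endian unsigned 16-bit read like YARA's uint16(); None if out of range,
    which makes the comparison false just as YARA's undefined value would."""
    if len(data) < offset + 2:
        return None
    return data[offset] | (data[offset + 1] << 8)


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the string must be delimited by non-alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and report which clauses held and which strings hit."""
    is_mz = uint16(data, 0) == MZ_MAGIC
    size_ok = len(data) < MAX_FILESIZE
    hits = [name for name, s in RULE_STRINGS.items() if fullword_matches(data, s)]
    return {
        "matched": is_mz and size_ok and len(hits) >= 1,  # '1 of them' = at least one
        "is_mz": is_mz,
        "size_ok": size_ok,
        "strings": hits,
    }


# Constructed sample buffers (assumed inputs, not real files); each isolates one clause.
SAMPLES = {
    "pe_with_string": b"MZ" + b"\x00" * 62 + b"\x00ShellcodeStartOffset\x00",
    "pe_not_fullword": b"MZ" + b"\x00" * 62 + b"xShellcodeStartOffsetx",   # bordered by letters
    "not_pe": b"\x7fELF" + b"\x00ShellcodeStartOffset\x00",                 # wrong magic
    "pe_too_large": b"MZ" + b"\x00" * MAX_FILESIZE + b"\x00ShellcodeStartOffset\x00",
    "pe_two_strings": b"MZ" + b"\x00[*] Waiting for AuthCode from exploit\x00"
                      b"[-] Failed to Prepare Payload!\x00",
}


def scan_samples() -> dict:
    """Map each constructed sample to the rule's overall verdict."""
    return {name: evaluate_rule(buf)["matched"] for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        r = evaluate_rule(buf)
        print(f"{name:16} matched={str(r['matched']):5} mz={r['is_mz']} "
              f"size_ok={r['size_ok']} strings={r['strings']}")
```

Running it shows the two edge cases that trip up hand-written triage: a buffer carrying the exact string but with alphanumeric neighbours does not match because of `fullword`, and a PE that carries the string but is 100 KB or larger is excluded by the size bound, which is why the rule is tuned to the small launcher binaries named in its hashes rather than to any file mentioning these strings.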
Scenario: Legitimate System Update via Windows Update
Description: A Windows update process may trigger the same network activity as the EquationGroup tool due to similar C2 communication patterns.
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "svchost.exe"
Scenario: Scheduled Job Running PowerShell Script for System Maintenance
Description: A scheduled task using PowerShell to perform system cleanup or patching may exhibit similar behavior to the EquationGroup tool.
Filter/Exclusion: process.name != "powershell.exe" or process.args != "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
Scenario: Admin Task Using Mimikatz for Credential Harvesting (Legitimate Security Audit)
Description: Security administrators may use Mimikatz in a controlled environment for credential auditing, which could match the behavior of the EquationGroup tool.
Filter/Exclusion: process.name != "mimikatz.exe" or process.user != "Administrators"
Scenario: Network Monitoring Tool Performing Traffic Analysis
Description: Tools like Wireshark or Microsoft Message Analyzer may generate network traffic similar to C2 activity, especially during packet capture or analysis.
Filter/Exclusion: process.name != "Wireshark.exe" and process.name != "mstsc.exe"
Scenario: Legitimate Remote Desktop Session with Encrypted Traffic
Description: A Remote Desktop Protocol (RDP) session with encryption may trigger alerts due to similar encrypted traffic patterns as the EquationGroup tool.
Filter/Exclusion: process.name != "mstsc.exe" or process.args != "/admin"