The hypothesis is that a detection of the EquationGroup tool from the April 2017 leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "46da99d80fc3eae5d1d5ab2da02ed7e61416e1eafeb23f37b180c46e9eff8a1c"
   strings:
      $x1 = "[-] The target is NOT vulnerable" fullword ascii
      $x2 = "[+] The target IS VULNERABLE" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 50KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule's detection logic uses two string patterns ($x1 and $x2), both declared fullword ascii. The condition fires only when the file starts with an MZ header (uint16(0) == 0x5a4d), is smaller than 50KB, and contains at least one of the two strings.
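To make the condition above concrete, here is an added Python re-implementation of the rule's logic (it is not part of the original page and does not use the yara library), evaluated against constructed sample byte strings that each exercise one part of the condition:

```python
import re

# The two strings from the rule above. "fullword ascii" means a match must not
# be immediately preceded or followed by an alphanumeric byte.
RULE_STRINGS = {
    "$x1": b"[-] The target is NOT vulnerable",
    "$x2": b"[+] The target IS VULNERABLE",
}
MAX_FILESIZE = 50 * 1024  # YARA's "50KB" is 50 * 1024 bytes


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Return True if needle occurs in data as a YARA-style fullword string."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition: MZ header, filesize < 50KB, 1 of them."""
    # uint16(0) reads the first two bytes little-endian; "MZ" == 0x5a4d.
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = [name for name, s in RULE_STRINGS.items() if fullword_match(data, s)]
    return {
        "is_mz": is_mz,
        "size_ok": size_ok,
        "hits": hits,
        "matched": is_mz and size_ok and len(hits) >= 1,
    }


# Constructed samples (not real malware): a fake PE stub carrying one of the
# strings, plus variants that should fail exactly one part of the condition.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
SAMPLE_HIT = PE_STUB + b"\r\n[+] The target IS VULNERABLE\r\n"
SAMPLE_NOT_PE = b"PK\x03\x04" + SAMPLE_HIT[4:]  # wrong magic bytes
SAMPLE_NOT_FULLWORD = PE_STUB + b"[-] The target is NOT vulnerableX"  # alnum follows
SAMPLE_TOO_LARGE = PE_STUB + b"\x00" * MAX_FILESIZE + b"[+] The target IS VULNERABLE"

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                       ("not_fullword", SAMPLE_NOT_FULLWORD),
                       ("too_large", SAMPLE_TOO_LARGE)]:
        print(name, evaluate_rule(blob))
```

Only SAMPLE_HIT satisfies all three parts of the condition; the other samples show that a string hit alone is not enough, which matters when triaging the false-positive scenarios listed below.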
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system caches.
Filter/Exclusion: Exclude processes where ImageLoaded contains schtasks.exe and CommandLine includes /create or /run with a known maintenance task name.

Scenario: Windows Update or Patching Process
Description: The Windows Update service or wusa.exe running to install patches or updates, which may produce activity resembling that of the EquationGroup tool.
Filter/Exclusion: Exclude processes where ImageLoaded is wusa.exe or svchost.exe and CommandLine includes --update or --install.

Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate security tool such as Windows Defender or McAfee performing a full system scan, which may exhibit similar network or file system activity.
Filter/Exclusion: Exclude processes where ImageLoaded is MsMpEng.exe or mfev.exe and CommandLine includes Scan or FullScan.

Scenario: Database Backup Job
Description: A scheduled SQL Server backup job using sqlbackup.exe or sqlcmd.exe that may interact with the file system or network in a manner resembling malicious activity.
Filter/Exclusion: Exclude processes where ImageLoaded is sqlbackup.exe or sqlcmd.exe and CommandLine includes BACKUP DATABASE or BACKUP LOG.

Scenario: Log File Rotation or Archive Task
Description: A legitimate log rotation or archive task using tools such as logrotate (Linux) or Robocopy (Windows) that may trigger similar file system activity.