The hypothesis is that a detection of "EquationGroup Tool - April Leak" indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-standing threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd"
        hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
        hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
        hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
    strings:
        $s1 = "Target is share name" fullword ascii
        $s2 = "Could not make UdpNetbios header -- bailing" fullword ascii
        $s3 = "Request non-NT session key" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
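To make the condition concrete, the following added example (not part of the original rule or its author's tooling) re-implements the rule's three checks in Python: the little-endian "MZ" test behind uint16(0) == 0x5a4d, the filesize bound, and the fullword semantics of the three ASCII strings. The sample buffers are constructed in-memory test data, not real files.

```python
import re
import struct

# String patterns copied from the rule's strings section.
RULE_STRINGS = (
    b"Target is share name",
    b"Could not make UdpNetbios header -- bailing",
    b"Request non-NT session key",
)
MAX_SIZE = 2000 * 1024  # YARA's "2000KB" (KB = 1024 bytes)


def fullword_ascii_present(data: bytes, s: bytes) -> bool:
    """Emulate YARA 'fullword ascii': the string matches only when it is
    not immediately preceded or followed by an alphanumeric byte, so
    "Target is share names" does NOT satisfy $s1."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes) -> bool:
    """Return True when all three parts of the rule's condition hold:
    uint16(0) == 0x5a4d (bytes 'MZ' read little-endian), filesize < 2000KB,
    and every string in RULE_STRINGS present as a fullword."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return all(fullword_ascii_present(data, s) for s in RULE_STRINGS)


def build_sample(header: bytes, strings, padding: int = 64) -> bytes:
    """Construct a test buffer: header, then each string NUL-terminated and
    followed by filler bytes. Constructed data, not a real binary."""
    body = b"".join(s + b"\x00" + b"\x90" * padding for s in strings)
    return header + body


# Constructed samples covering the match and the three ways to miss.
SAMPLE_MATCH = build_sample(b"MZ\x90\x00", RULE_STRINGS)
SAMPLE_NO_MZ = build_sample(b"\x7fELF", RULE_STRINGS)          # wrong magic
SAMPLE_PARTIAL = build_sample(b"MZ\x90\x00", RULE_STRINGS[:2])  # only 2 of 3
SAMPLE_NOT_FULLWORD = build_sample(                              # $s1 + trailing 's'
    b"MZ\x90\x00", (b"Target is share names",) + RULE_STRINGS[1:]
)

if __name__ == "__main__":
    for name in ("SAMPLE_MATCH", "SAMPLE_NO_MZ", "SAMPLE_PARTIAL", "SAMPLE_NOT_FULLWORD"):
        print(f"{name}: {matches_rule(globals()[name])}")
```

Only SAMPLE_MATCH satisfies the rule; the other three show why the MZ check, the "all of them" requirement and the fullword modifier each reduce false positives.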
Scenario: Legitimate system update using msiexec.exe
Filter/Exclusion: Check for msiexec.exe with command-line arguments containing "update" or "patch" and ensure the file path is within a known update directory (e.g., C:\Windows\Temp\ or C:\Program Files\Microsoft\Windows\).
Scenario: Scheduled backup job using vssadmin.exe
Filter/Exclusion: Filter events where vssadmin.exe is executed with arguments related to backup operations (e.g., "Create Shadow") and ensure the process is initiated by a known backup service account or scheduled task.
Scenario: Administrative task using taskkill.exe to terminate a process
Filter/Exclusion: Exclude instances where taskkill.exe is used with a valid process ID (PID) and is initiated by a user with administrative privileges (e.g., Administrators group or SYSTEM).
Scenario: Legitimate use of reg.exe for registry configuration changes
Filter/Exclusion: Filter events where reg.exe is used with known legitimate registry keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and the command is part of a documented configuration change.
Scenario: Use of certutil.exe for certificate management
Filter/Exclusion: Exclude certutil.exe commands that are part of certificate installation or renewal processes, especially when executed by a trusted certificate authority or enterprise management tool (e.g., Microsoft Management Console or Group Policy).