The hypothesis is that a match on the EquationGroup Tool - April Leak YARA rule indicates potential adversary use of the Educatedscholar exploit tool from the April 2017 Shadow Brokers leak: sophisticated legacy malware that may persist undetected in network environments. SOC teams should proactively hunt for this artefact in Azure Sentinel to identify and mitigate long-standing intrusions that traditional, signature-based detection methods may have missed.
YARA Rule
rule EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d"
    strings:
        // Status messages printed by the tool; fullword = not adjoining alphanumeric bytes
        $x1 = "[+] Shellcode Callback %s:%d" fullword ascii
        $x2 = "[+] Exploiting Target" fullword ascii
    condition:
        // PE file (MZ header), smaller than 150 KB, containing at least one of the strings
        ( uint16(0) == 0x5a4d and filesize < 150KB and 1 of them )
}
This YARA rule matches on file content, so it can be deployed wherever files are scanned with YARA; it does not observe process behaviour, command lines or event logs.
This rule contains 2 string patterns in its detection logic ($x1 and $x2). A file matches only when it starts with an MZ header (uint16(0) == 0x5a4d), is smaller than 150 KB, and contains at least one of the two strings as a whole word (fullword: the bytes immediately before and after the string must not be alphanumeric).
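As an added illustration (not part of the original page and not the rule author's tooling), the following Python emulates the rule's three clauses, the MZ header check, the 150 KB size guard and the fullword string search, and runs them over constructed sample buffers. It is deliberately a pure-Python emulation rather than a call into yara-python, so the semantics can be read in code; in production you would compile the rule with yara-python instead. The file names and contents in SAMPLES are constructed for the example.

```python
# Emulation of the rule condition above, written for this page; not yara-python.

# The two string patterns from the rule, both declared `fullword ascii`.
PATTERNS = {
    "$x1": b"[+] Shellcode Callback %s:%d",
    "$x2": b"[+] Exploiting Target",
}
MAX_SIZE = 150 * 1024   # YARA's `150KB` is 150 * 1024 bytes
MZ = 0x5A4D             # uint16(0) == 0x5a4d: little-endian read of "MZ"


def fullword_hits(data: bytes, needle: bytes) -> list:
    """Offsets where `needle` occurs delimited by non-alphanumeric bytes
    (YARA `fullword` semantics). Start and end of buffer count as delimiters."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            break
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        # bytes.isalnum() is ASCII-only, which matches YARA's ascii fullword check
        if not before.isalnum() and not after.isalnum():
            hits.append(i)
        start = i + 1
    return hits


def matches_rule(data: bytes) -> dict:
    """Evaluate the rule condition on one buffer and report which clauses held."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ
    size_ok = len(data) < MAX_SIZE
    strings = {name: fullword_hits(data, pat) for name, pat in PATTERNS.items()}
    return {
        "mz_header": is_mz,
        "size_ok": size_ok,
        "strings": {k: v for k, v in strings.items() if v},
        "match": is_mz and size_ok and any(strings.values()),
    }


def sample_pe(payload: bytes, pad_to: int = 0) -> bytes:
    """Constructed stand-in for a PE: an MZ signature, a 62-byte stub, then
    `payload`, padded with zeros to `pad_to` bytes. Not a loadable executable."""
    body = b"MZ" + b"\x90" * 62 + payload
    return body + b"\x00" * max(0, pad_to - len(body))


# Constructed samples covering the cases a triage analyst needs to tell apart.
SAMPLES = {
    # Small PE-like file carrying one rule string verbatim: matches.
    "tool.exe": sample_pe(b"\x00[+] Exploiting Target\x00"),
    # Same bytes glued to alphanumerics on both sides: fullword rejects it.
    "glued.exe": sample_pe(b"XX[+] Exploiting TargetYY"),
    # A PowerShell script containing the string: no MZ header, so no match.
    "audit.ps1": b'Write-Host "[+] Exploiting Target"\r\n',
    # PE-like file with a rule string but 200 KB in size: fails the size guard.
    "big.exe": sample_pe(b"\x00[+] Shellcode Callback %s:%d\x00", pad_to=200 * 1024),
}


def scan(samples: dict) -> dict:
    """Map each sample name to whether the full rule condition matched."""
    return {name: matches_rule(data)["match"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} {matches_rule(data)}")
```

Only tool.exe matches. audit.ps1 still reports a $x2 hit at offset 12, which is the point worth remembering when reading the false-positive scenarios below: a script can contain the string and still never trip the rule, because the MZ clause fails; and big.exe shows that the size guard, not the absence of the string, is what suppresses a large file.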
Scenario: Legitimate System Update via Windows Update
Description: Binaries staged by Windows Update are PE files, often under 150 KB, so they pass the header and size checks; however, the rule fires on two literal strings rather than on file names or behaviours, and Microsoft-signed update binaries are not expected to contain them.
Filter/Exclusion: If an update binary does match, verify its Authenticode signature and compare its hash with hash1 before excluding it; do not exclude on process name, and do not use EventID 6008, which records an unexpected shutdown and is unrelated to updates.
Scenario: Scheduled Job Running PowerShell Script for Compliance
Description: A .ps1 script is a text file without an MZ header, so it cannot match the rule even if it contains one of the strings; a match attributed to a compliance job means the scanned file was a PE executable that the job dropped, downloaded or loaded.
Filter/Exclusion: Pivot to the scanned file rather than the script: identify the PE that produced the hit, then use ProcessName = powershell.exe and a CommandLine containing compliance, audit, or report only to establish which job wrote it, not as grounds to suppress the alert.
Scenario: Admin Performing Disk Cleanup or File Integrity Check
Description: DISM or CheckDisk touches many files, which can cause a file scanner to re-examine them, but the rule evaluates file contents only; DISM.exe and chkdsk.exe are Microsoft-signed binaries that are not expected to contain the rule's strings.
Filter/Exclusion: Treat a hit that coincides with ProcessName = DISM.exe or ProcessName = chkdsk.exe as a finding about the scanned file, not about the maintenance tool: exclude only files whose signature validates, and keep any unsigned or unexpected PE that surfaced during maintenance.
Scenario: Legitimate Use of Mimikatz for Credential Harvesting (for Security Testing)
Description: Mimikatz does not carry these two strings, so a hit during authorised security testing more likely comes from the testers using the leaked EquationGroup binaries themselves, or another tool that emits the same status messages, rather than from Mimikatz.
Filter/Exclusion: Confirm the hit falls inside an authorised testing window and that the file hash is on the engagement's declared tool list; filtering on ProcessName = mimikatz.exe or on Mimikatz in the command line does not explain this rule's match and should not be used to suppress it.
Scenario: Antivirus or EDR Tool Performing File Scanning
Description: Antivirus or EDR tools like Microsoft Defender, CrowdStrike, or SentinelOne do not cause matches merely by scanning; their quarantine stores and sample collections can, however, hold the raw bytes of detected malware, including these strings, and a YARA sweep over those locations will match them.
Filter/Exclusion: Filter by ProcessName containing `mpengine