The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f4b958a0d3bb52cb34f18ea293d43fa301ceadb4a259d3503db912d0a9a1e4d8"
   strings:
      $x1 = "[!] A vulnerable target will not respond." fullword ascii
      $x2 = "[-] Target NOT Vulernable" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 30KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule uses two string patterns ($x1 and $x2) in its detection logic, and fires on a PE file (MZ header) smaller than 30KB that contains at least one of them as a fullword ASCII match.
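As an added example (not part of the original page or the rule author's tooling), the following Python re-implements this rule's condition, including YARA's fullword semantics, and evaluates it over constructed byte buffers to show which inputs the rule will and will not match. The sample buffers are constructed for illustration and are not real files.

```python
import re

# Strings copied verbatim from the rule above; the "Vulernable" spelling is
# part of the tool's own output and must not be "corrected".
RULE_STRINGS = {
    "$x1": b"[!] A vulnerable target will not respond.",
    "$x2": b"[-] Target NOT Vulernable",
}
MAX_FILESIZE = 30 * 1024  # YARA's "30KB" means 30 * 1024 bytes


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Mirror the condition: uint16(0) == 0x5a4d and filesize < 30KB and 1 of them."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = [name for name, s in RULE_STRINGS.items() if fullword_match(data, s)]
    return {
        "matched": is_mz and size_ok and len(hits) >= 1,
        "is_mz": is_mz,
        "size_ok": size_ok,
        "hits": hits,
    }


# Constructed samples (assumptions, not real binaries):
SAMPLE_HIT = b"MZ" + b"\x00" * 64 + RULE_STRINGS["$x2"] + b"\x00" * 16
# Same string, but glued to alphanumerics on both sides: fails "fullword".
SAMPLE_EMBEDDED = b"MZ" + b"\x00" * 16 + b"x" + RULE_STRINGS["$x2"] + b"9"
# A script that merely mentions the string: no MZ header, so no match.
SAMPLE_SCRIPT = b"#!/bin/sh\necho '" + RULE_STRINGS["$x1"] + b"'\n"
# Correct header and string, but at or above 30KB: filesize check fails.
SAMPLE_LARGE = b"MZ" + RULE_STRINGS["$x1"] + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("embedded", SAMPLE_EMBEDDED),
                       ("script", SAMPLE_SCRIPT), ("large", SAMPLE_LARGE)):
        print(label, evaluate_rule(buf))
```

The embedded and large cases are the ones worth keeping in mind when triaging: a string sighting in a log or script is not a rule match, and the size bound means a repacked or padded copy of the tool would not trip this rule.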
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance job names (e.g., Cleanup-System-Resources).
Scenario: Admin PowerShell Script Execution
Description: An administrator may run a PowerShell script using powershell.exe that includes similar command patterns to the EquationGroup tool, such as Invoke-Command or Start-Process.
Filter/Exclusion: Exclude processes where the command line includes -Command or -File with known admin scripts (e.g., C:\Windows\System32\scripts\maintenance.ps1).
Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job using wusa.exe or dism.exe may generate similar network activity or file access patterns.
Filter/Exclusion: Exclude processes associated with wusa.exe or dism.exe during scheduled update windows.
Scenario: Log Management Tool Configuration
Description: A log management tool like Splunk or ELK Stack may execute scripts or binaries that resemble EquationGroup behavior when configuring data ingestion.
Filter/Exclusion: Exclude processes initiated by splunk.exe, logstash.exe, or kibana.exe with known configuration tasks.
Scenario: Antivirus or EDR Agent Activity
Description: Antivirus or EDR agents (e.g., Microsoft Defender, CrowdStrike, SentinelOne) may perform similar actions to the EquationGroup tool, such as file scanning or process monitoring.
Filter/Exclusion: Exclude processes associated with