The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17__ELV_ESKE_13 {
meta:
description = "Detects EquationGroup Tool - April Leak"
author = "Florian Roth"
reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
date = "2017-04-15"
super_rule = 1
hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
strings:
$x1 = "Skip call to PackageRideArea(). Payload has already been packaged. Options -x and -q ignored." fullword ascii
$s2 = "ERROR: pGvars->pIntRideAreaImplantPayload is NULL" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Legitimate system update using msiexec.exe
Filter/Exclusion: process.name != "msiexec.exe" or process.name contains "update"
Scenario: Scheduled backup job using vssadmin.exe
Filter/Exclusion: process.name contains "vssadmin" or process.name contains "backup"
Scenario: Admin task using taskhost.exe for scheduled tasks
Filter/Exclusion: process.name contains "taskhost" or process.parent.name contains "schtasks"
Scenario: Network discovery using net.exe or nbtstat.exe
Filter/Exclusion: process.name contains "net" or process.name contains "nbtstat"
Scenario: Legitimate software installation using msiexec.exe or setup.exe
Filter/Exclusion: process.name contains "setup" or process.name contains "msiexec" and process.command_line contains "/i"