The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 {
meta:
description = "Detects EquationGroup Tool - April Leak"
author = "Florian Roth"
reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
date = "2017-04-15"
super_rule = 1
hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
hash3 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
hash4 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
hash5 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
strings:
$x1 = "Target is vulnerable" fullword ascii
$x2 = "Target is NOT vulnerable" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes where the command line includes schtasks.exe and the task is known to be part of standard maintenance routines (e.g., cleanmgr.exe, defrag.exe).
Scenario: Microsoft Equation Group Tool (Legitimate Use)
Description: A legitimate use of the Equation Group tool by IT administrators for system diagnostics or configuration.
Filter/Exclusion: Exclude processes where the file path is within Microsoft’s trusted directories (e.g., C:\Windows\System32\) and the process is associated with known Microsoft diagnostic tools.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Windows Defender or Malwarebytes performing a full system scan, which may trigger similar behavior to the EquationGroup tool.
Filter/Exclusion: Exclude processes where the executable name matches known antivirus tools (e.g., MsMpEng.exe, mbam.exe) or where the process is initiated by a scheduled scan task.
Scenario: PowerShell Script for System Configuration
Description: A PowerShell script run by an administrator to configure system settings, which may include similar command-line arguments or file operations as the EquationGroup tool.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script path is known to be part of enterprise configuration management (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Log Management or Monitoring Tool Execution
Description: A log management tool like Splunk or ELK Stack running a script to process or analyze system