The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of sophisticated, legacy malware often associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term persistence mechanisms that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
        hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
        hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
        hash4 = "e702223ab42c54fff96f198611d0b2e8a1ceba40586d466ba9aadfa2fd34386e"
    strings:
        $x2 = "** CreatePayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
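To make the rule's condition concrete for analysts who triage hits, the following is an added example (not part of the original page or Florian Roth's rule set) that re-expresses the three checks in pure Python: the little-endian `uint16(0) == 0x5a4d` MZ test, the `filesize < 2000KB` bound, and the `fullword ascii` semantics of `$x2`. The sample buffers are constructed filler, not real samples.

```python
import re

# String and size bound copied from the rule; YARA's 2000KB is 2000 * 1024 bytes.
X2 = b"** CreatePayload ** - EXCEPTION_EXECUTE_HANDLER"
MAX_SIZE = 2000 * 1024


def has_fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's `fullword ascii` modifier: the needle may not be
    immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes) -> bool:
    """Pure-Python equivalent of the rule's condition:
    uint16(0) == 0x5a4d and filesize < 2000KB and all of them."""
    if len(data) < 2:
        return False
    # uint16(0) is read little-endian; 0x5a4d is the ASCII header "MZ".
    if int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return has_fullword_ascii(data, X2)


def scan_samples() -> dict:
    """Run the emulated condition over constructed buffers (not malware),
    one per way the rule can succeed or fail."""
    base = b"MZ" + b"\x90" * 62          # MZ header plus filler
    samples = {
        "hit": base + b"\x00" + X2 + b"\x00",        # all three checks pass
        "not_pe": b"PK" + X2,                       # wrong magic
        "too_big": base + X2 + b"\x00" * MAX_SIZE,  # exceeds 2000KB
        "no_string": base + b"nothing interesting here",
        "not_fullword": base + b"xx" + X2 + b"9",   # alphanumeric neighbours
    }
    return {name: matches_rule(buf) for name, buf in samples.items()}
```

Only the `hit` buffer matches; the `not_fullword` case shows why a marker string embedded inside a longer token does not fire the rule.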
Scenario: Legitimate system update using msiexec.exe
Filter/Exclusion: process.name == "msiexec.exe" && process.args contains " /quiet" && process.args contains " /norestart"
Scenario: Scheduled backup job using vssadmin.exe
Filter/Exclusion: process.name == "vssadmin.exe" && process.args contains " ShadowCopyCreate"
Scenario: Admin task using taskkill.exe to terminate a process
Filter/Exclusion: process.name == "taskkill.exe" && process.args contains "/F /IM"
Scenario: Legitimate use of regsvr32.exe to register a DLL
Filter/Exclusion: process.name == "regsvr32.exe" && process.args contains " /s" && process.args contains " <dllname>.dll"
Scenario: PowerShell script running a scheduled maintenance task
Filter/Exclusion: process.name == "powershell.exe" && process.args contains " -Command" && process.args contains "Get-ChildItem" && process.args contains " -Path"