The hypothesis is that a hit on the EquationGroup Tool - April Leak rule indicates possible adversary use of legacy tooling from the Shadow Brokers' April 2017 release, associated with an advanced persistent threat. Because these binaries are old and well known, a match is rarely noise: it is either a left-over artefact of an earlier intrusion or an actor reusing leaked tooling. A SOC team should proactively hunt for this in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate long-lived, stealthy intrusions that evaded traditional detection.
YARA Rule
rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
        hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
        hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
        hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
    strings:
        $x1 = "** SendAndReceive ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii
        $s8 = "Binding to RPC Interface %s over named pipe" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them )
}
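To make the condition concrete, here is an added example (not code from the page, from Florian Roth's signature-base, or from YARA itself) that re-implements just this rule's logic in pure Python: the little-endian uint16(0) == 0x5a4d check is the ASCII byte pair "MZ", filesize < 2000KB uses YARA's 1024-byte KB, fullword means the string is not bordered by alphanumeric bytes, and 1 of them means either string suffices. The sample inputs are constructed stand-ins, not real samples, and the classify() verdict names and the assumption that a hash listed in the rule's meta should never be suppressed by a process-name exclusion are this example's own.

```python
import hashlib
import re

# SHA-256 values copied verbatim from the rule's meta section above.
KNOWN_HASHES = {
    "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f",
    "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556",
    "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674",
    "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337",
}

# The rule's two 'fullword ascii' strings, keyed by their YARA identifiers.
PATTERNS = {
    "$x1": b"** SendAndReceive ** - EXCEPTION_EXECUTE_HANDLER",
    "$s8": b"Binding to RPC Interface %s over named pipe",
}

MAX_SIZE = 2000 * 1024  # 'filesize < 2000KB'; YARA's KB suffix means 1024 bytes


def fullword_search(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the string must not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> list[str]:
    """Identifiers of the rule's strings present in data (header/size gates ignored)."""
    return [name for name, needle in PATTERNS.items() if fullword_search(data, needle)]


def rule_matches(data: bytes) -> bool:
    """The rule's condition: uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them."""
    # uint16(0) is read little-endian, so 0x5a4d is the byte pair b"MZ".
    if data[:2] != b"MZ":
        return False
    if len(data) >= MAX_SIZE:
        return False
    return len(matched_strings(data)) >= 1


def classify(data: bytes) -> str:
    """Triage verdict (verdict names are this example's own).

    A file whose SHA-256 is in the rule's meta is a confirmed leak sample and must
    never be suppressed by a process-name exclusion; a string-only hit is a candidate
    to validate by pulling the file, hashing it and reviewing the writing process.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_HASHES:
        return "confirmed"
    if rule_matches(data):
        return "candidate"
    return "no-match"


# Constructed inputs (not real samples): minimal stand-ins for scanned files.
FAKE_PE_WITH_X1 = b"MZ" + b"\x90" * 64 + PATTERNS["$x1"] + b"\x00" * 16
LOG_FILE_WITH_S8 = b"2024-01-01 svc: " + PATTERNS["$s8"] + b"\n"           # no MZ header
FAKE_PE_NOT_FULLWORD = b"MZ" + b"\x00" * 8 + b"x" + PATTERNS["$s8"] + b"1"  # alnum-bordered
FAKE_PE_OVERSIZED = b"MZ" + b"\x00" * MAX_SIZE + PATTERNS["$x1"]            # >= 2000KB

SAMPLES = {
    "fake_pe_with_x1": FAKE_PE_WITH_X1,
    "log_file_with_s8": LOG_FILE_WITH_S8,
    "fake_pe_not_fullword": FAKE_PE_NOT_FULLWORD,
    "fake_pe_oversized": FAKE_PE_OVERSIZED,
}


def scan_samples() -> dict[str, str]:
    """Run classify() over the constructed inputs and return name -> verdict."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:22s} {verdict:10s} strings={matched_strings(SAMPLES[name])}")
```

Only the first constructed file fires: the log line carries $s8 but lacks the MZ header, the third embeds $s8 between alphanumeric bytes so fullword rejects it, and the fourth exceeds 2000KB. The same gates explain why hunting the rule's strings with a plain text search (for example over process command lines) produces hits the rule itself would not.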
The rule contains 2 string patterns in its detection logic: the high-confidence marker $x1 and the supporting string $s8. It fires on any file that starts with the MZ header, is smaller than 2000KB and contains either string as a whole word, so it matches file content only; it knows nothing about the process that wrote the file, its command line or its network activity. The scenarios below describe benign activity whose files can surface alongside a hit in Sentinel and how to filter the surrounding process telemetry. Apply such exclusions only to string-only hits that have been validated: a file whose SHA-256 equals one of the four hashes in the rule's meta is a confirmed leak sample and must never be suppressed because of the process that touched it.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task executes a script or tool whose file content contains one of the rule's strings (e.g., schtasks.exe launching a maintenance script that embeds the same literal text).
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler in the process tree, and exclude tasks with known maintenance scripts (e.g., Cleanup-SystemTemp.ps1) only after confirming the matched file's hash is not one of the four in the rule's meta.
Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job stages update packages and servicing binaries with wusa.exe or dism.exe, and a scan of those freshly written files may report a string hit.
Filter/Exclusion: Exclude hits where the writing process is wusa.exe or dism.exe, or where ParentProcessName is svchost.exe or taskhost.exe, after checking that the matched file is a signed Microsoft binary rather than one of the hashed samples.
Scenario: Database Backup or Restore Operation
Description: A database backup tool like sqlbackup.exe or mysqldump.exe writes large dump files, and a dump of a database that stores the rule's strings (e.g., a malware-analysis or threat-intel table) may trigger a string hit.
Filter/Exclusion: Exclude hits where the writing process is sqlbackup.exe, mysqldump.exe, or mysql.exe, and filter by destination paths like C:\Program Files\MySQL\ or C:\Program Files\Microsoft SQL Server\. A dump file will not carry an MZ header, so a hit there usually means a PE was dropped into the backup directory and should be reviewed, not excluded.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like mpcmdrun.exe (Microsoft Defender) or avgscan.exe may trigger the rule because its signature database, scan cache or quarantine store contains the same strings, or because the scanner is the process reading a genuinely malicious file.
Filter/Exclusion: Do not exclude on the scanner's process name alone (mpcmdrun.exe, avgscan.exe, or microsoft defender), since the scanner reading a malicious file is the detection working; instead filter hits whose file path is inside known antivirus directories (e