The hypothesis is that a match on this rule indicates a file on a monitored host containing strings from the EquationGroup toolset published in the April 2017 Shadow Brokers "Lost in Translation" leak, here the Emphasismine tool. The rule's strings reference shellcode generation, an IMAP "OK LOGOUT completed" response and a Domino version check, which is consistent with an exploitation tool rather than a persistent implant, so the rule should not be read as a persistence detection. Tooling of this age may have sat on hosts for years without tripping signature-based antivirus, so SOC teams should hunt for it proactively in Azure Sentinel, for example by pivoting on the file hashes and paths reported by the endpoint scanner, rather than wait for an alert.
YARA Rule
rule EquationGroup_Toolset_Apr17__Emphasismine {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b"
      hash2 = "348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26"
   strings:
      $x1 = "Error: Could not calloc() for shellcode buffer" fullword ascii
      $x2 = "shellcodeSize: 0x%04X + 0x%04X + 0x%04X = 0x%04X" fullword ascii
      $x3 = "Generating shellcode" fullword ascii
      $x4 = "([0-9a-zA-Z]+) OK LOGOUT completed" fullword ascii
      $x5 = "Error: Domino is not the expected version. (%s, %s)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This rule contains 5 string patterns ($x1 to $x5) in its detection logic, and any one of them is enough: the condition requires an MZ header (uint16(0) == 0x5a4d, the little-endian "MZ" DOS stub), a file size under 100 KB and "1 of them". A single benign PE under 100 KB that happens to embed one of these strings will therefore match, which is why the exclusions below should be keyed on the matched file's hash rather than on the process that touched it. All five strings are double-quoted literals with the fullword modifier, so $x4 matches the characters "([0-9a-zA-Z]+)" verbatim, not as a regular expression, and a string bordered by alphanumerics (for example as part of a longer identifier) does not match.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task launched through schtasks.exe or Task Scheduler runs a maintenance script, and a small binary that the task writes or touches is the file the scanner matched. The rule inspects file contents, so the task is context for triage, not the cause of the match.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler and exclude tasks with known maintenance scripts (e.g., Cleanup-SystemTemp or DiskCleanup), but only after confirming the matched file's hash against a known-good copy and noting which $x string fired.
Scenario: Windows Update Installer
Description: A file written or updated by the Windows Update client (wuauclt.exe) is flagged. A YARA match does not come from "similar process behavior"; it means a binary delivered through Windows Update contains one of the five strings, which is unlikely, and a legitimate update will not share hash1 or hash2.
Filter/Exclusion: Exclude processes with ProcessName containing wuauclt.exe or WindowsUpdate and filter by ParentProcessName like explorer.exe or svchost.exe only after verifying the flagged file's hash and Microsoft signature; wuauclt.exe and svchost.exe are common names for masquerading, so a process-name exclusion on its own is unsafe.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like Kaspersky, Bitdefender, or Malwarebytes may trigger the rule when its own files are scanned: signature databases, quarantine stores and test binaries routinely contain strings copied from malware, and a small PE in the product's directory that carries one of the five strings would match. The MZ header and 100 KB size limits in the condition narrow this, but do not rule it out.
Filter/Exclusion: Exclude processes with ProcessName matching the antivirus tool (e.g., kavsvc.exe, mbam.exe) or, preferably, use a FileHash exclusion for known antivirus binaries and scope the scanner away from the product's quarantine path.
Scenario: PowerShell Script for System Configuration
Description: A PowerShell script running under powershell.exe writes or stages a small PE that matches. The script text itself cannot match: a .ps1 file has no MZ header, and none of the five strings relates to .NET types such as System.Collections.Generic.List.
Filter/Exclusion: Pivot on CommandLine containing -Command or -File to identify the script, then exclude by the dropped file's hash if it is a known system-management payload; do not exclude on ProcessName containing powershell.exe alone.
Scenario: Microsoft Deployment Toolkit (MDT) Task Sequence
Description: A deployment task sequence from MDT copies and installs many small binaries, and one of them is flagged. This is a file-content match, not a resemblance in file operations or registry access, so verify the matched string and the file's hash against the copy in the deployment share.
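To make the matching semantics behind the rule and the false-positive scenarios above concrete, here is an added Python example (not part of the original page or of the rule author's signature-base project) that re-implements this rule's condition: the MZ header check, the 100 KB size limit, YARA's fullword ascii boundary semantics, and the fact that $x4 is a literal rather than a regular expression. The sample inputs are constructed inline and are not real Emphasismine binaries; the hash check against hash1/hash2 is a separate hunt pivot that the YARA condition itself does not use. Production scanning should run the yara tool against the rule text above; this script is for understanding and testing the logic offline.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List

# Strings and hashes copied from the rule above. YARA double-quoted strings are
# byte literals, so "$x4" below matches the characters "([0-9a-zA-Z]+)" verbatim;
# it is not a regular expression.
RULE_STRINGS = {
    "$x1": b"Error: Could not calloc() for shellcode buffer",
    "$x2": b"shellcodeSize: 0x%04X + 0x%04X + 0x%04X = 0x%04X",
    "$x3": b"Generating shellcode",
    "$x4": b"([0-9a-zA-Z]+) OK LOGOUT completed",
    "$x5": b"Error: Domino is not the expected version. (%s, %s)",
}
KNOWN_HASHES = {  # hash1 / hash2 from the rule's meta section
    "dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b",
    "348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26",
}
MAX_SIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'fullword ascii': the literal may not be bordered by an
    alphanumeric character on either side."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


@dataclass
class Verdict:
    matched: bool
    reason: str
    sha256: str
    strings: List[str] = field(default_factory=list)


def evaluate(data: bytes) -> Verdict:
    """Apply the rule's condition: uint16(0) == 0x5a4d and filesize < 100KB and 1 of them."""
    sha = hashlib.sha256(data).hexdigest()
    # uint16(0) == 0x5a4d reads the first two bytes little-endian, i.e. the ASCII "MZ"
    # DOS header. Scripts, logs and signature databases fail here whatever they contain.
    if data[:2] != b"MZ":
        return Verdict(False, "no MZ header", sha)
    if len(data) >= MAX_SIZE:
        return Verdict(False, "filesize >= 100KB", sha)
    hits = [name for name, s in RULE_STRINGS.items() if fullword_ascii(data, s)]
    if hits:
        return Verdict(True, "1 of them", sha, hits)
    return Verdict(False, "no rule strings present", sha)


def hash_known(data: bytes) -> bool:
    """Separate pivot: does the file hash equal one of the leaked samples in the rule's meta?"""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


# Constructed test inputs (not real Emphasismine binaries): "MZ" plus filler so the
# header check passes, followed by the string under test.
FILLER = b"\x00" * 62
SAMPLE_PE_HIT = b"MZ" + FILLER + b"Generating shellcode\x00"
SAMPLE_PE_EMBEDDED = b"MZ" + FILLER + b"xGenerating shellcodeY\x00"      # fails fullword
SAMPLE_PE_LITERAL = b"MZ" + FILLER + b"(abc123) OK LOGOUT completed\x00"  # $x4 is not a regex
SAMPLE_SCRIPT = b"# constructed .ps1 text\nWrite-Host 'Generating shellcode'\n"  # no MZ
SAMPLE_OVERSIZE = SAMPLE_PE_HIT + b"\x00" * MAX_SIZE                      # string present, too big


if __name__ == "__main__":
    for name, blob in [("pe_hit", SAMPLE_PE_HIT), ("pe_embedded", SAMPLE_PE_EMBEDDED),
                       ("pe_literal", SAMPLE_PE_LITERAL), ("script", SAMPLE_SCRIPT),
                       ("oversize", SAMPLE_OVERSIZE)]:
        v = evaluate(blob)
        print(f"{name:12} matched={v.matched!s:5} reason={v.reason!r} "
              f"strings={v.strings} known_hash={hash_known(blob)}")
```

Only the first sample matches. The PowerShell text fails on the header check even though it contains "Generating shellcode", the embedded variant fails fullword because the literal is bordered by letters, and the "(abc123) OK LOGOUT completed" sample shows that $x4 only fires on the exact literal. When triaging a real hit, record which $x string fired and the SHA-256 from the verdict; those two values are what an exclusion should be keyed on.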