The hypothesis is that a match on the EquationGroup Tool - April Leak signature indicates that an adversary has staged or run a component of the Equation Group toolkit published by the Shadow Brokers in April 2017 (here the Englishmansdentist tool named in the rule), which could be used for persistence or data exfiltration. SOC teams should hunt for this in Azure Sentinel, keeping in mind that Sentinel does not evaluate YARA rules itself: the practical inputs are YARA matches forwarded from endpoint or file-scanning tooling, plus the SHA-256 in the rule's hash1 field, which can be searched directly in ingested file and process telemetry.
YARA Rule
rule EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "2a6ab28885ad7d5d64ac4c4fb8c619eca3b7fb3be883fc67c90f3ea9251f34c6"
   strings:
      $x1 = "[+] CheckCredentials(): Checking to see if valid username/password" fullword ascii
      $x2 = "Error connecting to target, TbMakeSocket() %s:%d." fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
This YARA rule is applied to file content (on-disk binaries, collected samples, memory or disk images), not to process or network telemetry.
The rule contains 2 string patterns in its detection logic. The condition requires all three of the following: the first two bytes read little-endian as 0x5a4d (the "MZ" header of a PE file), a file size under 200KB (200 * 1024 bytes), and at least one of the two ASCII strings present as a whole word (fullword: not adjacent to an alphanumeric byte). Both strings are status messages specific to the leaked tool, so an incidental match in legitimate software is unlikely.
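As an added example (not part of the original page or of the signature-base rule set), the rule's condition re-implemented in plain Python so its match semantics can be checked against constructed byte strings without a YARA install: uint16(0) == 0x5a4d as a little-endian read of the first two bytes, 200KB as 200 * 1024 bytes, and fullword as "not adjacent to an alphanumeric byte". All sample inputs are constructed, not real binaries. In production the rule is compiled and run by YARA itself (for example via yara-python); this is a reference implementation for understanding what the rule does and does not see.

```python
"""Reference re-implementation of EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0.

Added illustration, not the rule engine: it mirrors the rule's condition so the
match semantics can be exercised on constructed input without yara-python.
"""
import re
import struct

# The two ASCII strings from the rule, kept verbatim.
RULE_STRINGS = {
    "$x1": b"[+] CheckCredentials(): Checking to see if valid username/password",
    "$x2": b"Error connecting to target, TbMakeSocket() %s:%d.",
}
# YARA's "200KB" is 200 * 1024 bytes; the rule's comparison is strict less-than.
MAX_FILESIZE = 200 * 1024


def _fullword(s: bytes) -> re.Pattern:
    # YARA 'fullword' modifier: the match may not be preceded or followed by
    # an alphanumeric byte ([A-Za-z0-9]); start and end of data count as boundaries.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> list:
    """Names of the $x strings present in data, with fullword semantics."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 200KB and 1 of them."""
    # uint16(0) is a little-endian read of bytes 0-1; 0x5a4d is b"MZ".
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= 1


def scan_file(path: str) -> bool:
    """Apply the rule to a file on disk (the only thing the rule ever sees)."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# --- Constructed samples (synthetic bytes, not real binaries) ---------------

def sample_hit() -> bytes:
    # Minimal MZ stub followed by one of the tool's status strings.
    return (b"MZ" + b"\x90" * 0x3E + b"PE\x00\x00" + b"\x00" * 200
            + RULE_STRINGS["$x2"] + b"\x00" * 64)


def sample_not_pe() -> bytes:
    # A text log quoting the string: no MZ header, so the rule cannot fire.
    return b"log: " + RULE_STRINGS["$x1"] + b"\n"


def sample_too_large() -> bytes:
    # MZ header and string present, but filesize >= 200KB.
    return b"MZ" + b"\x00" * MAX_FILESIZE + RULE_STRINGS["$x1"]


def sample_not_fullword() -> bytes:
    # String immediately followed by an alphanumeric byte: fullword fails.
    return b"MZ" + b"\x00" * 64 + RULE_STRINGS["$x1"] + b"X" + b"\x00" * 16


if __name__ == "__main__":
    cases = [("hit", sample_hit), ("not_pe", sample_not_pe),
             ("too_large", sample_too_large), ("not_fullword", sample_not_fullword)]
    for name, fn in cases:
        data = fn()
        print(f"{name:13s} match={rule_matches(data)!s:5s} strings={matched_strings(data)}")
```

The three negative samples are the cases that matter when triaging: a log or script that quotes the string is not a PE and cannot match, an oversized file containing the string is skipped by the filesize guard, and a string glued to other alphanumeric text fails fullword. Nothing in the evaluation depends on which process wrote the file or what its command line was.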
Scenario: Legitimate System Update via Windows Update
Description: Windows Update writes large numbers of new PE files in a short window, so a scanner that runs on file writes sees a burst of scan activity. The update components do not carry the tool's status strings, so a genuine match in that burst is not expected noise and should be treated as a finding.
Filter/Exclusion: Do not exclude on the parent process (svchost.exe) or the updater's command line (wuauclt.exe): YARA evaluates file bytes and never sees the writing process. If a matched file appears to belong to an update, validate its Authenticode signature and compare its SHA-256 with the rule's hash1 before closing the alert.
Scenario: Scheduled Job Running Microsoft Baseline Security Analyzer (MBSA)
Description: MBSA (mbsacli.exe, mbsa.exe) generates network traffic while fetching update catalogs and scanning hosts. This rule does not inspect network activity, and the MBSA binaries do not contain either string, so the job itself cannot trigger it.
Filter/Exclusion: No process- or command-line exclusion is needed. If MBSA's own executables are ever flagged, verify the Microsoft signature and hash rather than suppressing the scan path.
Scenario: Admin Performing PowerShell Script for Patch Management
Description: PowerShell scripts are text files; they do not start with an MZ header and so fail the uint16(0) == 0x5a4d test regardless of their content or command-line arguments. The rule can only fire on a PE file that such a script downloads or drops.
Filter/Exclusion: None. Excluding powershell.exe or script paths such as PatchManagement.ps1 would only hide a dropped binary that did match.
Scenario: Legitimate Use of Microsoft Defender ATP for Threat Hunting
Description: Defender ATP's queries to Microsoft's threat-intelligence services are network activity and lie outside what a file-content rule evaluates. Its own binaries are Microsoft-signed and do not contain the strings.
Filter/Exclusion: None based on process name or command line. A match reported on a host running Defender ATP should be traced to the specific file that matched, not attributed to the security product.
Scenario: Backup Job Using Veeam or Acronis
Description: Backup agents read and copy many files, and a YARA scan over a backup repository, a mounted backup or a restored volume reports the same matches as the source files did. The agents' network protocols and connection patterns are not evaluated by this rule.
Filter/Exclusion: Do not exclude the backup processes. When a match comes from backup data, resolve the original host and path of the file; the hit is evidence about the source system, not about the backup tool.