The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware variant associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated attackers using legacy or repurposed malware.
YARA Rule

rule EquationGroup_Toolset_Apr17_EpWrapper {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "a8eed17665ee22198670e22458eb8c9028ff77130788f24f44986cce6cebff8d"
    strings:
        $x1 = "* Failed to get remote TCP socket address" fullword wide
        $x2 = "* Failed to get 'LPStart' export" fullword wide
        $s5 = "Usage: %ls <logdir> <dll_search_path> <dll_to_load_path> <socket>" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them )
}
This rule contains 3 string patterns ($x1, $x2 and $s5) in its detection logic, all declared fullword wide, so they are matched as UTF-16LE text that is not glued to an alphanumeric character on either side. The condition fires when a file begins with the MZ header (uint16(0) == 0x5a4d), is smaller than 20KB, and contains any one of the three strings.
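To make the rule's semantics concrete, here is an added example (not part of the original page or Florian Roth's rule set) that re-implements the condition in plain Python, including the fullword wide check, and evaluates it against constructed, benign byte buffers; the buffer names and the helper functions are this example's own.

```python
import re

# The three `fullword wide` patterns from the rule's strings section.
WIDE_STRINGS = {
    "$x1": "* Failed to get remote TCP socket address",
    "$x2": "* Failed to get 'LPStart' export",
    "$s5": "Usage: %ls <logdir> <dll_search_path> <dll_to_load_path> <socket>",
}
MAX_FILESIZE = 20 * 1024  # rule condition: filesize < 20KB


def _is_alnum_unit(unit: bytes) -> bool:
    """True if a 2-byte UTF-16LE code unit is an ASCII letter or digit."""
    if len(unit) != 2 or unit[1] != 0:
        return False
    c = unit[0]
    return 48 <= c <= 57 or 65 <= c <= 90 or 97 <= c <= 122


def find_wide_fullword(data: bytes, text: str) -> list:
    """Offsets where `text` occurs UTF-16LE encoded and is not glued to an
    alphanumeric character on either side (YARA's `fullword wide` semantics)."""
    needle = re.escape(text.encode("utf-16-le"))
    hits = []
    for m in re.finditer(needle, data):
        before = data[max(0, m.start() - 2):m.start()]
        after = data[m.end():m.end() + 2]
        if not _is_alnum_unit(before) and not _is_alnum_unit(after):
            hits.append(m.start())
    return hits


def matches_epwrapper(data: bytes) -> dict:
    """Evaluate the rule: MZ header, filesize < 20KB, and 1 of the strings."""
    fired = {n: find_wide_fullword(data, s) for n, s in WIDE_STRINGS.items()}
    fired = {n: offs for n, offs in fired.items() if offs}
    is_mz = data[:2] == b"MZ"  # uint16(0) == 0x5a4d, little-endian
    return {"match": is_mz and len(data) < MAX_FILESIZE and bool(fired),
            "strings": fired}


# Constructed, benign test buffers (not real samples): an MZ header, padding,
# and one of the rule's strings encoded as UTF-16LE.
_PAD = b"\x00" * 62
SAMPLE_HIT = b"MZ" + _PAD + WIDE_STRINGS["$x2"].encode("utf-16-le") + b"\x00\x00"
SAMPLE_GLUED = b"MZ" + _PAD + ("X" + WIDE_STRINGS["$x2"]).encode("utf-16-le")  # fails fullword
SAMPLE_NOT_PE = b"\x7fELF" + _PAD + WIDE_STRINGS["$x1"].encode("utf-16-le")
SAMPLE_TOO_BIG = b"MZ" + b"\x00" * MAX_FILESIZE + WIDE_STRINGS["$s5"].encode("utf-16-le")
```

SAMPLE_GLUED shows why the fullword qualifier matters: the same text preceded by a letter is not reported, and SAMPLE_NOT_PE and SAMPLE_TOO_BIG show the header and size gates rejecting a buffer even though a string is present.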
False-positive scenarios and suggested exclusions

Scenario: Scheduled system maintenance or patching using PowerShell scripts
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-File%'

Scenario: Legitimate use of Windows Task Scheduler to run administrative tasks
Filter/Exclusion: process.name != "schtasks.exe" OR process.args NOT LIKE '%/RU SYSTEM%'

Scenario: Use of Windows Management Instrumentation (WMI) for system monitoring
Filter/Exclusion: process.name != "wmic.exe" OR process.args NOT LIKE '%path%'

Scenario: Execution of Microsoft Sysinternals tools like Process Explorer (procexp.exe) or Procmon
Filter/Exclusion: process.name NOT IN ("procmon.exe", "procexp.exe")

Scenario: Running Windows Update or Group Policy refresh tasks
Filter/Exclusion: process.name != "wuauclt.exe" AND process.name != "gpupdate.exe"