The hypothesis is that a match on this rule indicates the presence of Erraticgopher, an exploit tool from the EquationGroup April 2017 leak (the Shadow Brokers "Lost in Translation" release) whose status strings show it sending an exploit request to the Dimsvc RPC interface. A copy on disk suggests an adversary may be staging, or has already used, a previously disclosed toolkit for system compromise and possible follow-on data exfiltration. A SOC team should proactively hunt for this file and the process activity around it in Azure Sentinel to identify and contain advanced persistent threats that may already be inside the network.
YARA Rule
rule EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052"
   strings:
      $x1 = "[-] Error appending shellcode buffer" fullword ascii
      $x2 = "[-] Shellcode is too big" fullword ascii
      $x3 = "[+] Exploit Payload Sent!" fullword ascii
      $x4 = "[+] Bound to Dimsvc, sending exploit request to opnum 29" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns ($x1 to $x4) in its detection logic. The condition requires all three of: the file starts with the MZ header (uint16(0) == 0x5a4d, i.e. a Windows executable), the file is smaller than 150 KB, and at least one of the four strings appears as a fullword ASCII match (not immediately adjacent to another alphanumeric character). The strings are distinctive exploit status messages, so legitimate administrative tools do not contain them, and a plain-text copy of the rule itself (for example in a detection repository) does not match because it lacks the MZ header. A hit therefore means a copy of the tool is present; the scenarios below describe benign activity that the surrounding process-level hunt in Sentinel may surface, not false positives of the YARA match itself.
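To make the condition concrete, the following is an added example (not code from the original page or from the rule author) that emulates the rule's logic in plain Python, without the yara library, and runs it over constructed byte blobs: a small MZ file carrying one status string, a text copy of the rule, an oversized executable, and a string glued to alphanumerics that fails the fullword test. The sample blobs are constructed for illustration and are not real leak files.

```python
import struct

# The four $x strings from EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1, verbatim.
RULE_STRINGS = {
    "$x1": b"[-] Error appending shellcode buffer",
    "$x2": b"[-] Shellcode is too big",
    "$x3": b"[+] Exploit Payload Sent!",
    "$x4": b"[+] Bound to Dimsvc, sending exploit request to opnum 29",
}
MAX_FILESIZE = 150 * 1024  # YARA's "150KB" means 150 * 1024 bytes


def _is_alnum(byte: int) -> bool:
    """ASCII alphanumeric test used for YARA's fullword boundary check."""
    return (0x30 <= byte <= 0x39) or (0x41 <= byte <= 0x5A) or (0x61 <= byte <= 0x7A)


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Offsets where needle occurs delimited by non-alphanumeric bytes (YARA fullword)."""
    found = []
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        before_ok = pos == 0 or not _is_alnum(data[pos - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def evaluate_rule(data: bytes) -> dict:
    """Emulate: uint16(0) == 0x5a4d and filesize < 150KB and 1 of them."""
    has_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = {name: offs for name, s in RULE_STRINGS.items() if (offs := fullword_offsets(data, s))}
    return {"match": has_mz and size_ok and bool(hits), "mz": has_mz, "size_ok": size_ok, "strings": hits}


# Constructed samples (not real leak files): an MZ stub plus padding plus one status string.
SAMPLES = {
    # A small executable carrying one of the status strings: the only case that should match.
    "tool_like": b"MZ" + b"\x90" * 64 + RULE_STRINGS["$x4"] + b"\x00" * 16,
    # A text copy of the rule itself, e.g. in a detection repo: string present, no MZ header.
    "rule_text": b'$x3 = "[+] Exploit Payload Sent!" fullword ascii',
    # An executable over the size cap that happens to contain a string.
    "oversized": b"MZ" + b"\x00" * MAX_FILESIZE + RULE_STRINGS["$x2"],
    # The string glued to alphanumerics on both sides: fails the fullword test.
    "not_fullword": b"MZ" + b"x" + RULE_STRINGS["$x2"] + b"x",
}


def scan_samples() -> dict:
    """Map each sample name to whether the rule would match it."""
    return {name: evaluate_rule(blob)["match"] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:13s} match={result}")
```

Only the tool-like blob matches; the rule-text copy has the string but no MZ header, the oversized file fails the size check, and the glued string is rejected by the fullword boundary test. Use the real yara-python bindings for production scanning; this emulation exists to show exactly which of the three clauses rejects a given file.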
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance job created or launched through schtasks.exe, such as clearing temporary files or applying system settings. This is routine process activity that a broad hunt may surface; the binary does not contain the rule's strings.
Filter/Exclusion: ProcessName contains schtasks.exe and CommandLine contains /create or /run together with a known, allowlisted maintenance script path.
Scenario: Admin Performing Disk Cleanup
Description: An administrator running cleanmgr.exe (Disk Cleanup), whose bulk file deletion can resemble post-exploitation cleanup in file-activity telemetry.
Filter/Exclusion: ProcessName equals cleanmgr.exe and the process runs under an administrator account; cleanmgr.exe launched by a non-administrator account stays in scope.
Scenario: Antivirus or EDR Scan
Description: Microsoft Defender Antivirus (formerly Windows Defender, engine process MsMpEng.exe) performing a full system scan, which reads large numbers of files and can generate similar file and network activity.
Filter/Exclusion: ProcessName contains MsMpEng.exe and ParentProcessName is a known security-tool or service-host process.
Scenario: PowerShell Script for Log Management
Description: A legitimate PowerShell script run by the IT department to rotate or archive system logs, which reads, compresses and deletes log files in bulk.
Filter/Exclusion: ProcessName equals powershell.exe and CommandLine contains -Command or -File referencing a known, allowlisted log management script.
Scenario: Backup Job Execution
Description: A backup tool such as Veeam.exe or Acronis.exe running a scheduled job that reads large parts of the file system, producing file access patterns that a broad hunt may flag.
Filter/Exclusion: Filter by ProcessName containing `Veeam.exe
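The exclusions in the scenarios above, expressed as a triage filter over process-creation rows, are given here as an added example; this is not code from the original page or from any Sentinel content pack. Field names mirror common Sentinel process tables, the allowlisted script paths, the security-parent list and the IsAdmin flag are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation row; field names mirror common Sentinel process tables (assumed)."""
    ProcessName: str          # full image path
    CommandLine: str
    ParentProcessName: str    # full image path of the parent
    Account: str
    IsAdmin: bool             # assumed: resolved from group membership before triage


# Allowlists are assumptions for illustration; populate them from your own environment.
KNOWN_MAINTENANCE_SCRIPTS = (r"c:\scripts\cleantemp.ps1",)
KNOWN_LOG_SCRIPTS = (r"c:\scripts\rotatelogs.ps1",)
KNOWN_SECURITY_PARENTS = ("services.exe", "msmpeng.exe")  # MsMpEng.exe is started by services.exe
BACKUP_AGENTS = ("veeam.exe", "acronis.exe")              # names as used in the scenarios above


def _image(path: str) -> str:
    """Lower-cased file name of an image path, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _mentions(cmdline: str, paths) -> bool:
    """True if the command line references any allowlisted script path."""
    return any(p in cmdline.lower() for p in paths)


# Each scenario becomes (label, predicate); a true predicate means "expected, suppress".
EXCLUSIONS = [
    ("Scheduled System Maintenance Task",
     lambda e: _image(e.ProcessName) == "schtasks.exe"
     and any(f in e.CommandLine.lower() for f in ("/create", "/run"))
     and _mentions(e.CommandLine, KNOWN_MAINTENANCE_SCRIPTS)),
    ("Admin Performing Disk Cleanup",
     lambda e: _image(e.ProcessName) == "cleanmgr.exe" and e.IsAdmin),
    ("Antivirus or EDR Scan",
     lambda e: _image(e.ProcessName) == "msmpeng.exe"
     and _image(e.ParentProcessName) in KNOWN_SECURITY_PARENTS),
    ("PowerShell Script for Log Management",
     lambda e: _image(e.ProcessName) == "powershell.exe"
     and any(f in e.CommandLine.lower() for f in ("-command", "-file"))
     and _mentions(e.CommandLine, KNOWN_LOG_SCRIPTS)),
    ("Backup Job Execution",
     lambda e: _image(e.ProcessName) in BACKUP_AGENTS),
]


def classify(event: ProcessEvent):
    """Return the label of the first matching exclusion, or None if the event stays in scope."""
    for label, matches in EXCLUSIONS:
        if matches(event):
            return label
    return None


def triage(events) -> list:
    """Events that survive every exclusion, i.e. what an analyst still has to look at."""
    return [e for e in events if classify(e) is None]


# Constructed sample rows: three routine, two that should stay in scope.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN CleanTemp /TR "powershell -File C:\Scripts\CleanTemp.ps1"',
                 r"C:\Windows\System32\svchost.exe", "CORP\\svc_maint", True),
    ProcessEvent(r"C:\Windows\System32\cleanmgr.exe", "cleanmgr.exe /sagerun:1",
                 r"C:\Windows\explorer.exe", "CORP\\jdoe", False),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\lm.ps1",
                 r"C:\Windows\System32\cmd.exe", "CORP\\jdoe", False),
    ProcessEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                 "MsMpEng.exe", r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM", True),
    # Image name matches the backup allowlist but runs from a user temp directory: suppressed
    # by a name-only filter, which is the weakness of matching on ProcessName alone.
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Temp\Veeam.exe", "Veeam.exe -x",
                 r"C:\Windows\System32\cmd.exe", "CORP\\jdoe", False),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{_image(ev.ProcessName):15s} -> {classify(ev) or 'IN SCOPE'}")
```

The non-administrator Disk Cleanup and the PowerShell run against an unknown script survive triage, as the scenarios intend. The last row shows why these exclusions should be tightened before deployment: a binary renamed to Veeam.exe in a user profile inherits the backup exclusion because the filter keys on image name only, so pin each exclusion to the expected installation path and, where available, the signer.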