The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary use of advanced persistent threat techniques to exfiltrate data or establish persistence within the network. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging known malware artifacts.
YARA Rule
rule EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "729eacf20fe71bd74e57a6b829b45113c5d45003933118b53835779f0b049bad"
    strings:
        $x1 = "[-] Unable to connect to broswer named pipe, target is NOT vulnerable" fullword ascii
        $x2 = "[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable" fullword ascii
        $x3 = "[+] Bound to Dimsvc, target IS vulnerable" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 30KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns ($x1, $x2, $x3) in its detection logic; the condition fires when any one of them is found as a full word in a file that starts with an MZ (PE) header and is smaller than 30 KB.
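To make the condition concrete, the following is an added example (not part of the original page and not Florian Roth's code) that re-implements the rule's three clauses in plain Python: the little-endian uint16(0) == 0x5a4d header check, the filesize < 30KB limit (YARA's KB is 1024 bytes), and the "fullword ascii" string matches. It runs the logic over a handful of constructed byte blobs (not real binaries) so each clause can be seen accepting or rejecting a file; the sample names and the make_sample helper are assumptions of this example.

```python
import re
import struct

# String patterns copied verbatim from the YARA rule above (including the
# "broswer" spelling the rule actually searches for).
RULE_STRINGS = {
    "$x1": b"[-] Unable to connect to broswer named pipe, target is NOT vulnerable",
    "$x2": b"[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable",
    "$x3": b"[+] Bound to Dimsvc, target IS vulnerable",
}
MAX_FILESIZE = 30 * 1024  # YARA's "30KB" means 30 * 1024 bytes


def fullword_ascii_offsets(data: bytes, needle: bytes) -> list:
    """Emulate YARA's 'fullword ascii' modifier: the match must not be
    immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return [m.start() for m in re.finditer(pattern, data)]


def evaluate_rule(data: bytes):
    """Evaluate the rule's condition
        uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
    and return (matched, [ids of the strings that hit])."""
    # uint16(0) is read little-endian, so 0x5a4d is the ASCII bytes "MZ".
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = [sid for sid, s in RULE_STRINGS.items() if fullword_ascii_offsets(data, s)]
    return (is_mz and size_ok and len(hits) >= 1), hits


def make_sample(payload: bytes, header: bytes = b"MZ", size: int = 4096) -> bytes:
    """Constructed test file (hypothetical helper): header, payload, NUL padding."""
    body = header + b"\x00" * 62 + payload + b"\x00"
    return body.ljust(size, b"\x00")


# Constructed samples (not real binaries) exercising each clause of the condition.
SAMPLES = {
    "pe_with_x3": make_sample(b"[+] Bound to Dimsvc, target IS vulnerable"),
    "elf_with_x3": make_sample(b"[+] Bound to Dimsvc, target IS vulnerable", header=b"\x7fELF"),
    "pe_too_large": make_sample(b"[+] Bound to Dimsvc, target IS vulnerable", size=40 * 1024),
    # String glued to alphanumerics violates 'fullword', so it must not hit.
    "pe_not_fullword": make_sample(b"X[+] Bound to Dimsvc, target IS vulnerableY"),
    "pe_two_strings": make_sample(
        b"[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable\n"
        b"[+] Bound to Dimsvc, target IS vulnerable"
    ),
}


def scan_samples():
    """Run the rule over every constructed sample; returns {name: (matched, hits)}."""
    return {name: evaluate_rule(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (matched, hits) in scan_samples().items():
        print(f"{name:16s} matched={str(matched):5s} strings={hits}")
```

Only "pe_with_x3" and "pe_two_strings" satisfy all three clauses; the ELF sample fails the header check, the 40 KB sample fails the size bound, and the glued string fails the fullword requirement even though the bytes are present. That last case is the one to remember when tuning: a string hit alone is not a rule match.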
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes where ImageLoaded contains schtasks.exe and CommandLine includes /create or /run with a known maintenance task name.
Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup) to free up disk space, which may trigger the rule due to similar process behavior.
Filter/Exclusion: Exclude processes where ImageLoaded is cleanmgr.exe and CommandLine includes /d or /f with a specific drive letter.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool, such as Microsoft Defender or Malwarebytes, performing a full system scan.
Filter/Exclusion: Exclude processes where ImageLoaded contains mpengine.dll or mbam.exe and CommandLine includes /fullscan or /scantype.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script, such as powershell.exe, running a monitoring script for system performance or log analysis.
Filter/Exclusion: Exclude processes where ImageLoaded is powershell.exe and CommandLine includes -File with a known internal script path (e.g., C:\Windows\System32\scripts\monitor.ps1).
Scenario: Log File Compression or Archiving Task
Description: A task using compact.exe or icacls.exe to compress or archive log files as part of a standard log management process.
Filter/Exclusion: Exclude processes where ImageLoaded is