Hypothesis: a match on the YARA rule below, which targets components of the EquationGroup toolset published in the April 2017 Shadow Brokers leak, indicates that a known advanced-adversary tool is present on a host and may be in use to exfiltrate data or establish persistence within the network. SOC teams should proactively hunt for such matches (for example by ingesting endpoint YARA scan results into Azure Sentinel) so that early-stage compromise by sophisticated adversaries reusing these known malware artifacts is identified and contained.
YARA Rule
rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
      hash2 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
   strings:
      $s4 = "Fragment: Packet too small to contain RPC header" fullword ascii
      $s5 = "Fragment pickup: SmbNtReadX failed" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 700KB and 1 of them )
}
This YARA rule can be deployed wherever YARA scanning of files or process memory is available (endpoint scanners, sandboxes, and gateway products with YARA support); Azure Sentinel does not run YARA itself but can ingest and correlate the resulting alerts.
The rule contains two string patterns, $s4 and $s5, and its condition fires on any file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 700 KB, and contains at least one of the two strings as a whole word. Both strings are error messages from the tool's handling of RPC fragments read over SMB, which makes accidental matches in unrelated software unlikely, but a hit still names only the file: confirm it by hashing the file and comparing the digest with hash1 and hash2 in the meta block, then examine the process and account that wrote or executed it. The scenarios below describe benign activity whose process telemetry can coincide with a match and the filters used to tune such alerts; none of them applies when the matched file's hash equals hash1 or hash2.
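The following is an added example, not code from the original page or from the signature-base project: a pure-Python re-implementation of the rule's condition, useful for checking what the rule will and will not flag without a YARA install, plus the hash comparison against hash1/hash2 that turns a string hit into a confirmed known-sample hit. The sample byte strings are constructed here and are not real malware; the 700KB limit follows YARA's convention of KB = 1024 bytes.

```python
import hashlib
import re
import struct

# SHA-256 values copied from the rule's meta block (hash1, hash2).
KNOWN_HASHES = {
    "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556",
    "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337",
}

# The rule's two ASCII strings. "fullword" in YARA means the match may not be
# preceded or followed by an alphanumeric byte, modelled here with look-arounds.
PATTERNS = {
    "$s4": b"Fragment: Packet too small to contain RPC header",
    "$s5": b"Fragment pickup: SmbNtReadX failed",
}
FULLWORD = {
    name: re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")
    for name, s in PATTERNS.items()
}
MAX_SIZE = 700 * 1024  # YARA's "700KB" is 700 * 1024 bytes


def matching_strings(data: bytes) -> list:
    """Names of the rule strings present in data, in rule order."""
    return [name for name, rx in FULLWORD.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Mirror of: uint16(0) == 0x5a4d and filesize < 700KB and 1 of them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False                      # not an MZ/PE file
    if len(data) >= MAX_SIZE:
        return False                      # filesize < 700KB fails
    return len(matching_strings(data)) >= 1


def triage(data: bytes) -> dict:
    """What an analyst wants from a hit: which strings fired and whether the
    file is one of the two samples the rule was written against."""
    sha = hashlib.sha256(data).hexdigest()
    return {
        "match": rule_matches(data),
        "strings": matching_strings(data),
        "sha256": sha,
        "known_sample": sha in KNOWN_HASHES,
    }


# Constructed samples (not real binaries): a minimal MZ header followed by
# filler and a rule string embedded the way a compiled binary stores it.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00" + PATTERNS["$s5"] + b"\x00" + b"\x90" * 100
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00" + PATTERNS["$s4"] + b"\x00"          # string present, no MZ header
SAMPLE_FULLWORD_FAIL = b"MZ" + b"\x00" * 62 + b"X" + PATTERNS["$s4"] + b"X"  # alphanumeric neighbours
SAMPLE_TOO_BIG = b"MZ" + b"\x00" * 62 + b"\x00" + PATTERNS["$s4"] + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                        ("fullword_fail", SAMPLE_FULLWORD_FAIL), ("too_big", SAMPLE_TOO_BIG)]:
        print(label, triage(blob))
```

Only SAMPLE_HIT matches; the other three show the three ways the condition can fail (wrong magic, fullword boundary, size limit). On a real hit, `known_sample` being False means the file is a variant or a new build rather than one of the two leaked samples, which is worth noting in the ticket.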
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Treat as benign when ProcessName is schtasks.exe running from C:\Windows\System32 and CommandLine contains /create or /run referencing a known maintenance script; a schtasks.exe image at any other path, or a task pointing at an unknown script, stays in scope.
Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup) to remove temporary files or system cache.
Filter/Exclusion: Treat as benign only when ProcessName is cleanmgr.exe and the image runs from the system directory (C:\Windows\System32); a cleanmgr.exe launched from any other location is not covered by this exclusion.
Scenario: PowerShell Script for Log Rotation
Description: A PowerShell script (powershell.exe) used to rotate and archive log files, which may involve file system operations similar to malicious activity.
Filter/Exclusion: Check for CommandLine containing logrotate or rotate and verify that every script path on the command line resolves under a known trusted directory (e.g., C:\Scripts); a rotation script run from a user-writable location does not qualify.
Scenario: Antivirus Quarantine Process
Description: A legitimate process such as avgscan.exe or mcafee.exe performing a scan and moving files to quarantine.
Filter/Exclusion: Filter by ProcessName matching the vendor's documented executable names, running from the product's installation directory (ideally with a valid vendor code signature, since a process name alone is trivially spoofed), and check for CommandLine containing scan or quarantine.
Scenario: Database Backup Job Execution
Description: A database backup tool like sqlbackup.exe or mysqldump.exe running a scheduled backup job, which may involve file system access.
Filter/Exclusion: Check for ProcessName matching the backup tool, running from its installation directory, and a command line that includes the expected backup parameters or destination paths.
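The five exclusions above, applied to constructed endpoint telemetry as an added example (this is not code from the original page). It encodes the page's filters as data and adds two checks the page leaves implicit: a hit whose file hash equals hash1 or hash2 is never suppressed, and a process is only trusted when its image runs from an expected directory. The image directories, the AV and backup keywords, and the alert record layout are assumptions chosen for the example, not a Sentinel table schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SHA-256 values from the rule's meta block: a match on one of these is never tuned out.
KNOWN_HASHES = {
    "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556",
    "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337",
}


@dataclass
class Scenario:
    name: str
    processes: set                    # lower-case image file names from the scenario
    image_dirs: set                   # directories the image must run from (assumed values)
    keywords: tuple = ()              # at least one must appear in the command line, if set
    script_dir: Optional[str] = None  # every .ps1 on the command line must live here


# The page's five scenarios as data. Image directories and the AV/backup
# keywords are assumptions for this example, not values taken from the page.
SCENARIOS = [
    Scenario("Scheduled System Maintenance Task", {"schtasks.exe"},
             {r"c:\windows\system32"}, ("/create", "/run")),
    Scenario("Admin Performing Disk Cleanup", {"cleanmgr.exe"},
             {r"c:\windows\system32"}),
    Scenario("PowerShell Script for Log Rotation", {"powershell.exe"},
             {r"c:\windows\system32\windowspowershell\v1.0"},
             ("logrotate", "rotate"), script_dir=r"c:\scripts"),
    Scenario("Antivirus Quarantine Process", {"avgscan.exe", "mcafee.exe"},
             {r"c:\program files"}, ("scan", "quarantine")),
    Scenario("Database Backup Job Execution", {"sqlbackup.exe", "mysqldump.exe"},
             {r"c:\program files"}, ("backup", "--all-databases")),
]

_PS1 = re.compile(r'([A-Za-z]:\\[^"\s]+?\.ps1)', re.IGNORECASE)


def _under(path_dir: str, allowed: str) -> bool:
    """True if path_dir is allowed or a subdirectory of it (prefix ending on a separator)."""
    return path_dir == allowed or path_dir.startswith(allowed + "\\")


def suppression_reason(alert: dict) -> Optional[str]:
    """Return the scenario that explains a benign hit, or None to keep the alert."""
    if alert["sha256"].lower() in KNOWN_HASHES:
        return None                                   # known sample: always escalate
    image = alert["image_path"].lower()
    image_dir, _, proc = image.rpartition("\\")
    cmd = alert["command_line"].lower()
    for sc in SCENARIOS:
        if proc not in sc.processes:
            continue
        if not any(_under(image_dir, d) for d in sc.image_dirs):
            continue                                  # right name, wrong location
        if sc.keywords and not any(k in cmd for k in sc.keywords):
            continue
        if sc.script_dir is not None:
            paths = _PS1.findall(alert["command_line"])
            if not paths or not all(_under(p.lower().rpartition("\\")[0], sc.script_dir)
                                    for p in paths):
                continue                              # script outside the trusted directory
        return sc.name
    return None


def tune(alerts: list) -> tuple:
    """Split alerts into (kept, suppressed) lists of (id, reason)."""
    kept, suppressed = [], []
    for a in alerts:
        reason = suppression_reason(a)
        (suppressed if reason else kept).append((a["id"], reason))
    return kept, suppressed


# Constructed alert records (hashes other than the rule's are placeholders).
ALERTS = [
    {"id": 1, "image_path": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /create /tn CleanTemp /tr C:\Scripts\cleantemp.cmd",
     "sha256": "aa" * 32},
    {"id": 2, "image_path": r"C:\Users\bob\Downloads\cleanmgr.exe",      # wrong directory
     "command_line": "cleanmgr.exe /sagerun:1", "sha256": "bb" * 32},
    {"id": 3, "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\logrotate.ps1", "sha256": "cc" * 32},
    {"id": 4, "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\Public\rotate.ps1", "sha256": "dd" * 32},
    {"id": 5, "image_path": r"C:\Windows\System32\cleanmgr.exe",          # known sample hash
     "command_line": "cleanmgr.exe /sagerun:1",
     "sha256": "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"},
]

if __name__ == "__main__":
    print(tune(ALERTS))
```

Alerts 1 and 3 are tuned out; 2 and 4 survive because the image or script lives outside the trusted directory, and 5 survives regardless of process context because the file itself is one of the leaked samples. Keeping the hash check first is the point: process-name exclusions describe who touched the file, not what the file is.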