The hypothesis is that a hit on the EquationGroup Tool - April Leak rule indicates potential adversary activity using a known malware variant associated with advanced persistent threats. A SOC team should proactively hunt for this in Azure Sentinel to identify and mitigate compromise by sophisticated adversaries exploiting legacy or unpatched systems.
YARA Rule
rule EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "61f98b12c52739647326e219a1cf99b5440ca56db3b6177ea9db4e3b853c6ea6"
    strings:
        $x1 = "[+] Connected to target %s:%d" fullword ascii
        $x2 = "[-] build_exploit_run_x64():" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule's detection logic uses 2 string patterns ($x1 and $x2); either one is enough to fire when the file also starts with an MZ header and is smaller than 200KB.
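To make the condition concrete, the following is an added Python re-implementation of the rule's logic (this is example code, not part of the original page and not YARA itself), run over constructed byte strings rather than real samples. It assumes YARA's documented semantics: uint16(0) is read little-endian, KB means 1024 bytes, and fullword means the bytes adjacent to a match are not alphanumeric.

```python
import re

# Constants copied from the rule on this page
MZ_MAGIC = 0x5A4D
MAX_FILESIZE = 200 * 1024  # YARA's KB suffix means 1024 bytes
RULE_STRINGS = {
    "$x1": b"[+] Connected to target %s:%d",
    "$x2": b"[-] build_exploit_run_x64():",
}


def _fullword_hits(data: bytes, needle: bytes) -> list:
    """Offsets where needle occurs as a YARA 'fullword' match: the byte
    before and the byte after the match must not be alphanumeric."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(pattern, data)]


def evaluate_rule(data: bytes) -> dict:
    """Mirror the condition: uint16(0) == 0x5a4d and filesize < 200KB and 1 of them.
    Returns each sub-check so an analyst can see why a file did or did not match."""
    magic = int.from_bytes(data[:2], "little") if len(data) >= 2 else None
    hits = {name: _fullword_hits(data, s) for name, s in RULE_STRINGS.items()}
    matched = [name for name, offsets in hits.items() if offsets]
    result = {
        "is_mz": magic == MZ_MAGIC,
        "size_ok": len(data) < MAX_FILESIZE,
        "strings": matched,
    }
    result["match"] = result["is_mz"] and result["size_ok"] and len(matched) >= 1
    return result


# Constructed samples (not real malware, just byte strings built for this example)
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00[+] Connected to target %s:%d\x00 padding"
SAMPLE_NOT_PE = b"\x7fELF\x00[-] build_exploit_run_x64():\x00"  # string hit, wrong magic
SAMPLE_NOT_FULLWORD = b"MZ" + b"x[-] build_exploit_run_x64():y"  # glued to alphanumerics

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                        ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        print(label, evaluate_rule(blob))
```

The third sample shows why the fullword modifier matters for triage: the marker string is present, but YARA would not report it, so a plain grep for the string can disagree with the rule.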
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task created with schtasks.exe or Task Scheduler is running a maintenance script that includes base64-encoded content.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler and exclude tasks with known maintenance scripts.
Scenario: Admin Using PowerShell to Decode Base64 Strings
Description: An admin is using PowerShell to decode base64 strings as part of a script or troubleshooting.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for cmdline containing -EncodedCommand or ConvertFrom-String.
Scenario: Network Device Configuration Backup via Base64
Description: A network device configuration is being exported in base64 format via a script or tool like netsh or Cisco Configuration Exporter.
Filter/Exclusion: Filter by ProcessName containing netsh.exe, ciscoconf.tcl, or similar network tools and exclude known backup scripts.
Scenario: Log File Parsing Using Base64 Encoding
Description: A log file is being parsed using a script that encodes or decodes log entries in base64 as part of a data processing pipeline.
Filter/Exclusion: Filter by ProcessName containing python.exe or logparser.exe and check for cmdline containing base64 or decode.
Scenario: Security Tool Using Base64 for Encrypted Payloads
Description: A security tool like OSSEC or Splunk is using base64 encoding for encrypted payloads or data transfer.
Filter/Exclusion: Filter by ProcessName containing ossec.exe, splunkd.exe,