The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary activity leveraging a known malware variant associated with advanced persistent threats. A SOC team should proactively hunt for this indicator in Azure Sentinel to identify and mitigate potential compromise by sophisticated adversaries exploiting legacy or unpatched systems.
YARA Rule
rule EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "f6b9caf503bb664b22c6d39c87620cc17bdb66cef4ccfa48c31f2a3ae13b4281"
    strings:
        $x1 = "[-] Touching the target failed!" fullword ascii
        $x2 = "[-] OS fingerprint not complete - 0x%08x!" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
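To make the rule's semantics concrete, the following is an added example (not part of the page and not Florian Roth's code) that re-implements the rule's condition in plain Python, without the yara library, so a defender can see exactly which checks gate a match: the little-endian uint16 at offset 0 must be 0x5a4d (the bytes "MZ"), the file must be strictly smaller than 200 KB (YARA's KB is 1024 bytes), and at least one of the two strings must occur as a full-word ASCII match (not bordered by alphanumeric characters). The helper names (rule_matches, matched_strings, make_sample) and the constructed sample buffers are my own assumptions; in production, evaluate the actual rule with YARA rather than this re-implementation.

```python
import re

# Rule parameters transcribed from the page's YARA rule.
MZ_MAGIC = 0x5A4D          # uint16(0) is read little-endian, so this is the bytes b"MZ"
MAX_SIZE = 200 * 1024      # "filesize < 200KB": YARA's KB multiplier is 1024
STRINGS = {
    "$x1": b"[-] Touching the target failed!",
    "$x2": b"[-] OS fingerprint not complete - 0x%08x!",
}


def _fullword_regex(pattern: bytes) -> "re.Pattern[bytes]":
    """YARA 'fullword': the match may not be preceded or followed by [A-Za-z0-9]."""
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")


_COMPILED = {name: _fullword_regex(s) for name, s in STRINGS.items()}


def matched_strings(data: bytes) -> list:
    """Return identifiers ($x1, $x2) of rule strings present in data as full words."""
    return [name for name, rx in _COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: MZ header, filesize < 200KB, and 1 of them."""
    if len(data) < 2:
        return False                                   # uint16(0) is undefined, no match
    if int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False                                   # not a PE/MZ image
    if len(data) >= MAX_SIZE:
        return False                                   # exactly 200 KB is NOT < 200KB
    return len(matched_strings(data)) >= 1


def make_sample(payload: bytes, pe_header: bool = True, pad_to: int = 0) -> bytes:
    """Build a constructed test buffer (hypothetical, not a real sample):
    optional "MZ" magic, some zero filler, the payload, then zero padding."""
    head = b"MZ" if pe_header else b"XX"
    body = head + b"\x00" * 62 + payload
    if pad_to > len(body):
        body += b"\x00" * (pad_to - len(body))
    return body


if __name__ == "__main__":
    # Constructed inputs that exercise each gate of the condition.
    cases = {
        "mz + $x1, small":            make_sample(b"\x00" + STRINGS["$x1"] + b"\x00"),
        "no mz + $x1":                make_sample(b"\x00" + STRINGS["$x1"] + b"\x00", pe_header=False),
        "mz + $x2, exactly 200KB":    make_sample(b"\x00" + STRINGS["$x2"] + b"\x00", pad_to=MAX_SIZE),
        "mz + $x2 glued to alnum":    make_sample(b"abc" + STRINGS["$x2"] + b"def"),
        "mz, unrelated strings":      make_sample(b"\x00Hello, world!\x00"),
    }
    for label, buf in cases.items():
        print(f"{label:28s} -> match={rule_matches(buf)} strings={matched_strings(buf)}")
```

The "glued to alnum" case shows why fullword matters: the same bytes are present, but because they are bordered by letters the rule does not fire, so a scanner that greps for the raw substring would over-report relative to YARA. The size case shows the boundary is strict: a file of exactly 200 KB is excluded.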
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns ($x1 and $x2) in its detection logic; a file matches when it begins with the MZ header (uint16(0) == 0x5a4d), is smaller than 200 KB, and contains at least one of the two strings as a full-word ASCII match.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance job names (e.g., Cleanup-System-Logs), or filter by parent process if known.
Scenario: Microsoft Equation Group Tool (Legitimate Use)
Description: The EquationGroup tool, which is part of Microsoft’s security research, may be used in legitimate security testing or threat hunting activities.
Filter/Exclusion: Exclude processes where the file path includes C:\Windows\System32\ or where the process is initiated by a known security tool (e.g., Microsoft Defender ATP).
Scenario: Admin PowerShell Script Execution
Description: An administrator may run a PowerShell script that includes similar command-line arguments or file operations as the EquationGroup tool.
Filter/Exclusion: Exclude powershell.exe processes running a known admin script name (e.g., Admin-System-Check.ps1) or with a parent process of explorer.exe or cmd.exe.
Scenario: Antivirus or EDR Tool Scanning Activity
Description: Antivirus or EDR tools like Microsoft Defender, CrowdStrike, or SentinelOne may perform file scanning or memory inspection that mimics the behavior of the EquationGroup tool.
Filter/Exclusion: Exclude processes where the executable name matches known EDR/AV tools (e.g., MsMpEng.exe, Csws.exe, SentinelOne.exe) or where the process is associated with a known security tool.
Scenario: Legitimate File Copy or Archive Operation
Description: A legitimate file copy or archive operation (