The hypothesis is that a match on this rule (EquationGroup Tool - April Leak) indicates potential adversary use of exploitation and implant-delivery tooling from the April 2017 Shadow Brokers release: legacy malware whose strings and hashes are well documented, but which can still be found on hosts that were compromised long ago. SOC teams should proactively hunt for it in Azure Sentinel to identify and mitigate long-term intrusions that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
        hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
    strings:
        $x1 = "Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword" fullword ascii
        $x6 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08X" fullword ascii
        $s19 = "Sending Implant Payload.. cEncImplantPayload size(%d)" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
This rule matches file content, not process activity. A file fires it only if it begins with the MZ header (uint16(0) == 0x5a4d is the little-endian reading of the bytes "MZ"), is smaller than 200 KB, and contains at least one of the rule's 3 string patterns ($x1, $x6, $s19), each required as a fullword ASCII match. It is therefore deployed wherever files are scanned: endpoint YARA scanners, sandbox and mail-gateway pipelines, and scans of file shares and sample stores. Its output is tuned by file path and file hash rather than by parent process or command line, and the two hashes in the meta block give a second pivot for the same tooling in any telemetry that records SHA256 values.
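To make the condition concrete, the following added example (not part of the original page or of the signature-base project) re-implements this rule's condition in plain Python and runs it over constructed buffers that exercise each leg: the MZ check, the size threshold, and the fullword semantics of the three strings. The function names, the build_sample helper and the sample buffers are assumptions made for the example; the strings and hashes are copied from the rule.

```python
import hashlib

# The three strings and the condition are copied from the rule above. Everything else
# (the sample buffers, the function names) is constructed for this example.
RULE_STRINGS = {
    "$x1": b"Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword",
    "$x6": b"** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08X",
    "$s19": b"Sending Implant Payload.. cEncImplantPayload size(%d)",
}
# hash1 / hash2 from the rule's meta block: a second hunting pivot for telemetry that carries SHA256.
KNOWN_HASHES = {
    "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef",
    "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2",
}
MAX_SIZE = 200 * 1024  # YARA's KB suffix is 1024 bytes; "filesize < 200KB" excludes exactly 200 KB


def _is_alnum(byte):
    """ASCII alphanumeric test on a single byte value (None = beyond the buffer edge)."""
    return byte is not None and bytes([byte]).isalnum()


def fullword_matches(data, needle):
    """Offsets where needle occurs as a YARA 'fullword' ascii match: the occurrence must not be
    immediately preceded or followed by an alphanumeric byte (buffer edges count as delimiters)."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return hits
        before = data[i - 1] if i > 0 else None
        end = i + len(needle)
        after = data[end] if end < len(data) else None
        if not _is_alnum(before) and not _is_alnum(after):
            hits.append(i)
        start = i + 1


def evaluate_rule(data):
    """Evaluate ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) over a buffer.
    Returns (matched, [names of strings that matched])."""
    # uint16(0) is little-endian in YARA, so 0x5a4d is the bytes 'M','Z'.
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False, []
    if len(data) >= MAX_SIZE:
        return False, []
    matched = [name for name, s in RULE_STRINGS.items() if fullword_matches(data, s)]
    return bool(matched), matched


def sha256_hit(data):
    """True if the buffer's SHA256 is one of the two hashes named in the rule's meta block."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def build_sample(payload, size=4096, header=b"MZ"):
    """Constructed stand-in for a scanned file: a 2-byte header, filler, the payload, zero padding.
    It is not a real PE image; only the fields the rule's condition reads are meaningful."""
    body = header + b"\x90" * 64 + payload + b"\x00" * 32
    return body.ljust(size, b"\x00")


# Constructed inputs covering each leg of the condition.
SAMPLES = {
    "implant_stub": build_sample(RULE_STRINGS["$s19"]),                                  # fires on $s19
    "two_strings": build_sample(RULE_STRINGS["$x1"] + b"\n" + RULE_STRINGS["$x6"]),      # fires on $x1 and $x6
    "not_pe": build_sample(RULE_STRINGS["$x6"], header=b"\x7fE"),                        # wrong header: no match
    "too_big": build_sample(RULE_STRINGS["$x1"], size=MAX_SIZE),                         # exactly 200 KB: fails '< 200KB'
    "glued": build_sample(b"X" + RULE_STRINGS["$x6"] + b"Y"),                            # alnum on both sides: fails fullword
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        matched, names = evaluate_rule(data)
        print(f"{name:13s} size={len(data):7d} rule={'HIT ' if matched else 'miss'} {names} known_hash={sha256_hit(data)}")
```

The "too_big" and "glued" cases are the ones worth remembering when tuning: a file of exactly 200 KB, or one where an attacker has packed the string so that it is adjacent to alphanumeric bytes, does not match even though the string is present, so a negative scan result is not proof of absence. The hash check never fires on these constructed buffers; it only becomes useful against real files or SHA256 columns in file telemetry.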
Scenario: Analyst Sample Store or Threat Intelligence Share
Description: A repository of collected malware samples, or an IOC/signature bundle that ships the original leaked binaries alongside the rule, fires the rule on every scan because the files are exact copies of the tooling it describes, not evidence that it ran.
Filter/Exclusion: Exclude the designated sample and intel directories by path, keep them on isolated hosts, and treat any match outside those paths as actionable.
Scenario: Security Product Quarantine or Sandbox Output
Description: Antivirus and EDR quarantine folders, and the working directories of a sandbox or detonation service, retain copies of files that were already detected and contained; rescanning them re-raises the same hit.
Filter/Exclusion: Exclude the product's quarantine and sandbox output paths and correlate the YARA hit with the product's own detection event; if no such event exists, investigate the copy as a live file.
Scenario: Restored Backups and Extracted Archives
Description: A restore or an archive unpacked for investigation can reintroduce an old binary onto disk long after the original incident, producing a true file match that does not reflect current adversary activity.
Filter/Exclusion: Correlate the hit with file-creation telemetry (backup agent or archive utility as the creating process, original timestamps preserved) and confirm whether the file was ever executed before escalating.
Scenario: Malware Analysis or Forensic Tool Execution
Description: A malware analysis or forensic tool (e