The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats, which may be used for data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise of critical systems.
YARA Rule
rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        super_rule = 1
        hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
        hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
        hash3 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309"
    strings:
        $x1 = "ERROR: Connection terminated by Target (TCP Ack/Fin)" fullword ascii
        $s2 = "Target did not respond within specified amount of time" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them )
}
This rule contains 2 string patterns in its detection logic; a file matches when it starts with the MZ header, is smaller than 300KB, and contains at least one of the two strings as a full word. The scenarios below describe benign activity that can overlap with the detection, together with the filters or exclusions that separate it from genuine hits:
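To show exactly what the condition above evaluates, here is an added example (not part of the original page or of the rule author's tooling) that re-implements this rule's logic in plain Python: the little-endian uint16(0) check for the MZ header, the 300KB size limit, and YARA's fullword semantics for the two strings. All sample buffers are constructed stubs, not real files.

```python
import re

# Parameters taken directly from the YARA rule on this page
MZ_MAGIC = 0x5A4D            # uint16(0) == 0x5a4d, i.e. the bytes "MZ" read little-endian
MAX_FILESIZE = 300 * 1024    # YARA's "300KB" means 300 * 1024 bytes
RULE_STRINGS = {
    "$x1": b"ERROR: Connection terminated by Target (TCP Ack/Fin)",
    "$s2": b"Target did not respond within specified amount of time",
}


def fullword_pattern(s):
    # YARA 'fullword': the match must not be immediately preceded or followed
    # by an alphanumeric byte, so "xxTarget ..." or "... timeX" does not count.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


def matched_strings(data):
    # Return the identifiers of the rule strings present in data (fullword, ascii)
    return [name for name, s in RULE_STRINGS.items() if fullword_pattern(s).search(data)]


def rule_matches(data):
    # uint16(0) == 0x5a4d: a little-endian 16-bit read at offset 0
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False
    # filesize < 300KB
    if len(data) >= MAX_FILESIZE:
        return False
    # "1 of them": at least one of the two strings must match
    return len(matched_strings(data)) >= 1


# Constructed samples (hypothetical stubs, not real binaries):
# a PE-like header followed by one rule string delimited by NUL bytes
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00" + RULE_STRINGS["$x1"] + b"\x00"
# same string, but the file is not a PE (no MZ header) -> no match
SAMPLE_NOT_PE = b"#!/bin/sh\necho '" + RULE_STRINGS["$s2"] + b"'\n"
# MZ header, but the string is glued to alphanumerics -> fullword fails
SAMPLE_NOT_FULLWORD = b"MZ" + b"\x00" * 62 + b"xx" + RULE_STRINGS["$s2"] + b"X"
# a true hit padded past the 300KB limit -> filesize check fails
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE


if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                       ("not_fullword", SAMPLE_NOT_FULLWORD), ("too_big", SAMPLE_TOO_BIG)]:
        print(label, rule_matches(buf), matched_strings(buf))
```

Use the pure-Python version only to reason about the condition; for production scanning, load the rule in YARA itself so that the full string matching semantics apply.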
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler job) runs a script or executable that matches the behavior of the EquationGroup tool.
Filter/Exclusion: Check for CommandLine containing known maintenance scripts (e.g., schtasks.exe, wmic.exe, or paths to system tools like diskcleanup.exe). Exclude processes with Task Scheduler or Microsoft in the parent process name.
Scenario: Antivirus or EDR Scan
Description: A security tool (e.g., Microsoft Defender, CrowdStrike, or Kaspersky) performs a full system scan and executes processes that match the EquationGroup signature.
Filter/Exclusion: Exclude processes with mpcmdrun.exe, mpengine.exe, or any known EDR/AV tool binaries. Filter by ProcessName or ParentProcessName containing AV/EDR keywords.
Scenario: PowerShell Script for System Configuration
Description: A PowerShell script (e.g., PowerShell.exe) is used to configure system settings, update software, or manage services, and the script’s behavior triggers the EquationGroup detection rule.
Filter/Exclusion: Exclude processes with powershell.exe where the CommandLine includes -Command or -File arguments pointing to known configuration scripts (e.g., Update-System.ps1, Configure-Services.ps1). Filter by User or ProcessStartInfo to exclude admin scripts.
Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job (e.g., wusa.exe, dism.exe) is executed, and the detection rule incorrectly flags it as EquationGroup activity.
Filter/Exclusion: Exclude processes with wusa.exe, `dism