The hypothesis is that a hit on this rule, which detects the EternalRomance tool from the EquationGroup toolset published in the Shadow Brokers' April 2017 leak, indicates an adversary staging or using legacy exploit tooling whose operation depends on a backdoor component on the target (the rule's strings are the tool's own error messages about that backdoor). SOC teams should proactively hunt in Azure Sentinel for the matched files, and for the two sample hashes recorded in the rule's meta section, to identify long-standing compromises that may have evaded traditional signature-based detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_Eternalromance {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
      hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
   strings:
      $x1 = "[-] Error: Exploit choice not supported for target OS!!" fullword ascii
      $x2 = "Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed" fullword ascii
      $x3 = "[-] Error: Backdoor not present on target" fullword ascii
      $x4 = "*********** TARGET ARCHITECTURE IS X64 ************" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) or 2 of them
}
The detection logic has four string patterns ($x1 to $x4), all console messages printed by the tool, and two ways to fire: a PE file (uint16(0) == 0x5a4d, i.e. an MZ header read little-endian) smaller than 200 KB that contains any one of them, or a file of any type and any size that contains two of them. The hashes in the meta section document the leaked samples the rule was written against; they take no part in matching, so a hit is not by itself a hash match and should be hashed and compared separately. Because this is a file-content rule, tuning belongs at the file level (verified hash, path, signer), not at the process level. The scenarios below are the benign situations most often proposed for exclusion; in each, the process named does not itself contain these strings, so a process-name exclusion would not reduce hits and would only create a blind spot, since an adversary can launch the tool from a scheduled task or a PowerShell session just as easily as from anywhere else.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task (schtasks.exe / Task Scheduler) runs a maintenance script or tool on a routine basis, and a YARA scan of its working directory or dropped files produces a hit.
Filter/Exclusion: Do not exclude by the task or by schtasks.exe; the task is only the launcher. Verify the matched file itself (which strings matched, whether it is a PE, its SHA-256 against the rule's hash1/hash2, and who created the task and when), and exclude only that specific file by hash once it is confirmed benign.
Scenario: Windows Update or Patching Process
Description: Windows Update components (wusa.exe, dism.exe, the wuauserv service) write many new files during patching, which a real-time YARA scanner will examine.
Filter/Exclusion: Do not exclude wusa.exe, dism.exe or the update service. Check the matched file's Authenticode signature and hash; a file that is not a signed, unmodified Microsoft component is not a patching artefact regardless of what process wrote it, and should be escalated.
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job runs sqlcmd.exe or a third-party backup tool and writes backup files that get scanned. Backup files carry whatever data the database holds, so a hit may reflect a copy of the leaked tool or of a threat report stored in a table rather than the tool executing.
Filter/Exclusion: Do not exclude sqlcmd.exe or the backup tool. Confirm which strings matched and whether the file is a PE; a non-PE backup that matched via the "2 of them" branch can be excluded by path after its content is checked, while the PE branch must stay in force for executables on the same host.
Scenario: Log File Analysis Using PowerShell Script
Description: An admin runs a PowerShell script that parses log files. Scanner or security logs that quote the tool's error messages will trip the "2 of them" branch, which has no file-type or size constraint.
Filter/Exclusion: Do not exclude powershell.exe; the script is not what matched. Confirm the hit is a text file (no MZ header) containing logged or quoted strings and exclude it by path or hash. An executable matching in the same directory is a separate finding and should be escalated.
Scenario: Security Software Scanning Activity
Description: Security products such as Malwarebytes, Bitdefender or Kaspersky keep signature databases, quarantine stores and scan reports that can legitimately contain these same strings. The rule file itself, and any report quoting two of the strings, also matches via the "2 of them" branch.
Filter/Exclusion: Exclude the products' signature and quarantine directories and your own YARA rule repository by path, not by executable name (mbam.exe, bdagent.exe, kavsvc.exe). Excluding by process would also hide a copy of the tool launched from a compromised or impersonated security process.
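To make the rule's two branches and the triage advice above concrete, here is an added example: a plain-Python re-implementation of the condition in EquationGroup_Toolset_Apr17_Eternalromance (the fullword check, the MZ header test and the 200 KB gate) together with a coarse triage step that hashes a hit against the rule's meta hashes. It is not the rule author's code and not a substitute for the yara engine; the strings and hashes are copied from the rule, and every sample input (the small and oversized PE-like blobs, the text quoting the rule's own source, the string glued to a trailing letter) is constructed for illustration. The triage labels "known-sample", "unknown-pe", "non-pe-text" and "no-match" are the example's own.

```python
"""Added example: re-implementation of the EquationGroup_Toolset_Apr17_Eternalromance
condition plus a hash-based triage step.  Not the rule author's code; use the real
yara engine (or yara-python) for scanning.  All sample inputs are constructed."""
import hashlib

# Strings and meta hashes copied from the rule.
STRINGS = {
    "$x1": b"[-] Error: Exploit choice not supported for target OS!!",
    "$x2": b"Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed",
    "$x3": b"[-] Error: Backdoor not present on target",
    "$x4": b"*********** TARGET ARCHITECTURE IS X64 ************",
}
KNOWN_HASHES = {
    "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d",  # hash1
    "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b",  # hash2
}
MAX_PE_SIZE = 200 * 1024  # YARA's "200KB" (KB multiplies by 1024)


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if it is not immediately
    preceded or followed by an ASCII alphanumeric byte."""
    start = 0
    while (i := data.find(needle, start)) != -1:
        end = i + len(needle)
        before_ok = i == 0 or not bytes([data[i - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            return True
        start = i + 1
    return False


def matched_strings(data: bytes) -> list[str]:
    return [name for name, s in STRINGS.items() if fullword_match(data, s)]


def is_pe(data: bytes) -> bool:
    # uint16(0) == 0x5a4d: YARA reads little-endian, so the file starts with b"MZ".
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def rule_matches(data: bytes) -> bool:
    hits = len(matched_strings(data))
    return (is_pe(data) and len(data) < MAX_PE_SIZE and hits >= 1) or hits >= 2


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, known_hashes=KNOWN_HASHES) -> str:
    """First pass over a hit: a known leaked sample, an unknown PE carrying the
    tool's console strings, or a non-PE file (rule source, report, IOC list)
    that matched only through the '2 of them' branch."""
    if not rule_matches(data):
        return "no-match"
    if sha256_hex(data) in known_hashes:
        return "known-sample"
    return "unknown-pe" if is_pe(data) else "non-pe-text"


# --- constructed samples -------------------------------------------------
# Small PE-like blob with one tool string: fires through the PE branch.
PE_SMALL = b"MZ" + b"\x00" * 62 + STRINGS["$x4"] + b"\x00"
# Same content padded past 200 KB: the size gate fails and one string is not enough.
PE_BIG = b"MZ" + b"\x00" * MAX_PE_SIZE + STRINGS["$x4"] + b"\x00"
# A text file quoting two strings (as the rule's own source does) fires via
# "2 of them", with no PE or size constraint at all.
RULE_TEXT = (b'$x1 = "' + STRINGS["$x1"] + b'" fullword ascii\n'
             b'$x3 = "' + STRINGS["$x3"] + b'" fullword ascii\n')
# $x1 glued to a trailing letter is not a fullword hit, leaving only $x3.
TEXT_ONE_FULLWORD = STRINGS["$x1"] + b"X\n" + STRINGS["$x3"] + b"\n"


def demo() -> dict[str, str]:
    samples = [("pe_small", PE_SMALL), ("pe_big", PE_BIG),
               ("rule_text", RULE_TEXT), ("text_one_fullword", TEXT_ONE_FULLWORD)]
    return {name: triage(blob) for name, blob in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Running it shows the points the scenarios rely on: the oversized PE with a single string is silent, the text file quoting two strings fires with no size or type check, and a verdict of "non-pe-text" is the signal to look for a report, log or rule repository rather than a running tool. The "known-sample" branch is only reachable with the real leaked binaries, so in the constructed run every PE hit comes back as "unknown-pe" and must be escalated.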