The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_EXPA {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "2017176d3b5731a188eca1b71c50fb938c19d6260c9ff58c7c9534e317d315f8"
    strings:
        $x1 = "* The target is IIS 6.0 but is not running content indexing servicess," fullword ascii
        $x2 = "--ver 6 --sp <service_pack> --lang <language> --attack shellcode_option[s]sL" fullword ascii
        $x3 = "By default, the shellcode will attempt to immediately connect s$" fullword ascii
        $x4 = "UNEXPECTED SHELLCODE CONFIGURATION ERRORs" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 12000KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic consists of four string patterns ($x1 to $x4); a file matches when it starts with an MZ header, is smaller than 12000KB, and contains at least one of those strings as a whole word.
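To make the condition concrete, the following is an added Python re-implementation of the rule's logic written for this page; it is not Florian Roth's rule, nor YARA itself. It reproduces the three checks the condition combines: the little-endian uint16 at offset 0 equal to 0x5a4d (the "MZ" header), a file size below 12000KB (YARA's KB is 1024 bytes), and at least one of the four strings present as a fullword ascii match, where fullword means no alphanumeric byte directly before or after the string. The sample buffers are constructed, harmless byte strings, not samples of the tool.

```python
import struct

# The four $x strings, copied from the rule above (ascii, fullword).
RULE_STRINGS = {
    "$x1": b"* The target is IIS 6.0 but is not running content indexing servicess,",
    "$x2": b"--ver 6 --sp <service_pack> --lang <language> --attack shellcode_option[s]sL",
    "$x3": b"By default, the shellcode will attempt to immediately connect s$",
    "$x4": b"UNEXPECTED SHELLCODE CONFIGURATION ERRORs",
}
MAX_SIZE = 12000 * 1024  # "filesize < 12000KB"; YARA's KB suffix means 1024 bytes


def _is_alnum(byte: int) -> bool:
    """YARA's fullword test treats only [A-Za-z0-9] as word characters."""
    return (0x30 <= byte <= 0x39) or (0x41 <= byte <= 0x5A) or (0x61 <= byte <= 0x7A)


def find_fullword(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no alphanumeric byte directly before or after it."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1  # keep scanning: a later occurrence may be a whole word


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition the way YARA would and report each sub-condition."""
    # uint16(0) is read little-endian, so the bytes "MZ" (0x4D 0x5A) give 0x5A4D.
    has_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    strings = {name: find_fullword(data, s) for name, s in RULE_STRINGS.items()}
    return {
        "mz_header": has_mz,
        "size_ok": size_ok,
        "strings": strings,
        "match": has_mz and size_ok and any(strings.values()),
    }


def _pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ header, padding, then the payload."""
    return b"MZ" + b"\x00" * 126 + payload + b"\x00" * 16


# Constructed samples (not real files) that exercise each branch of the condition.
SAMPLES = {
    # MZ header plus $x4 as a whole word: the only one that should match.
    "pe_with_x4": _pe_like(RULE_STRINGS["$x4"]),
    # $x4 present, but no MZ header: a text file quoting the string does not match.
    "text_with_x4": b"log line: " + RULE_STRINGS["$x4"] + b"\n",
    # $x4 immediately followed by letters: fullword fails, so no match.
    "pe_x4_not_fullword": _pe_like(RULE_STRINGS["$x4"] + b"ABC"),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = evaluate_rule(data)
        hits = [k for k, v in result["strings"].items() if v]
        print(f"{name:20} match={result['match']!s:5} mz={result['mz_header']} hits={hits}")
```

To run it over real files, pass `open(path, "rb").read()` to `evaluate_rule`; for production scanning use yara-python with the rule text itself, since this re-implementation only covers the literal-string features this one rule uses. The `pe_x4_not_fullword` sample is the case that trips people up when they hand-check a hit: the trailing `s` on $x4 is part of the string, and any letter or digit right after it makes YARA discard the occurrence.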
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or task scheduler is running a maintenance script that includes base64 encoded content.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, and filter out tasks with known maintenance scripts (e.g., cleanmgr.exe, defrag.exe).
Scenario: Admin Using PowerShell to Decompress Files
Description: An administrator is using PowerShell (powershell.exe) to decompress a legitimate archive file (e.g., .zip or .tar.gz) using base64 encoding.
Filter/Exclusion: Filter out processes where ProcessName is powershell.exe and the command line includes Expand-Archive, ConvertFrom-StringData, or Out-File with known archive formats.
Scenario: Log Parsing or Data Extraction Tool
Description: A log parsing tool like logparser.exe or splunk is processing logs that contain base64 encoded strings as part of data extraction.
Filter/Exclusion: Filter out processes with ProcessName containing logparser.exe, splunk, or logstash, and exclude any base64 strings that match known log formats or data fields.
Scenario: Software Update or Patch Deployment
Description: A patch deployment tool like wsusutil.exe or update.exe is using base64 encoding to transfer update payloads over a network.
Filter/Exclusion: Filter out processes with ProcessName containing wsusutil.exe, update.exe, or msiexec.exe, and exclude any base64 strings that match known update payload signatures.
Scenario: Internal Data Encoding for Internal Tools
Description: An internal
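As an added worked example, not part of the original page, the following Python applies the Filter/Exclusion logic from the scenarios above to a batch of constructed process events. The allowlist entries encode the page's process-name and command-line fragments as data; the hunt trigger (a run of 40 or more base64-alphabet characters in the command line), the field names ProcessName/CommandLine/EventId, and the sample events are assumptions chosen for the example.

```python
import base64
import re

# Allowlist built from the scenarios above. An entry suppresses an event only if the
# process name contains one of the "process" fragments AND, where "cmdline" is
# non-empty, the command line also contains one of those fragments.
EXCLUSIONS = [
    {"name": "scheduled maintenance",
     "process": ("schtasks.exe", "taskhost.exe"),
     "cmdline": ("cleanmgr.exe", "defrag.exe")},
    {"name": "admin archive handling",
     "process": ("powershell.exe",),
     "cmdline": ("Expand-Archive", "ConvertFrom-StringData", "Out-File")},
    {"name": "log parsing",
     "process": ("logparser.exe", "splunk", "logstash"),
     "cmdline": ()},
    {"name": "patch deployment",
     "process": ("wsusutil.exe", "update.exe", "msiexec.exe"),
     "cmdline": ()},
]

# Assumed hunt trigger: a run of 40+ base64-alphabet characters with optional padding.
BASE64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")


def matching_exclusion(event: dict):
    """Return the name of the first exclusion that covers the event, or None."""
    pname = event["ProcessName"].lower()
    cmd = event["CommandLine"].lower()
    for rule in EXCLUSIONS:
        if not any(p in pname for p in rule["process"]):
            continue
        if rule["cmdline"] and not any(f.lower() in cmd for f in rule["cmdline"]):
            continue
        return rule["name"]
    return None


def triage(events):
    """Split events into (alerts, suppressed); events with no base64 run are out of scope."""
    alerts, suppressed = [], []
    for ev in events:
        if not BASE64_RUN.search(ev["CommandLine"]):
            continue
        why = matching_exclusion(ev)
        (suppressed if why else alerts).append((ev["EventId"], why))
    return alerts, suppressed


# Constructed sample data: the blob is base64 of a harmless sentence, the events are invented.
BLOB = base64.b64encode(b"This is a constructed sample blob for testing only").decode()
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessName": "schtasks.exe",   # maintenance task -> suppressed
     "CommandLine": f'schtasks /create /tn Maint /tr "cleanmgr.exe /sagerun:1 {BLOB}"'},
    {"EventId": 2, "ProcessName": "powershell.exe", # archive handling -> suppressed
     "CommandLine": f"powershell.exe Expand-Archive -Path C:\\temp\\{BLOB}.zip -DestinationPath C:\\temp\\out"},
    {"EventId": 3, "ProcessName": "powershell.exe", # encoded command, no archive verb -> alert
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {BLOB}"},
    {"EventId": 4, "ProcessName": "LogParser.exe",  # log parser -> suppressed
     "CommandLine": f"LogParser.exe \"SELECT * FROM ex.log WHERE token='{BLOB}'\""},
    {"EventId": 5, "ProcessName": "msiexec.exe",    # no base64 run -> never evaluated
     "CommandLine": "msiexec.exe /i setup.msi /qn"},
    {"EventId": 6, "ProcessName": "schtasks.exe",   # schtasks without a known script -> alert
     "CommandLine": f'schtasks /create /tn Updater /tr "cmd /c echo {BLOB}"'},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print("alerts:", [eid for eid, _ in alerts])
    print("suppressed:", suppressed)
```

Event 6 is the one worth keeping in mind: the scheduled-task exclusion only fires when the command line names a known maintenance script, so a task that merely uses schtasks.exe still surfaces. Matching on the process name alone is the weakest part of these exclusions, since the name is chosen by whoever launched the process; in a Sentinel query you would tighten each entry with the image path or signer, and keep the suppressed set reviewable rather than silently dropping it.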