The hypothesis is that a detection of the EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware toolkit that may be used for persistent, stealthy network infiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise and data exfiltration risks.
YARA Rule
rule EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "0cdde7472b077610d0068aa7e9035da89fe5d435549749707cae24495c8d8444"
   strings:
      $x1 = "[-] Connection closed by remote host (TCP Ack/Fin)" fullword ascii
      $s2 = "[!]Warning: Error on first request - path size may actually be larger than indicated." fullword ascii
      $s4 = "<http://%s/%s> (Not <locktoken:write1>) <http://%s/>" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
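To show what the rule's condition actually evaluates, here is an added Python example (not from the original page or from the rule's author) that re-implements its three checks by hand: the uint16(0) == 0x5a4d header test, the filesize < 150KB bound, and the three fullword ascii strings with YARA's boundary semantics (a match must not be flanked by alphanumeric bytes). It assumes no yara module is installed; the sample blobs are constructed for the example and are not real malware.

```python
import sys

# The three ASCII strings from the YARA rule above (copied here for this example).
RULE_STRINGS = {
    "$x1": b"[-] Connection closed by remote host (TCP Ack/Fin)",
    "$s2": b"[!]Warning: Error on first request - path size may actually be larger than indicated.",
    "$s4": b"<http://%s/%s> (Not <locktoken:write1>) <http://%s/>",
}
MAX_SIZE = 150 * 1024  # YARA's "filesize < 150KB" uses 1 KB = 1024 bytes


def fullword_matches(data, needle):
    """Offsets where needle occurs and is not flanked by alphanumeric bytes (YARA 'fullword')."""
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        before = data[i - 1:i]                                # b"" at start of file
        after = data[i + len(needle):i + len(needle) + 1]     # b"" at end of file
        if not before.isalnum() and not after.isalnum():      # b"".isalnum() is False
            offsets.append(i)
        start = i + 1


def evaluate_rule(data):
    """Mirror the rule's condition: uint16(0) == 0x5a4d, filesize < 150KB, and 1 of the strings."""
    is_mz = data[:2] == b"MZ"  # 0x5a4d read little-endian is the byte pair "MZ"
    hits = {name: fullword_matches(data, s) for name, s in RULE_STRINGS.items()}
    hits = {name: offs for name, offs in hits.items() if offs}
    return {"match": is_mz and len(data) < MAX_SIZE and len(hits) >= 1, "strings": hits}


# Constructed sample inputs (not real malware): a small PE-like blob carrying $x1, a non-PE
# script containing the same text, $x1 glued inside a longer token, and an oversized PE.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + RULE_STRINGS["$x1"] + b"\x00" * 16
SAMPLE_NOT_PE = b"#!/bin/sh\necho '" + RULE_STRINGS["$x1"] + b"'\n"
SAMPLE_GLUED = b"MZ" + b"\x00" * 62 + b"x" + RULE_STRINGS["$x1"] + b"y"
SAMPLE_TOO_BIG = b"MZ" + b"\x00" * MAX_SIZE + RULE_STRINGS["$s4"]

if __name__ == "__main__":
    for path in sys.argv[1:]:  # optional: evaluate the rule against real files on disk
        with open(path, "rb") as fh:
            print(path, evaluate_rule(fh.read()))
    for name, blob in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                       ("glued", SAMPLE_GLUED), ("too_big", SAMPLE_TOO_BIG)]:
        print(name, evaluate_rule(blob))
```

Only the first sample satisfies the rule; the other three show why a string hit alone is not a match (wrong header, alphanumeric neighbours defeat fullword, or the file exceeds 150KB).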
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running schtasks.exe or task scheduler to perform system maintenance (e.g., disk cleanup, log rotation) may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, and filter out tasks with known maintenance names (e.g., Cleanup, LogRotate).
Scenario: Admin Using PowerShell to Analyze System Logs
Description: An administrator using PowerShell to analyze system logs or perform forensic analysis may invoke command-line structures similar to those of the EquationGroup tool.
Filter/Exclusion: Filter events where ProcessName is powershell.exe and the command line includes Get-EventLog, Get-WinEvent, or Get-Log.
Scenario: Antivirus or EDR Tool Performing Full System Scan
Description: A legitimate antivirus or EDR tool (e.g., Kaspersky, CrowdStrike, Bitdefender) may execute similar processes or scripts during a full system scan, triggering the rule.
Filter/Exclusion: Filter out processes with known EDR/AV tool names (e.g., kavsvc.exe, frs.exe, bitdefender.exe) or check for known AV process names in the ProcessName field.
Scenario: System File Integrity Check Using DISM
Description: A system administrator running DISM.exe to check or repair system files may generate process behavior similar to that of the EquationGroup tool.
Filter/Exclusion: Filter events where ProcessName is dism.exe and the command line includes ScanHealth, CheckHealth, or RestoreHealth.
Scenario: Legitimate Script Execution for Patch