The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware toolkit, which may be used for data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats.
YARA Rule
rule EquationGroup_Toolset_Apr17_FullThreadDump {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "b68f3f32bfa6cf11145c9fb9bf0075a5ca3938ea218b1cc29ad62f7b9e043255"
    strings:
        $s1 = "FullThreadDump.class" fullword ascii
        $s2 = "ThreadMonitor.class" fullword ascii
        $s3 = "Deadlock$DeadlockThread.class" fullword ascii
    condition:
        ( uint16(0) == 0x4b50 and filesize < 30KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic; all three must be present as whole words in a file that starts with the ZIP/JAR magic "PK" (uint16(0) == 0x4b50) and is smaller than 30 KB.
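To make the rule's condition concrete for triage, the following added example (not from the original page or the rule author) re-implements its logic in plain Python without yara-python: the ZIP magic check, the size limit, and YARA's "fullword" semantics for the three class names. The JAR samples it scans are constructed in memory; the class-file body bytes are a placeholder, not content from the leak.

```python
import io
import string
import zipfile

# Detection logic mirrored from the YARA rule above:
#   uint16(0) == 0x4b50 and filesize < 30KB and all of them
# The class names and size limit are re-stated here so the check runs offline.
RULE_STRINGS = [b"FullThreadDump.class", b"ThreadMonitor.class", b"Deadlock$DeadlockThread.class"]
MAX_SIZE = 30 * 1024
ALNUM = set(bytes(string.ascii_letters + string.digits, "ascii"))


def has_fullword(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword ascii': at least one occurrence must be bounded by non-alphanumerics."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = start == 0 or data[start - 1] not in ALNUM
        after_ok = end == len(data) or data[end] not in ALNUM
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)
    return False


def matches_rule(data: bytes) -> bool:
    """True when the sample would trigger EquationGroup_Toolset_Apr17_FullThreadDump."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x4B50:  # "PK" ZIP/JAR magic
        return False
    if len(data) >= MAX_SIZE:  # filesize < 30KB
        return False
    return all(has_fullword(data, s) for s in RULE_STRINGS)


def build_jar(names) -> bytes:
    """Constructed sample: a stored (uncompressed) JAR whose entries carry the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # Java class-file magic as placeholder body
    return buf.getvalue()


if __name__ == "__main__":
    hit = build_jar([s.decode() for s in RULE_STRINGS])
    miss = build_jar(["FullThreadDump.class", "ThreadMonitor.class"])
    print("all three class names:", matches_rule(hit))   # True
    print("only two class names:", matches_rule(miss))   # False
    print("same names in a text file:", matches_rule(b" ".join(RULE_STRINGS)))  # False
```

Because the entry names are scanned as raw bytes, the same JAR still matches whether the class names appear only in the local file headers or also in the central directory.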
Scenario: Legitimate System Update via Windows Update
Description: A Windows Update process may trigger the same network behavior as the EquationGroup tool due to similar outbound connections.
Filter/Exclusion: Check for process.name containing wuauclt.exe or Windows Update in the process name.
Scenario: Scheduled Job Running PowerShell Script for Configuration Management
Description: A scheduled PowerShell script (e.g., from Puppet, Chef, or Ansible) may perform similar file or registry modifications as the EquationGroup tool.
Filter/Exclusion: Filter by process.name containing powershell.exe and check for known configuration management tool signatures in the command line.
Scenario: Admin Task Using Process Monitor (ProcMon) for Debugging
Description: An administrator may use Process Monitor (ProcMon) to debug application behavior, which could trigger similar file system access patterns.
Filter/Exclusion: Filter by process.name containing procmon.exe or ProcessMonitor.exe.
Scenario: Legitimate Use of Mimikatz for Credential Dumping (for Security Audits)
Description: Security teams may use Mimikatz during authorized security audits, which could trigger the same network or file activity as the EquationGroup tool.
Filter/Exclusion: Filter by process.name containing mimikatz.exe or check for known security audit tools in the command line.
Scenario: Antivirus or Endpoint Protection Software Performing Full System Scan
Description: Antivirus tools like Bitdefender, Kaspersky, or Microsoft Defender may perform full system scans that include similar file access or network activity.
Filter/Exclusion: Filter by process.name containing mpsvc.exe, mfev.exe, or avp.exe (depending on the vendor).