The hypothesis is that a hit on the EquationGroup Tool - April Leak detection indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_GangsterThief_Implant {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "50b269bda5fedcf5a62ee0514c4b14d48d53dd18ac3075dcc80b52d0c2783e06"
    strings:
        $s1 = "\\\\.\\%s:" fullword wide
        $s4 = "raw_open CreateFile error" fullword ascii
        $s5 = "-PATHDELETED-" fullword ascii
        $s6 = "(deleted)" fullword wide
        $s8 = "NULLFILENAME" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
This rule contains 5 string patterns ($s1, $s4, $s5, $s6, $s8) in its detection logic. A file matches when it begins with the MZ header (uint16(0) == 0x5a4d), is smaller than 300 KB, and contains at least 3 of the 5 strings. The scenarios below describe benign activity that may resemble this detection, each with a suggested filter or exclusion.
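To make the condition concrete, the following is an added example (not code from the page or from the rule's author) that re-implements the rule's matching logic in plain Python, including the fullword and wide (UTF-16LE) semantics, and runs it over constructed sample bytes; the build_sample helper and its fake header stub are assumptions made here for testing only.

```python
# Constructed example, not the page's or the rule author's code: re-implements
# the rule's condition in plain Python to show exactly what it matches.

# The rule's five strings. In YARA text strings "\\" is one literal backslash,
# so $s1 is the device-path prefix \\.\%s: ; 'wide' means UTF-16LE.
RULE_STRINGS = {
    "$s1": (r"\\.\%s:", "wide"),
    "$s4": ("raw_open CreateFile error", "ascii"),
    "$s5": ("-PATHDELETED-", "ascii"),
    "$s6": ("(deleted)", "wide"),
    "$s8": ("NULLFILENAME", "ascii"),
}
MAX_SIZE = 300 * 1024  # filesize < 300KB (YARA's KB is 1024 bytes)

def encode(text, modifier):
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")

def is_alnum(chunk, width):
    # 'fullword' boundary: an ASCII alphanumeric (for wide, one followed by
    # 0x00) directly before or after the match disqualifies that occurrence.
    if len(chunk) < width:
        return False
    return chunk[:1].isalnum() and (width == 1 or chunk[1] == 0)

def fullword_present(data, text, modifier):
    needle, width, start = encode(text, modifier), (2 if modifier == "wide" else 1), 0
    while (idx := data.find(needle, start)) >= 0:
        before = data[max(idx - width, 0):idx]
        after = data[idx + len(needle):idx + len(needle) + width]
        if not is_alnum(before, width) and not is_alnum(after, width):
            return True
        start = idx + 1
    return False

def rule_matches(data):
    """Return (matched, ids of the strings that hit) per the rule's condition."""
    if data[:2] != b"MZ" or len(data) >= MAX_SIZE:  # uint16(0) == 0x5a4d is "MZ"
        return False, []
    hits = [sid for sid, (t, m) in RULE_STRINGS.items() if fullword_present(data, t, m)]
    return len(hits) >= 3, hits

def build_sample(string_ids, header=b"MZ", pad=0):
    # Constructed test data (not malware): a fake header stub, the chosen rule
    # strings separated by null bytes so each is a whole word, optional padding.
    body = header + b"\x00" * 62
    for sid in string_ids:
        text, mod = RULE_STRINGS[sid]
        body += b"\x00\x00" + encode(text, mod) + b"\x00\x00"
    return body + b"\x00" * pad
```

For production scanning use the real YARA engine (for example yara-python); this script is only for reasoning about why a given file does or does not trip the rule.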
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler is performing routine system maintenance, such as disk cleanup or log rotation.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler running from the System or Local System account.

Scenario: Microsoft Equation Group Tool (Legitimate Use)
Description: A legitimate Microsoft tool or script related to Equation Group (e.g., eqg.exe or eqgtool.exe) is being executed as part of a known enterprise toolset or legacy system.
Filter/Exclusion: Exclude processes where the file path contains known Microsoft Equation Group tools and the binary is signed by Microsoft.

Scenario: Admin PowerShell Script for Patch Management
Description: A PowerShell script (powershell.exe) is being run by an admin to deploy patches or updates, which may include commands similar to those in the EquationGroup tool.
Filter/Exclusion: Exclude processes where the command line includes known patch management tools or scripts (e.g., PSConfig, WSUS, or Update.exe).

Scenario: Log File Analysis by Security Tools
Description: A security tool such as Splunk, the ELK Stack, or another SIEM platform is analyzing log files and generating events that resemble the EquationGroup tool's behavior.
Filter/Exclusion: Exclude processes related to log analysis tools or SIEM platforms, or filter events where the source is a known log analysis service.

Scenario: Third-Party Software with Similar Behavior
Description: A third-party enterprise application (e.g., Symantec, McAfee, or Kaspersky) is performing system scans or integrity checks, which may trigger similar detection logic.
Filter/Exclusion: