The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary activity leveraging stolen malware components to execute malicious operations within the network. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be using legacy malware to evade traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Gen1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "1b5b33931eb29733a42d18d8ee85b5cd7d53e81892ff3e60e2e97f3d0b184d31"
      hash2 = "139697168e4f0a2cc73105205c0ddc90c357df38d93dbade761392184df680c7"
   strings:
      $x1 = "Restart with the new protocol, address, and port as target." fullword ascii
      $x2 = "TargetPort : %s (%u)" fullword ascii
      $x3 = "Error: strchr() could not find '@' in account name." fullword ascii
      $x4 = "TargetAcctPwd : %s" fullword ascii
      $x5 = "Creating CURL connection handle..." fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName = "schtasks.exe" and CommandLine containing known maintenance commands (e.g., cleanmgr, diskcleanup).
Scenario: Microsoft Equation Group Tool (Legitimate Use)
Description: A legitimate use of the Equation Group tool (e.g., eqgutil.exe) for cryptographic operations or data processing in a secure environment.
Filter/Exclusion: Check for ProcessName = "eqgutil.exe" and verify if the process is running from a known, trusted location (e.g., C:\Program Files\Microsoft\...).
Scenario: Admin Task Using PowerShell for Script Execution
Description: An administrator running a PowerShell script to automate routine tasks, which may include similar command-line patterns to the EquationGroup tool.
Filter/Exclusion: Check for ProcessName = "powershell.exe" and verify if the script path is from a known admin directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: Antivirus or EDR Tool Scanning for Malware
Description: A security tool like Microsoft Defender or CrowdStrike running a scan that may trigger similar command-line patterns.
Filter/Exclusion: Check for ProcessName = "MsMpEng.exe" or "CsiClient.exe" and verify if the process is associated with a known security tool.
Scenario: Network Configuration or DNS Tool Usage
Description: A legitimate use of a network tool like nslookup.exe or ipconfig.exe that may generate similar command-line activity.
Filter/