The hypothesis is that a hit on this rule indicates potential adversary activity using a tool from the April 2017 Shadow Brokers "Lost in Translation" leak of Equation Group tooling, a toolset associated with a long-running, state-level advanced persistent threat. Because the leaked tools are publicly available and reused by other actors, SOC teams should proactively hunt for matches (for example by forwarding file-scan results to Azure Sentinel) to identify early-stage compromises that signature-based antivirus may miss.
YARA Rule
rule EquationGroup_Toolset_Apr17_GenKey {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "b6f100b21da4f7e3927b03b8b5f0c595703b769d5698c835972ca0c81699ff71"
    strings:
        $x1 = "* PrivateEncrypt -> PublicDecrypt FAILED" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
}
This rule contains a single string pattern in its detection logic, an error message left in the binary by the tool's author. The condition additionally requires the scanned file to begin with the MZ magic (uint16(0) == 0x5a4d, i.e. a DOS/PE executable) and to be smaller than 80 KB, and fullword means the string must not be adjacent to other alphanumeric bytes. It is therefore a file-content signature: it can be deployed anywhere file bytes are scanned (the yara command line, an EDR or antivirus engine with YARA support, or forensic triage of collected binaries), and it does not evaluate process names, command lines or behaviour.
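As an added example (not part of the original page or of Florian Roth's rule set), the following Python re-implements the rule's condition in plain code so that its three checks can be exercised on constructed inputs: the little-endian uint16(0) == 0x5a4d test, the 80 KB limit (YARA's KB suffix means 1024 bytes, and the comparison is a strict less-than), and the fullword modifier, which requires the byte before and the byte after the match to be non-alphanumeric. The sample byte strings are constructed for this example and are not real files; `find_fullword_ascii`, `rule_matches` and `scan_samples` are names chosen here. For production scanning use yara or yara-python with the rule exactly as written above.

```python
import struct

# Values taken from the rule on this page.
RULE_STRING = b"* PrivateEncrypt -> PublicDecrypt FAILED"
MAX_FILESIZE = 80 * 1024   # filesize < 80KB; YARA's KB suffix means 1024 bytes
MZ_MAGIC = 0x5A4D          # uint16(0) == 0x5a4d, the little-endian read of b"MZ"


def _is_alnum(byte):
    """ASCII [0-9A-Za-z], the class YARA's fullword modifier treats as word bytes."""
    return (0x30 <= byte <= 0x39) or (0x41 <= byte <= 0x5A) or (0x61 <= byte <= 0x7A)


def find_fullword_ascii(data, needle):
    """Offsets of `needle` in `data` that satisfy 'fullword ascii': the byte before
    and the byte after the match must be non-alphanumeric (start and end of the
    data also count as boundaries)."""
    hits = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return hits
        end = idx + len(needle)
        before_ok = idx == 0 or not _is_alnum(data[idx - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            hits.append(idx)
        start = idx + 1


def rule_matches(data):
    """Evaluate: uint16(0) == 0x5a4d and filesize < 80KB and all of them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False                     # not a DOS/PE header
    if len(data) >= MAX_FILESIZE:
        return False                     # size condition is a strict '<'
    return len(find_fullword_ascii(data, RULE_STRING)) > 0


def _fake_pe(body, pad_to=0):
    """Constructed input: MZ magic, a blank DOS-header area, then `body`,
    optionally NUL-padded to `pad_to` bytes. Not a valid PE, only enough
    for the rule's uint16(0) check."""
    blob = b"MZ" + b"\x00" * 62 + body
    return blob + b"\x00" * max(0, pad_to - len(blob))


# Constructed samples (hypothetical, not real files).
SAMPLES = {
    # string embedded as a NUL-terminated C literal: should match
    "pe_with_string": _fake_pe(b"\x00" + RULE_STRING + b"\x00"),
    # same string followed by an alphanumeric byte: fullword fails
    "pe_not_fullword": _fake_pe(b"\x00" + RULE_STRING + b"2\x00"),
    # string present, but the file is an ELF rather than a PE
    "elf_with_string": b"\x7fELF" + b"\x00" * 60 + RULE_STRING + b"\x00",
    # PE with the string, padded to exactly 80 KB: size check fails
    "pe_too_large": _fake_pe(b"\x00" + RULE_STRING + b"\x00", pad_to=MAX_FILESIZE),
}


def scan_samples():
    """Return {sample_name: matched} for every constructed sample."""
    return {name: rule_matches(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16} -> {'MATCH' if verdict else 'no match'}")
```

Only the first sample matches. The `pe_not_fullword` case is the one to note when tuning: a packer or a string table that places alphanumeric bytes directly after the message will silently defeat the rule, while the size limit means a repacked or bloated variant of the same tool also falls outside it.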
Note on the scenarios below: because the rule matches on file bytes rather than on process behaviour, every hit points at one specific file. Triage from that file first (full path, SHA-256, Authenticode signer); the process that wrote or loaded it is only a secondary pivot. Key any exclusion on the file hash or on a signed, known-good path, not on ProcessName alone, since a leaked tool can be launched under any process name. A file whose SHA-256 equals the rule's hash1 is the leaked sample itself and is never a false positive.
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings, touches many small executables, and a scan of those files may flag one of them.
Filter/Exclusion: Check for ProcessName = schtasks.exe and a CommandLine containing known maintenance commands (e.g., cleanmgr, diskcleanup), then confirm that the flagged file is a signed Microsoft binary before excluding it by hash or signed path.
Scenario: Windows Update Installer
Description: The Windows Update client (wuauclt.exe) stages and executes installer files during an update, and a scan of the staged files may produce a match.
Filter/Exclusion: Filter by ProcessName = wuauclt.exe with known update-related command-line arguments (e.g., /detectnow, /updatenow), and verify that the flagged file carries a valid Microsoft signature rather than excluding on the process name alone.
Scenario: Antivirus Scan Using Malwarebytes
Description: Malwarebytes or a similar antivirus product may unpack or quarantine samples during a deep system scan, so the rule can fire on quarantined content rather than on an active infection.
Filter/Exclusion: Check for ProcessName = mbam.exe or ProcessName = malwarebytes.exe and confirm that the flagged path is the product's quarantine directory; a match inside quarantine still shows the file was present on the host and should be traced back to its origin rather than dismissed.
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent backup job reads and writes large data files; the rule's filesize < 80KB condition excludes the backups themselves, so a match here would be on a small executable in the job's working directory, not on the backup data.
Filter/Exclusion: Filter by ProcessName = sqlservr.exe or ProcessName = sqlagent.exe with known backup-related parameters (e.g., -Backup), then validate the flagged file's signer and hash before excluding it.
Scenario: PowerShell Script for System Monitoring
Description: A legitimate PowerShell script running under a system administrator account may drop or invoke small helper executables, and a scan of those files may produce a match.
Filter/Exclusion: Filter by ProcessName = powershell.exe and check for known admin scripts or paths (e.g., `C:\Windows\System32\WindowsPowerShell