The hunt hypothesis covers potential adversary use of the EquationGroup GetAdmin/LSADUMP/ModifyPrivilege implant from the April 2017 Shadow Brokers leak ("Lost in Translation"), whose presence may indicate advanced persistent threat activity. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries reusing this known tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c8b354793ad5a16744cf1d4efdc5fe48d5a0cf0657974eb7145e0088fcf609ff"
      hash2 = "5f06ec411f127f23add9f897dc165eaa68cbe8bb99da8f00a4a360f108bb8741"
   strings:
      $s1 = "\\system32\\win32k.sys" fullword wide
      $s2 = "hKeAddSystemServiceTable" fullword ascii
      $s3 = "hPsDereferencePrimaryToken" fullword ascii
      $s4 = "CcnFormSyncExFBC" fullword wide
      $s5 = "hPsDereferencePrimaryToken" fullword ascii
      $op1 = { 0c 2b ca 8a 04 11 3a 02 75 01 47 42 4e 75 f4 8b }
      $op2 = { 14 83 c1 05 80 39 85 75 0c 80 79 01 c0 75 06 80 }
      $op3 = { eb 3d 83 c0 06 33 f6 80 38 ff 75 2c 80 78 01 15 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and ( 4 of ($s*) or all of ($op*) ) )
}
This rule contains 8 string patterns in its detection logic: five text strings ($s1 to $s5, two of them wide/UTF-16LE) and three hex opcode sequences ($op1 to $op3). It fires only on a file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 80KB, and either contains at least 4 of the text strings or all three opcode sequences. Note that $s5 repeats the content of $s3, so "4 of ($s*)" is satisfied by three distinct text strings. The rule matches file content (a small PE referencing win32k.sys and the kernel routines KeAddSystemServiceTable and PsDereferencePrimaryToken), not process behaviour, so the process-name filters in the scenarios below have to be mapped onto the fields the scanning engine actually reports before they can be used as exclusions.
The scenarios below describe legitimate activity that could be confused with this tool, with a suggested filter or exclusion for each.
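The following is an added example, not part of the original page or of the rule author's signature set: a small Python re-implementation of this rule's condition that mimics YARA's uint16(0), filesize, fullword ascii/wide and hex-pattern semantics, and runs it over constructed byte buffers (no real samples) to show which clause each buffer satisfies, including the effect of the duplicated $s5. The function names (evaluate, build_sample, fullword_match) are assumptions of the example; it is a teaching aid for reading the rule, not a replacement for scanning with YARA itself.

```python
"""Re-implementation of the page's YARA rule condition on constructed buffers
(added example; not the rule author's code and not a YARA engine)."""
import struct

# Text strings copied from the rule: (bytes as stored on disk, character width).
# 'wide' strings are stored as UTF-16LE, so each character occupies two bytes.
STRINGS = {
    "$s1": ("\\system32\\win32k.sys".encode("utf-16-le"), 2),
    "$s2": (b"hKeAddSystemServiceTable", 1),
    "$s3": (b"hPsDereferencePrimaryToken", 1),
    "$s4": ("CcnFormSyncExFBC".encode("utf-16-le"), 2),
    "$s5": (b"hPsDereferencePrimaryToken", 1),  # same content as $s3, counted separately
}

# Hex byte patterns copied from the rule (no wildcards, so a substring search suffices).
OPS = {
    "$op1": bytes.fromhex("0c2bca8a04113a02750147424e75f48b"),
    "$op2": bytes.fromhex("1483c105803985750c807901c0750680"),
    "$op3": bytes.fromhex("eb3d83c00633f68038ff752c80780115"),
}

MAX_SIZE = 80 * 1024  # YARA's "80KB" means 80 * 1024 bytes


def _is_alnum_char(chunk: bytes, width: int) -> bool:
    """True if chunk is one alphanumeric character of the given width (ascii or UTF-16LE)."""
    if len(chunk) != width:
        return False
    if width == 2 and chunk[1] != 0:
        return False
    return chunk[:1].isalnum()  # bytes.isalnum() is ASCII-only, like YARA's fullword check


def fullword_match(data: bytes, needle: bytes, width: int) -> bool:
    """Emulate YARA 'fullword': an occurrence must not be adjacent to an alphanumeric char."""
    start = 0
    while (i := data.find(needle, start)) >= 0:
        before = data[max(0, i - width):i]
        after = data[i + len(needle):i + len(needle) + width]
        if not _is_alnum_char(before, width) and not _is_alnum_char(after, width):
            return True
        start = i + 1
    return False


def evaluate(data: bytes) -> dict:
    """Apply the rule's condition to a buffer and report which identifiers fired."""
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    s_hits = [n for n, (needle, w) in STRINGS.items() if fullword_match(data, needle, w)]
    op_hits = [n for n, pat in OPS.items() if pat in data]
    matched = is_mz and size_ok and (len(s_hits) >= 4 or len(op_hits) == len(OPS))
    return {"match": matched, "mz": is_mz, "size_ok": size_ok, "strings": s_hits, "ops": op_hits}


def build_sample(strings=(), ops=(), mz=True, pad=0, glue=b"\x00") -> bytes:
    """Constructed test buffer: optional MZ header, 62 filler bytes, then each string
    wrapped in 'glue' bytes (NUL keeps it fullword, a letter breaks fullword)."""
    buf = bytearray(b"MZ" if mz else b"\x00\x00") + b"\x00" * 62
    for needle, _width in strings:
        buf += glue + needle + glue
    for pat in ops:
        buf += pat
    buf += b"\x00" * pad
    return bytes(buf)


# Constructed samples (not real malware); each exercises one clause of the condition.
SAMPLES = {
    "four_text_strings": build_sample([STRINGS[k] for k in ("$s1", "$s2", "$s3", "$s4")]),
    "three_distinct_strings": build_sample([STRINGS[k] for k in ("$s2", "$s3", "$s4")]),
    "opcodes_only": build_sample(ops=OPS.values()),
    "not_a_pe": build_sample([STRINGS[k] for k in ("$s1", "$s2", "$s3", "$s4")], mz=False),
    "too_large": build_sample([STRINGS[k] for k in ("$s1", "$s2", "$s3", "$s4")], pad=90 * 1024),
    "fullword_ok": build_sample([STRINGS[k] for k in ("$s2", "$s3")]),
    "not_fullword": build_sample([STRINGS[k] for k in ("$s2", "$s3")], glue=b"x"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24s} -> {evaluate(data)}")
```

The three_distinct_strings buffer matches because $s3 and $s5 both fire on one occurrence of "hPsDereferencePrimaryToken", which is worth knowing when tuning the rule locally; the not_fullword buffer shows that the same strings glued to a letter do not count, which is why a rule hit on a packed or obfuscated file usually needs the opcode branch instead.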
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses certutil or powershell to query certificate stores, which may resemble the EquationGroup tool’s behavior.
Filter/Exclusion: process.name == "schtasks.exe" or process.name == "taskeng.exe" (the Task Scheduler engine; on newer Windows versions scheduled tasks are started by the Schedule service inside svchost.exe, so match on the launching service rather than a "task scheduler" display name)
Scenario: Windows Update or Patching Process
Description: Windows Update may execute scripts or use tools like wuauclt.exe or dism.exe that could trigger the rule due to similar command-line arguments or file access patterns.
Filter/Exclusion: process.name == "wuauclt.exe" or process.name == "dism.exe"
Scenario: Admin Performing Certificate Management
Description: An administrator may use certutil to manage certificates, which is a common legitimate activity but could match the detection logic for EquationGroup.
Filter/Exclusion: process.name == "certutil.exe" and user.name == "Administrator"
Scenario: PowerShell Script for System Inventory
Description: A PowerShell script run by a system admin to gather system information may use certutil or Get-ChildItem in a way that triggers the rule.
Filter/Exclusion: process.name == "powershell.exe" and command_line contains "Get-ChildItem"
Scenario: Antivirus or Endpoint Protection Scan
Description: Some endpoint protection tools may use certutil or similar commands during a scan, which could be mistaken for EquationGroup activity.
Filter/Exclusion: process.name == "mpcmdrun.exe" or process.name == "MsMpEng.exe" (the Microsoft Defender scan engine; "microsoft defender" is a product name, not a process name, and would never match)