This detection flags files matching an EquationGroup tool from the April 2017 leak (the GrDo FileScanner implant named in the rule), which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behaviour in Azure Sentinel to catch early signs of sophisticated malware execution and potential lateral movement within the network.
YARA Rule
rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "8d2e43567e1360714c4271b75c21a940f6b26a789aa0fce30c6478ae4ac587e4"
   strings:
      $s1 = "system32\\winsrv.dll" fullword wide
      $s2 = "raw_open CreateFile error" fullword ascii
      $s3 = "\\dllcache\\" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic uses three string patterns ($s1 to $s3) and fires only when all of them are present in a file that starts with an MZ header and is smaller than 400 KB.
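To make the rule's condition concrete, here is an added example (not code from the page or from the rule's author): a dependency-free Python re-implementation of the three checks, including YARA's `fullword` and `wide` semantics, run over constructed sample buffers. The buffers are built inline for illustration and are not the real implant; the helper names are this example's own.

```python
import struct

# String patterns copied from the rule above, with their YARA encoding modifier.
RULE_STRINGS = {
    "$s1": ("system32\\winsrv.dll", "wide"),
    "$s2": ("raw_open CreateFile error", "ascii"),
    "$s3": ("\\dllcache\\", "wide"),
}
MAX_FILESIZE = 400 * 1024  # YARA's "400KB" is 400 * 1024 bytes


def _encode(pattern, mode):
    # YARA "wide" means UTF-16LE: each ASCII character followed by a 0x00 byte.
    return pattern.encode("utf-16-le") if mode == "wide" else pattern.encode("ascii")


def _is_alnum(byte):
    # Mirrors C isalnum() in the "C" locale: only ASCII letters and digits count.
    return bytes([byte]).isalnum()


def fullword_matches(data, pattern, mode):
    """Offsets where `pattern` occurs as a full word, mimicking YARA's `fullword`
    modifier: the hit may not be preceded or followed by an alphanumeric character
    (for wide strings, an alphanumeric UTF-16LE character)."""
    needle = _encode(pattern, mode)
    hits = []
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        if mode == "wide":
            before_bad = pos >= 2 and data[pos - 1] == 0 and _is_alnum(data[pos - 2])
            after_bad = end + 1 < len(data) and data[end + 1] == 0 and _is_alnum(data[end])
        else:
            before_bad = pos >= 1 and _is_alnum(data[pos - 1])
            after_bad = end < len(data) and _is_alnum(data[end])
        if not (before_bad or after_bad):
            hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def evaluate_rule(data):
    """Evaluate the rule's condition and return each sub-result plus the verdict."""
    results = {
        name: bool(fullword_matches(data, pattern, mode))
        for name, (pattern, mode) in RULE_STRINGS.items()
    }
    # uint16(0) == 0x5a4d: little-endian 16-bit read at offset 0, i.e. the bytes "MZ"
    results["uint16(0) == 0x5a4d"] = (
        len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    )
    results["filesize < 400KB"] = len(data) < MAX_FILESIZE
    results["match"] = (
        results["uint16(0) == 0x5a4d"]
        and results["filesize < 400KB"]
        and all(results[name] for name in RULE_STRINGS)
    )
    return results


def build_sample(s1_suffix=""):
    """Constructed stand-in buffer (NOT the real implant): an MZ header followed by
    the three strings in the rule's encodings, separated by NUL padding."""
    return b"".join([
        b"MZ" + b"\x00" * 62,
        ("system32\\winsrv.dll" + s1_suffix).encode("utf-16-le"), b"\x00\x00",
        b"raw_open CreateFile error", b"\x00\x00",
        "\\dllcache\\".encode("utf-16-le"), b"\x00\x00",
    ])


HIT_SAMPLE = build_sample()
# Appending a letter makes $s1 part of a longer word, so `fullword` rejects it.
NEAR_MISS_SAMPLE = build_sample("x")
# Same strings but no MZ header, so the uint16(0) check fails.
NOT_PE_SAMPLE = b"PK" + HIT_SAMPLE[2:]

if __name__ == "__main__":
    for label, sample in [("hit", HIT_SAMPLE), ("near miss", NEAR_MISS_SAMPLE), ("not PE", NOT_PE_SAMPLE)]:
        print(label, evaluate_rule(sample))
```

The near-miss case is the one worth remembering when tuning: `fullword` means a hit on `system32\winsrv.dll` embedded in a longer token does not count, so a sample that merely contains the substring will not trigger the rule, and the per-string results tell you which of the three conditions failed.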
Tuning exclusions for common benign administrative activity (each filter keeps an event unless both the process name and an argument pattern match the scenario):
Scenario: Scheduled system maintenance or patching using PowerShell scripts
Filter/Exclusion: process.name != "powershell.exe" or not (process.args contains "patch" or process.args contains "update")
Scenario: Legitimate use of Windows Task Scheduler to run routine administrative tasks
Filter/Exclusion: process.name != "schtasks.exe" or process.args not contains "/create"
Scenario: Use of PsExec for remote administration or deploying software updates
Filter/Exclusion: process.name != "psexec.exe" or not (process.args contains " -s" or process.args contains " -u")
Scenario: Execution of Windows Management Instrumentation (WMI) queries for system monitoring
Filter/Exclusion: process.name != "wmic.exe" or not (process.args contains "query" or process.args contains "select")
Scenario: Running Microsoft System Center Configuration Manager (SCCM) tasks for software deployment
Filter/Exclusion: process.name != "ccmexec.exe" or not (process.args contains "SoftwareDeployment" or process.args contains "Deployment")
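The following is an added example (not from the page) that applies the exclusion filters above to constructed process events, so the effect of the `or` / `not contains` grouping can be checked before the filters are put into a query. The event field names mirror the filters; case-insensitive matching is this example's own assumption, since the page does not state it.

```python
# Each entry: (process name, argument tokens that mark the benign scenario).
# Values are taken from the scenario list above; matching is case-insensitive
# here as an assumption, since the page does not specify.
EXCLUSIONS = [
    ("powershell.exe", ["patch", "update"]),
    ("schtasks.exe", ["/create"]),
    ("psexec.exe", [" -s", " -u"]),
    ("wmic.exe", ["query", "select"]),
    ("ccmexec.exe", ["SoftwareDeployment", "Deployment"]),
]


def passes_filter(event, proc, tokens):
    """One filter: process.name != proc OR NOT (args contains any token).
    True means the event is kept (still alerts); False means it is excluded."""
    name = event.get("process.name", "").lower()
    args = event.get("process.args", "").lower()
    return name != proc or not any(tok.lower() in args for tok in tokens)


def keep_event(event):
    """An event survives only if it passes every exclusion filter."""
    return all(passes_filter(event, proc, tokens) for proc, tokens in EXCLUSIONS)


def triage(events):
    """Split events into those still worth alerting on and those excluded."""
    kept = [e for e in events if keep_event(e)]
    excluded = [e for e in events if not keep_event(e)]
    return kept, excluded


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.name": "powershell.exe", "process.args": "-File C:\\scripts\\monthly-patch.ps1"},
    {"process.name": "powershell.exe", "process.args": "-File C:\\scripts\\inventory.ps1"},
    {"process.name": "schtasks.exe", "process.args": "/create /tn Backup /tr backup.exe"},
    {"process.name": "schtasks.exe", "process.args": "/query /tn Backup"},
    {"process.name": "psexec.exe", "process.args": "\\\\srv01 -s cmd.exe"},
    {"process.name": "wmic.exe", "process.args": "os get caption"},
    {"process.name": "ccmexec.exe", "process.args": "/SoftwareDeployment"},
]

if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_EVENTS)
    print(len(kept), "kept;", len(excluded), "excluded")
```

Note that each filter only suppresses the exact process-plus-argument combination of its scenario: a PowerShell run without "patch" or "update" in its arguments, or a `schtasks.exe /query`, still reaches the analyst.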