The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware toolkit, which may be used for data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats that may have already infiltrated the network.
YARA Rule
rule EquationGroup_Toolset_Apr17_greatdoc_dll_config {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "fd9d0abfa727784dd07562656967d220286fc0d63bcf7e2c35d4c02bc2e5fc2e"
    strings:
        $x1 = "C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTOR" ascii
        $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii
        $x3 = "GREATERDOCTOR [ commandline args configuration ]" fullword ascii
        $x4 = "-useage: <scanner> \"<cmdline args>\"" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
This rule contains four string patterns ($x1 to $x4) in its detection logic: a file matches when it starts with an MZ header, is smaller than 200KB, and contains at least one of the four strings. When deploying the rule, the following scenarios describe legitimate activity that should be filtered or excluded:
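To make the rule's condition concrete, the following Python script is an added example (not part of the original page and not the signature-base project's own code) that re-implements the matching logic over in-memory file images: the little-endian check behind uint16(0) == 0x5a4d, the 200KB size cap (YARA's KB suffix means 1024 bytes), the fullword modifier (no alphanumeric byte immediately before or after the match), and the "1 of them" condition. The sample files are constructed inside the script; a real deployment would run yara-python or the yara CLI against actual files rather than this re-implementation.

```python
import re
import struct

# String patterns from the rule EquationGroup_Toolset_Apr17_greatdoc_dll_config
# (the values are the rule's own; only the matching code is an added example).
# Each entry is (pattern bytes, fullword flag).
RULE_STRINGS = {
    "x1": (b"C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTOR", False),
    "x2": (b"src\\build\\Release\\dllConfig\\dllConfig.pdb", False),
    "x3": (b"GREATERDOCTOR [ commandline args configuration ]", True),
    "x4": (b'-useage: <scanner> "<cmdline args>"', True),
}
MAX_FILESIZE = 200 * 1024  # YARA's "200KB" is 200 * 1024 bytes


def find_string(data, pattern, fullword):
    """Return offsets where `pattern` occurs in `data`, honouring YARA's
    fullword modifier: no alphanumeric byte directly before or after the match."""
    rx = re.escape(pattern)
    if fullword:
        rx = rb"(?<![A-Za-z0-9])" + rx + rb"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(rx, data)]


def evaluate_rule(data):
    """Evaluate the rule's condition over a file image.

    Returns (matched, list_of_string_ids_found). The string hits are reported
    even when the header or size check fails, so an analyst can see why a
    file that contains a pattern still did not match."""
    hits = [sid for sid, (pat, fw) in RULE_STRINGS.items() if find_string(data, pat, fw)]
    # uint16(0) == 0x5a4d: little-endian 16-bit read of the first two bytes ("MZ")
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    small = len(data) < MAX_FILESIZE          # filesize < 200KB
    return (is_mz and small and len(hits) >= 1), hits   # "1 of them"


def build_sample(body, mz=True, pad_to=0):
    """Construct a toy file image: a 64-byte header area followed by `body`."""
    header = b"MZ" if mz else b"\x7fELF"
    data = header + b"\x00" * (64 - len(header)) + body
    return data + b"\x00" * max(0, pad_to - len(data))


# Constructed sample files (not real malware); each exercises one clause of the condition.
SAMPLES = {
    # MZ header plus the $x2 PDB path: should match
    "pdb_path_in_mz": build_sample(b"\x00src\\build\\Release\\dllConfig\\dllConfig.pdb\x00"),
    # same path in a non-MZ file: header check fails
    "pdb_path_in_elf": build_sample(b"src\\build\\Release\\dllConfig\\dllConfig.pdb", mz=False),
    # $x4 glued to alphanumerics on both sides: fullword rejects it
    "fullword_miss": build_sample(b'XX-useage: <scanner> "<cmdline args>"YY'),
    # $x3 delimited by spaces: fullword accepts it
    "fullword_hit": build_sample(b" GREATERDOCTOR [ commandline args configuration ] "),
    # $x1 present, but the image is padded past 200KB: size check fails
    "too_big": build_sample(b"C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTOR",
                            pad_to=MAX_FILESIZE + 1),
}


def scan(samples):
    """Run the rule over a dict of name -> bytes; return name -> (matched, hits)."""
    return {name: evaluate_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (matched, hits) in scan(SAMPLES).items():
        print(f"{name:16s} matched={str(matched):5s} strings={hits}")
```

The `fullword_miss` and `too_big` cases are the ones worth noting during triage: a file can contain one of the leaked tool's strings and still not fire the rule, because fullword and the size cap are part of the condition, so a raw string search (e.g. `strings | grep`) will produce hits that the rule itself does not.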
Scenario: Scheduled System Maintenance Task
    Description: A legitimate scheduled task running schtasks.exe or Task Scheduler to perform system maintenance (e.g., disk cleanup, log rotation).
    Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, and filter out tasks with known maintenance names (e.g., DiskCleanup, LogClean).

Scenario: Windows Update or Patching Job
    Description: A Windows Update or patching job using wusa.exe or msiexec.exe to install updates.
    Filter/Exclusion: Filter out processes with wusa.exe or msiexec.exe and check for update-related command-line arguments (e.g., /quiet, /norestart).

Scenario: Database Backup or Restore Operation
    Description: A database backup or restore process using tools like sqlbackup.exe (SQL Server) or mongodump (MongoDB).
    Filter/Exclusion: Check for known database tools in the ProcessName field and filter based on command-line arguments related to backup/restore operations.

Scenario: Antivirus or Endpoint Protection Scan
    Description: A scheduled scan by an antivirus product (e.g., avgscan.exe, mcafee_virus_scan.exe, avgnt.exe).
    Filter/Exclusion: Filter out processes associated with known antivirus vendors and check for command-line arguments indicating a scan or update operation.

Scenario: Log File Analysis or Monitoring Tool
    Description: A log analysis tool like logparser.exe or splunkforwarder.exe processing system or application logs.
    Filter/Exclusion: Filter based on ProcessName containing logparser.exe, splunkforwarder.exe, or similar tools,