The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_Ifconfig_Target {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "1ebfc0ce7139db43ddacf4a9af2cb83a407d3d1221931d359ee40588cfd0d02b"
   strings:
      $s1 = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\%hs" fullword wide
      $op1 = { 0f be 37 85 f6 0f 85 4e ff ff ff 45 85 ed 74 21 }
      $op2 = { 4c 8d 44 24 34 48 8d 57 08 41 8d 49 07 e8 a6 4b }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
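To make the rule's condition concrete, the following Python is an added example (not the rule author's code and not a substitute for running YARA) that mirrors how each sub-condition is evaluated: the little-endian `uint16(0) == 0x5a4d` check for the MZ header, the `filesize < 100KB` limit, the two raw opcode patterns, and the `fullword wide` modifier on $s1, which searches for the UTF-16LE encoding and rejects hits that abut an alphanumeric wide character. The sample buffer is constructed test data, not a real file from the leak.

```python
# Constructed illustration of the rule's logic; the byte patterns are the rule's
# own, while SAMPLE is fabricated test data, not content from a real binary.

# $s1 is "fullword wide": match the UTF-16LE encoding with no alphanumeric wide
# character immediately before or after the occurrence.
S1_WIDE = ("SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
           "\\Interfaces\\%hs").encode("utf-16-le")
OP1 = bytes.fromhex("0fbe3785f60f854effffff4585ed7421")
OP2 = bytes.fromhex("4c8d442434488d5708418d4907e8a64b")
MAX_SIZE = 100 * 1024  # filesize < 100KB


def _wide_alnum(chunk: bytes) -> bool:
    """True if the two bytes form an ASCII alphanumeric UTF-16LE character."""
    return len(chunk) == 2 and chunk[1] == 0 and bytes([chunk[0]]).isalnum()


def fullword_wide(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's fullword check for a wide string: any occurrence with
    non-alphanumeric (or absent) wide characters on both sides is a hit."""
    start = 0
    while (i := data.find(needle, start)) != -1:
        end = i + len(needle)
        if not _wide_alnum(data[max(0, i - 2):i]) and not _wide_alnum(data[end:end + 2]):
            return True
        start = i + 1
    return False


def evaluate(data: bytes) -> dict:
    """Return each sub-condition of the rule plus the overall verdict."""
    result = {
        # uint16(0) reads bytes 0-1 little-endian, so 0x5a4d is the ASCII "MZ" DOS header
        "mz_header": len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D,
        "size_ok": len(data) < MAX_SIZE,
        "$s1": fullword_wide(data, S1_WIDE),
        "$op1": OP1 in data,
        "$op2": OP2 in data,
    }
    result["match"] = all(result.values())  # header checks and "all of them"
    return result


# Constructed sample: MZ header, the wide registry path bounded by NUL wide
# characters, and the two opcode sequences separated by filler bytes.
SAMPLE = (b"MZ" + b"\x90" * 62 + b"\x00\x00" + S1_WIDE + b"\x00\x00"
          + OP1 + b"\xcc" * 16 + OP2 + b"\x00" * 512)

if __name__ == "__main__":
    for name, data in [("sample", SAMPLE), ("no_mz", b"ZM" + SAMPLE[2:]),
                       ("too_big", SAMPLE + b"\x00" * MAX_SIZE)]:
        print(name, evaluate(data))
```

Running it shows the constructed sample matching while the variants fail on exactly one sub-condition, which is the same breakdown YARA's `-s` output would give for the real rule.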
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a system maintenance script (e.g., schtasks.exe) that uses certutil to verify a certificate or update system trust stores.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or certutil used in a known maintenance script path (e.g., C:\Windows\System32\certutil.exe).
Scenario: Admin Performing Certificate Authority (CA) Operations
Description: A system administrator manually updates or verifies certificates using certutil as part of managing the enterprise Certificate Authority (CA) infrastructure.
Filter/Exclusion: Filter by ProcessUser matching known admin accounts or check for CommandLine containing CA-related operations (e.g., certutil -addstore -user TrustedPublisher).
Scenario: PowerShell Script for Certificate Management
Description: A PowerShell script (e.g., certutil.exe invoked via powershell.exe) is used to manage certificates on a server, such as importing or exporting certificates for compliance.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine that includes certificate management commands or paths to known enterprise scripts.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Microsoft Defender or McAfee performs a scan and uses certutil to verify digital signatures of scanned files.
Filter/Exclusion: Check for ProcessName containing mpcmdrun.exe (Microsoft Defender) or mfev.exe (McAfee), or filter based on ProcessUser associated with the endpoint protection service.
Scenario: Software Update or Patch Deployment
Description: A patching tool like **Microsoft System Center