The hypothesis is that a match on the EquationGroup Tool - April Leak signature indicates potential adversary use of a sophisticated, legacy malware family that may be used for long-term persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may have evaded traditional detection methods.
YARA Rule
```yara
rule EquationGroup_Toolset_Apr17_Iistouch_1_2_2 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c433507d393a8aa270576790acb3e995e22f4ded886eb9377116012e247a07c6"
   strings:
      $x1 = "[-] Are you being redirectect? Need to retarget?" fullword ascii
      $x2 = "[+] IIS Target OS: %s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 60KB and 1 of them )
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
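To make the condition concrete, the following added example (not the rule author's code, and not using the yara library) re-implements the rule's three clauses in plain Python and runs them over constructed sample buffers: the MZ magic check, the filesize bound, and a fullword ascii search for the two strings.

```python
# Plain-Python re-implementation of the matching logic of
# EquationGroup_Toolset_Apr17_Iistouch_1_2_2 (added example, not the rule author's code).
import struct

# The two $x strings from the rule. 'fullword ascii' means the match must not be
# bordered by an alphanumeric byte on either side.
RULE_STRINGS = {
    "$x1": b"[-] Are you being redirectect? Need to retarget?",
    "$x2": b"[+] IIS Target OS: %s",
}
MAX_SIZE = 60 * 1024  # 'filesize < 60KB' (YARA's KB is 1024 bytes)
MZ_MAGIC = 0x5A4D     # uint16(0) == 0x5a4d: little-endian 'MZ' DOS header


def _is_fullword(data: bytes, pos: int, length: int) -> bool:
    """YARA 'fullword': neither the byte before nor the byte after may be alphanumeric."""
    before = data[pos - 1:pos] if pos > 0 else b""
    after = data[pos + length:pos + length + 1]
    return not (before.isalnum() or after.isalnum())


def matched_strings(data: bytes) -> list:
    """Return identifiers of rule strings that occur as fullword ascii matches."""
    hits = []
    for ident, pattern in RULE_STRINGS.items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            if _is_fullword(data, pos, len(pattern)):
                hits.append(ident)
                break
            start = pos + 1
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 60KB and 1 of them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return len(matched_strings(data)) >= 1


# Constructed samples (not real malware): an MZ-headed buffer carrying $x2, the same
# string in a non-PE text file, an MZ buffer padded past 60KB, and a non-fullword hit.
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"[+] IIS Target OS: %s\x00" + b"\x00" * 100
SAMPLE_TXT = b"log: [+] IIS Target OS: %s\n"
SAMPLE_BIG = SAMPLE_PE + b"\x00" * MAX_SIZE
SAMPLE_PARTIAL = b"MZ" + b"\x00" * 62 + b"x[+] IIS Target OS: %sy"

if __name__ == "__main__":
    for name, buf in [("pe", SAMPLE_PE), ("txt", SAMPLE_TXT), ("big", SAMPLE_BIG), ("partial", SAMPLE_PARTIAL)]:
        print(f"{name:8s} match={rule_matches(buf)} strings={matched_strings(buf)}")
```

Only the small MZ-headed sample matches; the text file carries the string but fails the header check, the padded file fails the size bound, and the embedded string that is bordered by letters is not a fullword hit.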
**Scenario: Legitimate System File Access**
Description: A system process or service (e.g., svchost.exe, lsass.exe) accesses files in the same directory as the EquationGroup tool, triggering the rule due to file path similarity.
Filter/Exclusion: Exclude processes associated with known system services, or use a filter like process.parent_process_name != "svchost.exe" or process.name in ("lsass.exe", "services.exe").
**Scenario: Scheduled Job Execution**
Description: A legitimate scheduled task (e.g., a Task Scheduler job named “Disk Cleanup” or “Windows Update”) runs a script or executable that matches the EquationGroup tool’s file signature.
Filter/Exclusion: Exclude tasks with names containing “Cleanup”, “Update”, or “Backup” using a filter like process.name contains "Cleanup" or process.name contains "Update".
**Scenario: Admin Tool Usage**
Description: An administrator uses a legitimate tool like PowerShell or PsExec to run a script that mimics EquationGroup behavior (e.g., file enumeration or registry access).
Filter/Exclusion: Exclude processes launched via PowerShell with process.name == "powershell.exe" and check for process.command_line contains " -Command" or process.command_line contains "Invoke-Command".
**Scenario: Antivirus Quarantine Activity**
Description: A legitimate antivirus tool (e.g., Windows Defender, Malwarebytes) quarantines a file that matches the EquationGroup tool’s signature, causing the rule to trigger.
Filter/Exclusion: Exclude processes with process.name == "Windows Defender" or process.name == "mbam.exe" and check for process.command_line contains "quarantine" or process.command_line contains "delete".
**Scenario: Log File Parsing or