The hypothesis is that a match on this rule indicates a copy of the KisuComms tool from the EquationGroup April 2017 leak (the Shadow Brokers "Lost in Translation" dump) is present on a host, which in turn indicates adversary activity with access to that system. SOC teams should proactively hunt for this artifact, for example by scanning endpoints with the rule and ingesting the matches into Microsoft Sentinel (formerly Azure Sentinel), to identify early-stage persistent threats that may evade signature-based antivirus detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "94eea1bad534a1dc20620919de8046c9966be3dd353a50f25b719c3662f22135"
    strings:
        $s1 = "363<3S3c3l3q3v3{3" fullword ascii
        $s2 = "3!3%3)3-3135393@5" fullword ascii
        /* Recommendation - verify the opcodes on Binarly : http://www.binar.ly */
        /* Test each of them in the search field & reduce length until it generates matches */
        $op0 = { eb 03 89 46 54 47 83 ff 1a 0f 8c 40 ff ff ff 8b }
        $op1 = { 8b 46 04 85 c0 74 0f 50 e8 34 fb ff ff 83 66 04 }
        $op2 = { c6 45 fc 02 8d 8d 44 ff ff ff e8 d2 2f 00 00 eb }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) or all of ($op*) ) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 patterns in its detection logic: two ASCII strings ($s1, $s2, both with the fullword modifier) and three raw opcode sequences ($op0 to $op2). A file matches only if it starts with the MZ header (uint16(0) == 0x5a4d, read little-endian), is smaller than 200 KB, and contains either both strings or all three opcode sequences. The rule inspects file content, so it is tuned by file path and hash, not by process command lines.
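To make the condition concrete, here is a stand-alone Python model of the rule's matching logic, added as an example for this page (it is not part of the rule or of Florian Roth's signature set, and it is not a substitute for running yara). It reproduces the little-endian MZ check, the 200 KB limit, YARA's fullword semantics for $s1/$s2 and the opcode branch, and adds the hash-against-hash1 check a responder does when triaging a hit, which is also what the false-positive scenarios below should rely on. The function names are this example's own, and the sample buffers are constructed inline; they are not real files.

```python
"""Stand-alone model of EquationGroup_Toolset_Apr17_KisuComms_Target_2000.

The byte patterns and hash1 come from the rule above; everything else
(function names, sample buffers) is constructed for this example.
"""
import hashlib

# meta: hash1 from the rule, used to triage a hit.
RULE_HASH1 = "94eea1bad534a1dc20620919de8046c9966be3dd353a50f25b719c3662f22135"

# $s1, $s2: ascii strings carrying the "fullword" modifier.
S_STRINGS = [b"363<3S3c3l3q3v3{3", b"3!3%3)3-3135393@5"]

# $op0..$op2: plain hex byte sequences (no wildcards or jumps in this rule).
OPCODES = [
    bytes.fromhex("eb 03 89 46 54 47 83 ff 1a 0f 8c 40 ff ff ff 8b"),
    bytes.fromhex("8b 46 04 85 c0 74 0f 50 e8 34 fb ff ff 83 66 04"),
    bytes.fromhex("c6 45 fc 02 8d 8d 44 ff ff ff e8 d2 2f 00 00 eb"),
]

# YARA's "200KB" means 200 * 1024 bytes.
MAX_SIZE = 200 * 1024


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """YARA fullword: an occurrence counts only if the byte before and the
    byte after it are not alphanumeric (start and end of file also count)."""
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return False
        end = idx + len(pattern)
        before_ok = idx == 0 or not data[idx - 1:idx].isalnum()
        after_ok = end == len(data) or not data[end:end + 1].isalnum()
        if before_ok and after_ok:
            return True
        start = idx + 1


def strings_branch(data: bytes) -> bool:
    """all of ($s*)"""
    return all(fullword_match(data, s) for s in S_STRINGS)


def opcode_branch(data: bytes) -> bool:
    """all of ($op*)"""
    return all(op in data for op in OPCODES)


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 200KB and (all of ($s*) or all of ($op*))"""
    # uint16(0) is read little-endian, so the file must start with b"MZ".
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return strings_branch(data) or opcode_branch(data)


def triage(data: bytes) -> dict:
    """What a responder wants when the rule fires: which branch hit, and
    whether the file is the documented leaked sample (hash1) or something
    else that merely shares the byte patterns."""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "matches": rule_matches(data),
        "strings_branch": strings_branch(data),
        "opcode_branch": opcode_branch(data),
        "sha256": sha256,
        "is_documented_sample": sha256 == RULE_HASH1,
    }


def build_sample(*chunks: bytes, pad_to: int = 0) -> bytes:
    """Constructed test buffer (not a real file): MZ header, a zeroed DOS
    stub, then the chunks separated by NUL bytes, optionally padded."""
    body = b"MZ" + b"\x00" * 62 + b"\x00".join(chunks)
    return body + b"\x00" * max(0, pad_to - len(body))


# Constructed samples covering each arm of the condition.
SAMPLE_STRINGS = build_sample(*S_STRINGS)                      # strings branch hit
SAMPLE_OPCODES = build_sample(*OPCODES)                        # opcode branch hit
SAMPLE_TOO_BIG = build_sample(*OPCODES, pad_to=MAX_SIZE)       # filesize not < 200KB
SAMPLE_NOT_PE = b"PK" + SAMPLE_OPCODES[2:]                     # not an MZ file
SAMPLE_GLUED = build_sample(b"x" + S_STRINGS[0], S_STRINGS[1])  # fullword rejects $s1

if __name__ == "__main__":
    for name, buf in [("strings", SAMPLE_STRINGS), ("opcodes", SAMPLE_OPCODES),
                      ("too_big", SAMPLE_TOO_BIG), ("not_pe", SAMPLE_NOT_PE),
                      ("glued", SAMPLE_GLUED)]:
        print(name, triage(buf))
```

The glued sample shows why fullword matters: the same 17 bytes of $s1 are present, but because an alphanumeric byte precedes them YARA does not count the occurrence, so a file that only embeds the string inside a longer identifier will not trip the strings branch. The triage dictionary separates "the rule fired" from "this is the known leaked sample", which is the distinction the exclusion scenarios below turn on.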
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance job (for example schtasks.exe running a task that cleans temporary files or rebuilds caches) rewrites or moves many files, so a file scan that runs alongside it rescans those files and can re-raise an existing hit.
Filter/Exclusion: This rule matches on file content (MZ header, size below 200 KB, and the $s*/$op* patterns), not on process command lines, so excluding cleanmgr.exe, diskcleanup.exe, or schtasks /run suppresses nothing. Deduplicate repeated hits on the same file by SHA-256 instead of excluding the maintenance process; a maintenance binary that actually contains these patterns is a true positive.
Scenario: Security Team Analysis of the Leaked EquationGroup Tooling
Description: EquationGroup is the threat actor the leaked toolset is attributed to, not a Microsoft product or a component of the Microsoft Malware Protection Engine. A security team or IT admin that keeps copies of the leaked tools for threat analysis will trigger the rule on those copies.
Filter/Exclusion: Exclude the approved analysis or sandbox store by file path, and only after confirming each file's SHA-256 (the documented sample is hash1 in the rule meta). Do not exclude on a parent process of msmpeng.exe or on the word EquationGroup in a command line; neither is visible to a file-content rule.
Scenario: PowerShell Script for Log Analysis
Description: A system administrator runs a PowerShell script that parses system logs for security events; the log files it reads are text, not PE executables.
Filter/Exclusion: No exclusion is needed: a text log does not start with the MZ header, so the rule cannot match it. The only way this scenario produces a hit is if the script's input directory contains a copy of the sample, which is a true positive. Do not exclude on powershell.exe -Command or on the interpreter path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
Scenario: Antivirus Signature Update
Description: A signature database update does not itself produce files carrying these patterns, but an antivirus quarantine folder may hold a copy of a sample the engine has already detected, and a file scan whose scope reaches into it will fire the rule.
Filter/Exclusion: Exclude the antivirus quarantine directory from the scan scope rather than excluding processes named mpsvc.exe or command lines containing update or signature keywords; confirm the quarantined file's hash against hash1 before closing the alert.
Scenario: Internal Security Research Tool
Description: A red team or internal security team uses the leaked sample, or a custom tool that embeds these byte sequences, to test detection during an exercise.
Filter/Exclusion: Exclude the approved testing directories by file path and confirm hashes, rather than relying on command-line keywords such as research, test, or simulate, which a file-content rule cannot see and which an attacker can add at no cost, or where the user is a