The hypothesis is that a detection of the EquationGroup Tool - April Leak (the April 2017 release referenced in the rule below) indicates potential adversary activity that leverages compromised systems for data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be using this legacy malware to maintain long-term access.
YARA Rule
rule EquationGroup_Toolset_Apr17_lp_mstcp {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "2ab1e1d23021d887759750a0c053522e9149b7445f840936bbc7e703f8700abd"
    strings:
        $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s2 = "_PacketNDISRequestComplete@12\"" fullword ascii
        $s3 = "_LDNdis5RegDeleteKeys@4" fullword ascii
        $op1 = { 89 7e 04 75 06 66 21 46 02 eb }
        $op2 = { fc 74 1b 8b 49 04 0f b7 d3 66 83 }
        $op3 = { aa 0f b7 45 fc 8b 52 04 8d 4e }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($s*) or all of ($op*) ) )
}
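To make the condition traceable, the following Python re-implements the rule's logic step by step and runs it over constructed buffers. This is an added example, not part of the original page and not Florian Roth's code; real scanning should still use YARA itself. The helper names (`evaluate`, `find_string`, `build_sample`) and the sample buffers are assumptions of this example. It shows what `uint16(0) == 0x5a4d`, `filesize < 100KB`, `wide`, `fullword` and the two `all of` groups actually require of a file.

```python
"""Plain-Python re-implementation of EquationGroup_Toolset_Apr17_lp_mstcp's condition.

Added example (not the rule author's code). 'fullword' follows YARA's documented
semantics: the match may not be preceded or followed by an alphanumeric character
(for 'wide' strings, an alphanumeric byte followed by 0x00).
"""

# Text strings from the rule. $s1 is 'wide' (UTF-16LE); $s2 and $s3 are ascii.
TEXT_STRINGS = {
    "$s1": ("\\Registry\\User\\CurrentUser\\", "wide"),
    "$s2": ('_PacketNDISRequestComplete@12"', "ascii"),
    "$s3": ("_LDNdis5RegDeleteKeys@4", "ascii"),
}

# Hex byte sequences from the rule (none of the three uses wildcards).
HEX_PATTERNS = {
    "$op1": bytes.fromhex("89 7e 04 75 06 66 21 46 02 eb"),
    "$op2": bytes.fromhex("fc 74 1b 8b 49 04 0f b7 d3 66 83"),
    "$op3": bytes.fromhex("aa 0f b7 45 fc 8b 52 04 8d 4e"),
}

MAX_FILESIZE = 100 * 1024  # 'filesize < 100KB' in the rule
ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def _fullword_ok(data, start, end, wide):
    """Apply YARA's fullword boundary check around data[start:end]."""
    step = 2 if wide else 1
    if start >= step:
        before = data[start - step]
        if before in ALNUM and (not wide or data[start - step + 1] == 0):
            return False
    if end + step <= len(data):
        after = data[end]
        if after in ALNUM and (not wide or data[end + 1] == 0):
            return False
    return True


def find_string(data, text, encoding):
    """True if 'text' occurs in data as a fullword match in the given encoding."""
    wide = encoding == "wide"
    needle = text.encode("utf-16-le" if wide else "ascii")
    pos = data.find(needle)
    while pos != -1:
        if _fullword_ok(data, pos, pos + len(needle), wide):
            return True
        pos = data.find(needle, pos + 1)
    return False


def evaluate(data):
    """Return (matched, details) for the rule's condition on a byte buffer."""
    details = {
        "mz_header": data[:2] == b"MZ",  # uint16(0) == 0x5a4d, little-endian 'MZ'
        "filesize_ok": len(data) < MAX_FILESIZE,
    }
    for name, (text, enc) in TEXT_STRINGS.items():
        details[name] = find_string(data, text, enc)
    for name, pattern in HEX_PATTERNS.items():
        details[name] = pattern in data
    all_s = all(details[n] for n in TEXT_STRINGS)
    all_op = all(details[n] for n in HEX_PATTERNS)
    matched = bool(details["mz_header"] and details["filesize_ok"] and (all_s or all_op))
    return matched, details


def build_sample(include_strings=True, include_ops=False, mz=True, pad=0):
    """Constructed test buffer (not a real sample): a fake DOS header plus chosen patterns."""
    buf = bytearray(b"MZ" if mz else b"\x7fEL")
    buf += b"\x00" * 62  # padding standing in for the rest of the DOS header
    if include_strings:
        for text, enc in TEXT_STRINGS.values():
            buf += b"\x00" + text.encode("utf-16-le" if enc == "wide" else "ascii") + b"\x00"
    if include_ops:
        for pattern in HEX_PATTERNS.values():
            buf += b"\x90" + pattern + b"\x90"
    buf += b"\x00" * pad
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in [
        ("all text strings", build_sample()),
        ("all hex patterns only", build_sample(include_strings=False, include_ops=True)),
        ("no MZ header", build_sample(mz=False)),
        ("over 100KB", build_sample(pad=100 * 1024)),
    ]:
        matched, details = evaluate(sample)
        print(f"{label:24s} matched={matched} {details}")
```

The two `all of` groups are independent, so a file that has been stripped of its symbol-like strings can still match on the three code byte sequences, and vice versa; the `fullword` check is what keeps `$s3` from matching inside a longer identifier such as `_LDNdis5RegDeleteKeys@4X`.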
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic: three text strings ($s1 to $s3) and three hex byte sequences ($op1 to $op3). A file matches when it starts with an MZ header, is smaller than 100 KB, and contains either all three text strings or all three hex sequences.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName containing schtasks.exe and CommandLine containing /create or /run with known maintenance task names.
Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup) to remove temporary files or system cache.
Filter/Exclusion: Filter by ProcessName cleanmgr.exe and exclude processes running from system directories like C:\Windows\System32.
Scenario: Antivirus Scan Using ClamAV
Description: A scheduled antivirus scan using ClamAV, which may temporarily access system files and exhibit behavior similar to the EquationGroup tool.
Filter/Exclusion: Check for ProcessName clamscan.exe or clamav.exe and exclude processes running during known scheduled scan times.
Scenario: Windows Update Cleanup
Description: Windows Update cleanup tasks, such as wusa.exe or dism.exe, may access system files and show similar behavior.
Filter/Exclusion: Filter by ProcessName wusa.exe or dism.exe and check for command-line arguments related to update cleanup, such as /online /cleanup-image /resetbase.
Scenario: PowerShell Script for Log Rotation
Description: A legitimate PowerShell script used for log rotation or file management, which may access and manipulate system files.
Filter/Exclusion: Filter by ProcessName powershell.exe and check for command-line arguments or script paths that are known internal scripts (e.g., `C:\Windows\System32\WindowsPowerShell\v1
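The scenarios above each pair a process name with a second condition (command-line arguments, image folder, scan window or script path). The following Python encodes them as explicit allowlist entries and applies them to process-creation events, so that an exclusion never fires on the bare process name alone. This is an added example, not part of the original page or of any Sentinel content; the event field names (ProcessName, CommandLine, FolderPath, TimeGenerated), the maintenance task names, the ClamAV scan window, the internal script path and the sample events are all assumptions constructed for this example.

```python
"""Apply the page's exclusion scenarios to process-creation events.

Added example. All allowlist values below are constructed placeholders;
replace them with values from your own environment.
"""
from datetime import datetime, time

KNOWN_MAINTENANCE_TASKS = {"TempCleanup", "NightlySettingsRefresh"}  # constructed
CLAMAV_SCAN_WINDOW = (time(2, 0), time(4, 0))                         # constructed, local time
KNOWN_INTERNAL_SCRIPTS = {r"c:\scripts\rotate-logs.ps1"}              # constructed placeholder
SYSTEM_DIRS = (r"c:\windows\system32",)                               # from the scenarios above
UPDATE_CLEANUP_ARGS = ("/online", "/cleanup-image", "/resetbase")     # from the scenarios above


def _in_window(ts, window):
    start, end = window
    return start <= ts.time() < end


def benign_reason(event):
    """Return the scenario name that explains the event as benign, or None."""
    name = event["ProcessName"].lower()
    cmd = event.get("CommandLine", "").lower()
    folder = event.get("FolderPath", "").lower()
    ts = event["TimeGenerated"]

    if name == "schtasks.exe" and ("/create" in cmd or "/run" in cmd):
        # Only a known maintenance task name makes this benign.
        if any(task.lower() in cmd for task in KNOWN_MAINTENANCE_TASKS):
            return "Scheduled System Maintenance Task"

    if name == "cleanmgr.exe" and folder.startswith(SYSTEM_DIRS):
        return "Admin Performing Disk Cleanup"

    if name in ("clamscan.exe", "clamav.exe") and _in_window(ts, CLAMAV_SCAN_WINDOW):
        return "Antivirus Scan Using ClamAV"

    if name in ("wusa.exe", "dism.exe") and all(arg in cmd for arg in UPDATE_CLEANUP_ARGS):
        return "Windows Update Cleanup"

    if name == "powershell.exe":
        # Match on the known script path, never on powershell.exe by itself.
        if any(script in cmd for script in KNOWN_INTERNAL_SCRIPTS):
            return "PowerShell Script for Log Rotation"

    return None


def triage(events):
    """Split events into a list of (event, reason) to suppress and a list to review."""
    suppressed, review = [], []
    for ev in events:
        reason = benign_reason(ev)
        if reason:
            suppressed.append((ev, reason))
        else:
            review.append(ev)
    return suppressed, review


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"ProcessName": "schtasks.exe", "CommandLine": 'schtasks.exe /run /tn "TempCleanup"',
     "FolderPath": r"C:\Windows\System32", "TimeGenerated": datetime(2024, 1, 1, 3, 0)},
    {"ProcessName": "schtasks.exe", "CommandLine": 'schtasks.exe /create /tn "Updater" /tr C:\\Users\\Public\\u.exe',
     "FolderPath": r"C:\Windows\System32", "TimeGenerated": datetime(2024, 1, 1, 3, 5)},
    {"ProcessName": "dism.exe", "CommandLine": "dism.exe /online /cleanup-image /resetbase",
     "FolderPath": r"C:\Windows\System32", "TimeGenerated": datetime(2024, 1, 1, 3, 10)},
    {"ProcessName": "clamscan.exe", "CommandLine": "clamscan.exe -r C:\\",
     "FolderPath": r"C:\Program Files\ClamAV", "TimeGenerated": datetime(2024, 1, 1, 14, 0)},
    {"ProcessName": "powershell.exe", "CommandLine": r"powershell.exe -File C:\Users\Public\unknown.ps1",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0", "TimeGenerated": datetime(2024, 1, 1, 15, 0)},
    {"ProcessName": "cleanmgr.exe", "CommandLine": "cleanmgr.exe /sagerun:1",
     "FolderPath": r"C:\Windows\System32", "TimeGenerated": datetime(2024, 1, 1, 16, 0)},
]


if __name__ == "__main__":
    suppressed, review = triage(SAMPLE_EVENTS)
    for ev, reason in suppressed:
        print(f"SUPPRESS  {ev['ProcessName']:16s} {reason}")
    for ev in review:
        print(f"REVIEW    {ev['ProcessName']:16s} {ev['CommandLine']}")
```

Of the six constructed events, the schtasks run of a known task, the DISM cleanup and the System32 cleanmgr are suppressed with their scenario name; the schtasks creation of an unknown task, the ClamAV scan outside its window and the PowerShell run of an unknown script are left for review.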