The hypothesis is that a hit on the EquationGroup Tool - April Leak detection indicates potential adversary activity leveraging historical malware artifacts, which may be used for initial compromise or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule

rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "087db4f2dbf8e0679de421fec8fb2e6dd50625112eb232e4acc1408cc0bcd2d7"
    strings:
        $op1 = { 44 24 37 50 c6 44 24 38 72 c6 44 }
        $op2 = { 44 24 33 6f c6 44 24 34 77 c6 }
        $op3 = { 3b 65 c6 44 24 3c 73 c6 44 24 3d 73 c6 44 24 3e }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
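To make the condition concrete, the following added example (not part of the original rule or of the signature-base project) evaluates each clause of this rule by hand in pure Python, without the yara module: the little-endian MZ magic check, the 300KB size bound, and the three byte patterns. The buffers it scans are constructed for the test and are not real binaries; the evaluate_rule, rule_matches and build_sample names are the example's own.

```python
import sys
from pathlib import Path

# The three hex strings, copied verbatim from the rule on this page.
RULE_STRINGS = {
    "$op1": "44 24 37 50 c6 44 24 38 72 c6 44",
    "$op2": "44 24 33 6f c6 44 24 34 77 c6",
    "$op3": "3b 65 c6 44 24 3c 73 c6 44 24 3d 73 c6 44 24 3e",
}
MAX_FILESIZE = 300 * 1024  # rule: filesize < 300KB (YARA's KB is 1024 bytes)

def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Turn a YARA hex string into raw bytes (this rule uses no wildcards or jumps)."""
    return bytes(int(tok, 16) for tok in pattern.split())

def evaluate_rule(data: bytes) -> dict:
    """Evaluate each clause of the condition separately, so a non-match is explainable:
    uint16(0) == 0x5a4d and filesize < 300KB and all of them."""
    checks = {
        # uint16(0) is little-endian, so the bytes 4d 5a ('MZ') compare equal to 0x5a4d
        "uint16(0) == 0x5a4d": len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D,
        "filesize < 300KB": len(data) < MAX_FILESIZE,
    }
    for name, pat in RULE_STRINGS.items():
        checks[name] = hex_pattern_to_bytes(pat) in data
    return checks

def rule_matches(data: bytes) -> bool:
    return all(evaluate_rule(data).values())

def build_sample(with_patterns: bool, size: int = 4096) -> bytes:
    """Constructed buffer for testing only (not a real binary): an MZ header, the three
    patterns if requested, and zero padding up to the requested size."""
    body = bytearray(b"MZ" + b"\x00" * 62)
    if with_patterns:
        for pat in RULE_STRINGS.values():
            body += hex_pattern_to_bytes(pat) + b"\x90" * 16
    body += b"\x00" * max(0, size - len(body))
    return bytes(body)

if __name__ == "__main__":
    blobs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [  # argv paths, else constructed samples
        ("constructed: patterns present", build_sample(True)),
        ("constructed: patterns absent", build_sample(False)),
        ("constructed: patterns present, 400KB", build_sample(True, 400 * 1024)),
    ]
    for label, blob in blobs:
        checks = evaluate_rule(blob)
        print(f"{label}: match={all(checks.values())} {checks}")
```

The per-clause output is what a triage analyst wants when a production YARA hit needs explaining: it shows which of the size, magic and string clauses held, so a near-miss (for instance a file that carries the patterns but exceeds the rule's own 300KB bound) is visible rather than silently absent.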
Scenario: Legitimate System Update via Windows Server Update Services (WSUS)
Description: A Windows server receives a legitimate system update via WSUS, which may include files or registry changes that resemble the EquationGroup tool.
Filter/Exclusion: Check the EventID for Windows Update events (e.g., EventID=6006 for event log updates) and filter by ProcessName containing wusa.exe or svchost.exe with known WSUS-related hashes.
Scenario: Scheduled Job Running Microsoft Baseline Security Analyzer (MSBAS)
Description: A scheduled job runs MSBAS to scan for security updates, which may generate network or file activity similar to that of the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing msbas.exe or msiexec.exe, and check the CommandLine for MSBAS-specific arguments like /scan.
Scenario: Admin Performing File System Integrity Check with DISM
Description: An administrator uses DISM to repair system image files, which may involve file system operations that could be mistaken for EquationGroup activity.
Filter/Exclusion: Filter by ProcessName containing dism.exe and check the CommandLine for /online /checkhealth or /online /scanhealth.
Scenario: Legitimate Use of PowerShell for System Maintenance
Description: A system administrator uses PowerShell scripts for routine maintenance tasks, which may include registry or file modifications that match the EquationGroup detection logic.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check the CommandLine for known admin scripts or use of Get-ChildItem/Get-Service with specific paths.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus