The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-standing threats that may have evaded traditional detection methods.
YARA Rule
```yara
rule EquationGroup_Toolset_Apr17_Mofconfig_1_0_0 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "c67a24fe2380331a101d27d6e69b82d968ccbae54a89a2629b6c135436d7bdb2"
    strings:
        $x1 = "[-] Get RemoteMOFTriggerPath error" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
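The condition line packs three checks into one expression. The following added example (not code from the page or from the rule's author) emulates those checks in plain Python on constructed data, so the MZ magic test, the 50KB size bound and the `fullword ascii` boundary semantics can be inspected; in production the rule is compiled and run by YARA itself, this only shows what it evaluates. `make_sample` and its blobs are illustrative assumptions, not real binaries.

```python
# Added example: pure-Python emulation of the rule's condition
#   ( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
# Not a substitute for running YARA; it shows what each clause means.

MZ_MAGIC = 0x5A4D                     # uint16(0) == 0x5a4d -> bytes "MZ"
MAX_FILESIZE = 50 * 1024              # YARA's 50KB is 50 * 1024 bytes
X1 = b"[-] Get RemoteMOFTriggerPath error"   # $x1 from the rule


def uint16_le(data: bytes, offset: int):
    """Emulate YARA uint16(offset): little-endian, None if out of bounds."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def fullword_ascii_match(data: bytes, needle: bytes) -> bool:
    """Emulate `fullword ascii`: an occurrence counts only when it is not
    flanked by alphanumeric bytes (start/end of data count as boundaries)."""
    start = 0
    while (i := data.find(needle, start)) >= 0:
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1
    return False


def rule_matches(data: bytes) -> bool:
    """All three clauses of the rule's condition must hold."""
    return (uint16_le(data, 0) == MZ_MAGIC
            and len(data) < MAX_FILESIZE
            and fullword_ascii_match(data, X1))


def make_sample(payload: bytes, size: int = 4096, mz: bool = True) -> bytes:
    """Constructed test blob (not a real binary, hypothetical helper):
    optional MZ magic, a 64-byte zero gap, the payload, zero padding."""
    body = (b"MZ" if mz else b"\x00\x00") + b"\x00" * 64 + payload
    return body + b"\x00" * max(0, size - len(body))


if __name__ == "__main__":
    print(rule_matches(make_sample(X1)))                    # True
    print(rule_matches(make_sample(X1, mz=False)))          # False: no MZ
    print(rule_matches(make_sample(X1, size=60 * 1024)))    # False: too large
    print(rule_matches(make_sample(b"A" + X1 + b"B")))      # False: not fullword
```

The last case is the one that usually surprises people: the string is present, but `fullword` rejects it because it is glued to alphanumeric neighbours, which is also why a rule like this is cheap to evade and should be paired with the Sentinel hunting described above rather than relied on alone.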
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler is running a maintenance script that includes base64 encoded data or similar patterns.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler, and filter out tasks with known maintenance scripts.
Scenario: Admin Using PowerShell to Decode Base64 Strings
Description: A system administrator is using PowerShell to decode base64 strings as part of a script or troubleshooting process.
Filter/Exclusion: Filter events where ProcessName is powershell.exe and the command line includes -EncodedCommand or ConvertTo-Base64.
Scenario: Legitimate Software Update Process
Description: A software update process (e.g., using msiexec.exe or wusa.exe) is unpacking or decoding payloads as part of the installation.
Filter/Exclusion: Filter events where ProcessName is msiexec.exe or wusa.exe, and check for known update packages or hashes.
Scenario: Log Parsing or Data Extraction Tool
Description: A log parsing tool (e.g., logparser.exe, PowerShell scripts) is processing logs that contain base64 or encoded data for analysis.
Filter/Exclusion: Filter events where ProcessName is logparser.exe or powershell.exe and the command line includes log parsing or data extraction keywords.
Scenario: Internal Security Tool or SIEM Integration
Description: An internal security tool (e.g., Splunk, ELK, or SIEM) is ingesting or processing data that includes encoded strings as part of its workflow.
Filter/Exclusion: Filter events where `Process