The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, sophisticated threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "cb5849fcbc473c7df886828d225293ffbd8ee58e221d03b840fd212baeda6e89"
      hash2 = "043d1c9aae6be65f06ab6f0b923e173a96b536cf84e57bfd7eeb9034cd1df8ea"
   strings:
      $s1 = "[*] Summary: %d pipes found" fullword ascii
      $s3 = "[+] Testing %d pipes" fullword ascii
      $s6 = "[-] Error on SMB startup, aborting" fullword ascii
      $s12 = "92a761c29b946aa458876ff78375e0e28bc8acb0" fullword ascii
      $op1 = { 68 10 10 40 00 56 e8 e1 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 40KB and 2 of them )
}
This rule contains 5 string patterns in its detection logic; a file matches when it starts with an MZ header, is smaller than 40KB, and contains any 2 of those patterns.
The following scenarios describe legitimate activity that can resemble this tool's behaviour, each with a filter to exclude it from hunting results:
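To make the condition concrete, here is an added example (not from the page or the rule's author) that emulates this rule's matching logic in plain Python rather than through yara-python: the `uint16(0)` MZ check, the `filesize` bound, the `fullword ascii` boundary semantics, and the `2 of them` count including the hex pattern. The string and hex values are copied from the rule; the sample buffers are constructed for the example and are not real files.

```python
import re

# Patterns copied from the rule above; the evaluator around them is an added
# example that mimics the YARA condition, not yara-python.
ASCII_STRINGS = {
    "$s1": b"[*] Summary: %d pipes found",
    "$s3": b"[+] Testing %d pipes",
    "$s6": b"[-] Error on SMB startup, aborting",
    "$s12": b"92a761c29b946aa458876ff78375e0e28bc8acb0",
}
HEX_PATTERNS = {
    "$op1": bytes.fromhex("68 10 10 40 00 56 e8 e1"),
}
MAX_FILESIZE = 40 * 1024   # rule: filesize < 40KB
MZ_MAGIC = 0x5A4D          # rule: uint16(0) == 0x5a4d, i.e. little-endian "MZ"


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword ascii': the string must not be directly preceded or
    followed by an alphanumeric byte."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes):
    """Emulate the rule condition; return (matched pattern ids, verdict)."""
    matched = [sid for sid, s in ASCII_STRINGS.items() if fullword_match(data, s)]
    matched += [pid for pid, p in HEX_PATTERNS.items() if p in data]  # hex strings are not fullword
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC
    verdict = is_mz and len(data) < MAX_FILESIZE and len(matched) >= 2
    return matched, verdict


# Constructed sample buffers (not real binaries): a 64-byte "MZ" stub header
# followed by NUL-separated strings.
STUB = b"MZ" + b"\x00" * 62
SAMPLE_HIT = STUB + ASCII_STRINGS["$s1"] + b"\x00" + ASCII_STRINGS["$s3"] + b"\x00"
SAMPLE_HEX_PLUS_STRING = STUB + HEX_PATTERNS["$op1"] + b"\x00" + ASCII_STRINGS["$s6"] + b"\x00"
SAMPLE_NOT_MZ = b"\x7fELF" + SAMPLE_HIT[4:]          # same strings, wrong magic
SAMPLE_ONE_STRING = STUB + ASCII_STRINGS["$s1"] + b"\x00"
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE  # strings present, over the size bound
# An alphanumeric byte glued to the front of $s3 breaks the fullword boundary,
# so only $s1 counts and the rule does not fire.
SAMPLE_NOT_FULLWORD = STUB + b"x" + ASCII_STRINGS["$s3"] + b"\x00" + ASCII_STRINGS["$s1"]


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("hex+string", SAMPLE_HEX_PLUS_STRING),
                      ("not MZ", SAMPLE_NOT_MZ), ("one string", SAMPLE_ONE_STRING),
                      ("too big", SAMPLE_TOO_BIG), ("not fullword", SAMPLE_NOT_FULLWORD)]:
        matched, verdict = evaluate(buf)
        print(f"{name:13} matched={matched} verdict={verdict}")
```

The size bound and the "2 of them" quorum are why the rule is cheap to run at scale; the fullword qualifier is what stops a string embedded in a longer identifier from counting, which the last sample shows.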
Scenario: Scheduled system maintenance or patching using PowerShell scripts
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-File%'
Rationale: Legitimate maintenance tasks may use PowerShell, but excluding scripts that are not explicitly invoked via -File can help reduce false positives.
Scenario: Running Windows Task Scheduler jobs that execute EquationGroup-related payloads (e.g., mshta.exe, cmd.exe)
Filter/Exclusion: process.parent.name != "schtasks.exe" OR process.name NOT IN ("mshta.exe", "cmd.exe")
Rationale: Scheduled jobs may trigger similar behavior, but filtering by parent process or known legitimate tools can help distinguish between benign and malicious activity.
Scenario: Microsoft Endpoint Protection (EPP) or Windows Defender performing a scan using MsMpEng.exe
Filter/Exclusion: process.name != "MsMpEng.exe" OR process.parent.name != "services.exe"
Rationale: Antivirus scans may trigger similar process behaviors, but excluding known security processes can help avoid false positives.
Scenario: Windows Update or System File Checker (sfc.exe) running in the background
Filter/Exclusion: process.name != "sfc.exe" AND process.name != "wuauclt.exe"
Rationale: System maintenance tasks like Windows Update or SFC may exhibit similar process behaviors to the EquationGroup tool.
Scenario: Remote Desktop Services (RDP) session activity or Group Policy Object (GPO) processing using gpupdate.exe
Filter/Exclusion: process.name != "gpupdate.exe" OR process.parent.name != "services.exe"
Rationale: GPO updates or
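The following added example (not from the page) applies the scenario filters above to a handful of constructed process events so the keep/drop behaviour of each one can be checked before it is put in front of real hunting results. Each filter is written as a hypothetical Python predicate that returns True when an event is kept; the event field names mirror the page's filters and the values are invented. It also shows why two `!=` tests on the same field must be joined with AND: joined with OR they are always true and exclude nothing.

```python
# Constructed process events (not real telemetry); field names follow the
# page's filters, values are invented for the example.
EVENTS = [
    {"id": 1, "process.name": "MsMpEng.exe",    "process.parent.name": "services.exe", "process.args": ""},
    {"id": 2, "process.name": "powershell.exe", "process.parent.name": "svchost.exe",  "process.args": "-File C:\\maint\\patch.ps1"},
    {"id": 3, "process.name": "powershell.exe", "process.parent.name": "winword.exe",  "process.args": "-NoProfile -Command Get-Process"},
    {"id": 4, "process.name": "mshta.exe",      "process.parent.name": "schtasks.exe", "process.args": ""},
    {"id": 5, "process.name": "mshta.exe",      "process.parent.name": "winword.exe",  "process.args": ""},
    {"id": 6, "process.name": "sfc.exe",        "process.parent.name": "cmd.exe",      "process.args": "/scannow"},
    {"id": 7, "process.name": "wuauclt.exe",    "process.parent.name": "svchost.exe",  "process.args": ""},
    {"id": 8, "process.name": "gpupdate.exe",   "process.parent.name": "services.exe", "process.args": "/force"},
    {"id": 9, "process.name": "gpupdate.exe",   "process.parent.name": "cmd.exe",      "process.args": "/force"},
]


# Each predicate returns True when the event should be KEPT for review.
def keep_powershell(e):
    # NOT LIKE '%-File%'; compared case-insensitively because PowerShell
    # parameters are case-insensitive, so "-file" must be treated the same.
    return e["process.name"] != "powershell.exe" or "-file" not in e["process.args"].lower()


def keep_scheduled(e):
    return e["process.parent.name"] != "schtasks.exe" or e["process.name"] not in ("mshta.exe", "cmd.exe")


def keep_av_scan(e):
    return e["process.name"] != "MsMpEng.exe" or e["process.parent.name"] != "services.exe"


def keep_system_maintenance(e):
    # Two != tests on the same field must be ANDed to exclude both names.
    return e["process.name"] != "sfc.exe" and e["process.name"] != "wuauclt.exe"


def keep_system_maintenance_or_variant(e):
    # The same two tests joined with OR: one side is always true, so this
    # keeps every event and excludes nothing. Shown only as the failure case.
    return e["process.name"] != "sfc.exe" or e["process.name"] != "wuauclt.exe"


def keep_gpo(e):
    return e["process.name"] != "gpupdate.exe" or e["process.parent.name"] != "services.exe"


EXCLUSIONS = [
    ("PowerShell maintenance", keep_powershell),
    ("Scheduled task", keep_scheduled),
    ("Defender scan", keep_av_scan),
    ("Windows Update / SFC", keep_system_maintenance),
    ("GPO processing", keep_gpo),
]


def apply_exclusions(events, exclusions=EXCLUSIONS):
    """Return (ids kept for review, {dropped id: name of the exclusion that dropped it})."""
    kept, dropped = [], {}
    for e in events:
        for name, keep in exclusions:
            if not keep(e):
                dropped[e["id"]] = name
                break
        else:
            kept.append(e["id"])
    return kept, dropped


def excludes_nothing(keep, events):
    """True if a filter keeps every event, i.e. it is a tautology and does no work."""
    return all(keep(e) for e in events)


if __name__ == "__main__":
    kept, dropped = apply_exclusions(EVENTS)
    print("kept for review:", kept)
    for eid, reason in sorted(dropped.items()):
        print(f"dropped {eid}: {reason}")
    print("OR variant excludes nothing:", excludes_nothing(keep_system_maintenance_or_variant, EVENTS))
```

Running this over the constructed events keeps only the powershell, mshta and gpupdate executions whose parent or arguments do not fit the benign scenario, which is the set a hunter would actually triage; `excludes_nothing` is a cheap sanity check to run on every exclusion before it ships.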