The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "fbe3a4501654438f502a93f51b298ff3abf4e4cad34ce4ec0fad5cb5c2071597"
      hash2 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309"
   strings:
      $s1 = "DEC Pathworks TCPIP service on Windows NT" fullword ascii
      $s2 = "<\\\\__MSBROWSE__> G" fullword ascii
      $s3 = "<IRISNAMESERVER>" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic contains 3 string patterns ($s1, $s2, $s3), each matched as a fullword ASCII string. Its condition only fires on a PE file (uint16(0) == 0x5a4d, the "MZ" header) that is smaller than 300KB and contains all three strings.
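The rule's condition re-implemented in plain Python, as an added example that is not part of the original page (it needs no yara module). It evaluates each clause separately so an analyst can see why a sample does or does not match; build_sample and the blobs it produces are constructed test data, not real EquationGroup files.

```python
# Added example: the rule's condition re-implemented in plain Python so the
# match logic can be exercised offline. All sample inputs are constructed.
RULE_STRINGS = {  # copied from the rule; YARA "\\\\" is two literal backslashes
    "$s1": b"DEC Pathworks TCPIP service on Windows NT",
    "$s2": b"<\\\\__MSBROWSE__> G",
    "$s3": b"<IRISNAMESERVER>",
}
MAX_SIZE = 300 * 1024  # YARA's 300KB (KB = 1024)


def fullword_in(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if it is not immediately
    preceded or followed by an alphanumeric byte."""
    start = 0
    while (idx := data.find(needle, start)) >= 0:
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition and the overall verdict."""
    strings = {name: fullword_in(data, s) for name, s in RULE_STRINGS.items()}
    is_pe = data[:2] == b"MZ"        # uint16(0) == 0x5a4d, little-endian "MZ"
    size_ok = len(data) < MAX_SIZE   # filesize < 300KB
    return {"is_pe": is_pe, "size_ok": size_ok, "strings": strings,
            "match": is_pe and size_ok and all(strings.values())}  # all of them


def build_sample(pe: bool = True, size: int = 4096, strings=None) -> bytes:
    """Constructed test blob (not a real file): optional MZ header, then the
    chosen strings NUL-separated, padded with NULs to `size` bytes."""
    if strings is None:
        strings = tuple(RULE_STRINGS.values())
    header = b"MZ" if pe else b"\x7fELF"
    return (header + b"\x00" * 64 + b"\x00".join(strings)).ljust(size, b"\x00")


if __name__ == "__main__":
    for label, blob in [
        ("all clauses satisfied", build_sample()),
        ("strings present but not a PE", build_sample(pe=False)),
        ("PE but over 300KB", build_sample(size=400 * 1024)),
        ("only two of three strings",
         build_sample(strings=[RULE_STRINGS["$s1"], RULE_STRINGS["$s3"]])),
    ]:
        print(f"{label:32} -> match={evaluate(blob)['match']}")
```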
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler or schtasks.exe) runs a script or executable that matches the behavior of the EquationGroup tool.
Filter/Exclusion: Check the CommandLine field for known maintenance scripts (e.g., schtasks.exe /run /tn "System Maintenance"), and exclude processes with Task Scheduler as the parent process.
Scenario: Windows Update or Patching Process
Description: The EquationGroup detection logic may flag a legitimate Windows Update or patching process (e.g., wusa.exe, dism.exe) that is executing a script or tool with similar behavior.
Filter/Exclusion: Filter processes where the ImageFileName is wusa.exe or dism.exe, or where the ParentProcessName is svchost.exe or taskhost.exe.
Scenario: Administrative PowerShell Script Execution
Description: A system administrator runs a PowerShell script (e.g., powershell.exe) that performs file operations or registry modifications similar to the EquationGroup tool.
Filter/Exclusion: Exclude processes where the CommandLine contains powershell.exe -Command and the script path is known to be from a trusted admin tool (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Log File Parsing or Data Extraction Job
Description: A legitimate job (e.g., logparser.exe, PowerShell script) is extracting data from log files, which may trigger the detection due to file access patterns.
Filter/Exclusion: Exclude processes where the ImageFileName is logparser.exe or where the FilePath is within a known log directory (e.g., `C