Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The detection identifies potential use of the EquationGroup tool, specifically the April Leak variant, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary presence and potential data exfiltration.

YARA Rule

rule EquationGroup_Toolset_Apr17_ntevt {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf"
   strings:
      $x1 = "c:\\ntevt.pdb" fullword ascii

      $s1 = "ARASPVU" fullword ascii

      $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 }
      $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 }
      $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 700KB and $x1 or 3 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system caches.
  Filter/Exclusion: Exclude processes associated with schtasks.exe or processes running from the system’s scheduled tasks directory (e.g., C:\Windows\Tasks\).

• Scenario: Microsoft Equation Editor Usage
  Description: A user is using the Microsoft Equation Editor (part of Microsoft Office) to create mathematical equations in a document.
  Filter/Exclusion: Exclude processes related to eqnedit.exe or any processes running from the Office installation directory (e.g., C:\Program Files\Microsoft Office\).

• Scenario: Antivirus or Endpoint Protection Scan
  Description: A security tool like Microsoft Defender or Bitdefender is performing a full system scan, which may involve scanning files associated with the EquationGroup tool.
  Filter/Exclusion: Exclude processes associated with antivirus tools (e.g., MsMpEng.exe, bdagent.exe) or processes running from the antivirus installation directory.

• Scenario: PowerShell Script for System Monitoring
  Description: A system administrator is running a PowerShell script (e.g., powershell.exe) to monitor system logs or performance metrics, which may involve parsing files that resemble EquationGroup artifacts.
  Filter/Exclusion: Exclude processes launched via PowerShell with specific command-line arguments (e.g., -Command or -File) or processes running from the system’s monitoring scripts directory.

• Scenario: Legacy Software Compatibility Check
  Description: A legacy application or compatibility tool is being run to ensure older software works correctly on the current system, which may involve checking for specific file signatures or behaviors.
  Filter/Exclusion: Exclude processes associated with compatibility tools (e.g., `CompatTel