Hypothesis: a match on the EquationGroup Tool - April Leak signature indicates possible adversary use of a tool from the Equation Group toolset published by the Shadow Brokers in April 2017 (the "Lost in Translation" release referenced in the rule). These are mature, well-engineered implants, and legacy does not mean harmless: they remain capable of long-term persistence and data exfiltration. The signature matches file content rather than behaviour, so SOC teams should run it with a YARA-capable scanner across endpoints and file stores, forward every hit to Azure Sentinel, and hunt outward from each hit (the host, the matched file's hash, and the process that wrote or executed it) to identify and contain advanced persistent threats that evaded traditional, behaviour-based detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_Oracle_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "8e9be4960c62ed7f210ce08f291e410ce0929cd3a86fe70315d7222e3df4587e"
   strings:
      // Three 16-byte opcode sequences characteristic of the sample (REX-prefixed, i.e. 64-bit code)
      $op0 = { fe ff ff ff 48 89 9c 24 80 21 00 00 48 89 ac 24 }
      $op1 = { e9 34 11 00 00 b8 3e 01 00 00 e9 2a 11 00 00 b8 }
      $op2 = { 48 8b ca e8 bf 84 00 00 4c 8b e0 8d 34 00 44 8d }
   condition:
      // PE file ("MZ" header, uint16 read little-endian), under 500 KB, and all three opcode patterns present
      ( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
}
Deployment: this is a file-content signature, not a log query. It contains three byte patterns ($op0, $op1, $op2) in its detection logic, and a file matches only when it begins with the MZ header (uint16(0) == 0x5a4d, read little-endian), is smaller than 500 KB (YARA's KB suffix is 1024 bytes) and contains all three patterns. Run it with a YARA-compatible scanner (endpoint file scans through an EDR, or a scheduled yara run over file shares and upload directories) and forward hits to the SIEM; the rule cannot be evaluated against Sentinel log events alone. A hit whose SHA-256 equals hash1 is the known sample; any other hash is a new file that needs triage before it is treated as a true positive.
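As an added example (not part of the original page and not Florian Roth's code), the following Python re-implements the rule's condition so the three checks can be stepped through without a YARA installation. The sample files are constructed inside the script (an MZ-headed filler buffer with the three opcode patterns appended); they are not the leaked binary, so the known_sample flag correctly stays False for them.

```python
import hashlib
import struct
from typing import Dict, Optional

RULE_NAME = "EquationGroup_Toolset_Apr17_Oracle_Implant"
# SHA-256 of the sample the rule was written against (meta.hash1 in the rule).
RULE_HASH1 = "8e9be4960c62ed7f210ce08f291e410ce0929cd3a86fe70315d7222e3df4587e"
# The rule's three 16-byte opcode patterns, copied from its strings section.
PATTERNS: Dict[str, bytes] = {
    "$op0": bytes.fromhex("feffffff48899c24802100004889ac24"),
    "$op1": bytes.fromhex("e934110000b83e010000e92a110000b8"),
    "$op2": bytes.fromhex("488bcae8bf8400004c8be08d3400448d"),
}
# YARA's KB suffix means 1024 bytes, so "filesize < 500KB" is a strict upper bound of 512000.
MAX_SIZE = 500 * 1024


def matches_rule(data: bytes) -> bool:
    """Evaluate `uint16(0) == 0x5a4d and filesize < 500KB and all of them`."""
    # uint16(0) is read little-endian, so the first two bytes must be b"MZ" (0x4d, 0x5a).
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    # `all of them`: every declared string must occur at least once, anywhere in the file.
    return all(pattern in data for pattern in PATTERNS.values())


def scan(data: bytes, path: str) -> Optional[dict]:
    """Return a triage record for a hit (hash, match offsets, whether it is the known sample)."""
    if not matches_rule(data):
        return None
    digest = hashlib.sha256(data).hexdigest()
    return {
        "path": path,
        "rule": RULE_NAME,
        "sha256": digest,
        "offsets": {name: data.find(pattern) for name, pattern in PATTERNS.items()},
        "known_sample": digest == RULE_HASH1,
    }


def build_sample(include_patterns: bool) -> bytes:
    """Constructed test input: an MZ header plus filler, optionally with the three patterns appended.
    This is not a real PE and not the leaked implant; it exists only to exercise the condition."""
    buf = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header stub
    buf += b"PE\x00\x00" + b"\x00" * 1020           # 1024 bytes of filler
    if include_patterns:
        for pattern in PATTERNS.values():
            buf += b"\xcc" * 16 + pattern           # int3 padding, then the opcode sequence
    return bytes(buf)


SAMPLE_HIT = build_sample(include_patterns=True)
SAMPLE_BENIGN = build_sample(include_patterns=False)
# Same content as SAMPLE_HIT, padded past 500 KB: the filesize clause must reject it.
SAMPLE_OVERSIZED = SAMPLE_HIT + b"\x00" * MAX_SIZE
# ELF magic in place of MZ: the header check must reject it even though all patterns are present.
SAMPLE_NOT_PE = b"\x7fELF" + SAMPLE_HIT[4:]

if __name__ == "__main__":
    for name, blob in [("hit.bin", SAMPLE_HIT), ("benign.bin", SAMPLE_BENIGN),
                       ("oversized.bin", SAMPLE_OVERSIZED), ("not_pe.bin", SAMPLE_NOT_PE)]:
        print(name, scan(blob, name))
```

The offsets in the triage record are what an analyst wants next to the hash: they point at the code the rule keyed on, which makes it quick to confirm in a disassembler whether a new (non-hash1) hit is the same implant or an unrelated binary that happens to share the byte sequences.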
False-positive tuning. The exclusions below apply to the process telemetry correlated with a hit (for example the process that wrote or executed the flagged file), not to the YARA match itself: the rule matches file bytes, so a flagged file written by a maintenance tool is still a flagged file until its hash and the matched offsets have been reviewed. Each exclusion is anchored on an explicit process-name match combined with an argument marker; a clause written as process.name != A or process.name != B is true for every event and would silence the detection.
Scenario: Scheduled system maintenance or patching using PowerShell scripts
Filter/Exclusion: exclude events where process.name == "powershell.exe" and (process.args contains "Update-Module" or process.args contains "Install-Module")
Scenario: Legitimate use of Wireshark for network analysis
Filter/Exclusion: exclude events where process.name == "wireshark.exe" and (process.args contains "capture" or process.args contains "filter")
Scenario: Admin task involving Windows Task Scheduler to run a legitimate script
Filter/Exclusion: exclude events where process.name == "schtasks.exe" and (process.args contains "/create" or process.args contains "/run")
Scenario: Installing or reconfiguring Sysmon (Sysinternals System Monitor) for endpoint logging
Filter/Exclusion: exclude events where process.name == "sysmon.exe" and (process.args contains "config" or process.args contains "log")
Scenario: Deployment of Chef or Puppet configuration management tools
Filter/Exclusion: exclude events where process.name in ("chef-client.exe", "puppet.exe") and (process.args contains "run" or process.args contains "apply")
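The exclusions above are written as filter pseudo-expressions with no particular query language behind them. As an added example (mine, not from the original page), the Python below evaluates the same five scenarios over constructed process events so the operator precedence can be checked: every clause is anchored on an explicit process-name match, and a separate helper shows why a clause of the form process.name != A or process.name != B is true for every event and would suppress the detection entirely. The event fields, process names in the sample events and argument strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event; field names are constructed for this example."""
    name: str
    args: str


# (scenario, process names to match, argument markers of which at least one must appear)
EXCLUSIONS: Sequence[tuple] = (
    ("Scheduled maintenance via PowerShell", {"powershell.exe"}, ("Update-Module", "Install-Module")),
    ("Legitimate Wireshark analysis", {"wireshark.exe"}, ("capture", "filter")),
    ("Admin task via Task Scheduler", {"schtasks.exe"}, ("/create", "/run")),
    ("Sysmon configuration", {"sysmon.exe"}, ("config", "log")),
    ("Chef/Puppet configuration management", {"chef-client.exe", "puppet.exe"}, ("run", "apply")),
)


def excluded_by(event: ProcessEvent) -> Optional[str]:
    """Return the scenario that excludes the event, or None when the event should still alert.
    Each clause is `name == X and (args contains A or args contains B)`; the parentheses matter."""
    name = event.name.lower()
    args = event.args.lower()
    for scenario, names, markers in EXCLUSIONS:
        if name in names and any(marker.lower() in args for marker in markers):
            return scenario
    return None


def filter_events(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Keep only the events no scenario excludes (the ones that should reach an analyst)."""
    return [event for event in events if excluded_by(event) is None]


def broken_exclusion(event: ProcessEvent) -> bool:
    """A clause of the form `name != A or name != B`: no process name can equal both A and B,
    so this is True for every event and would exclude everything. Kept only to show the bug."""
    return event.name != "chef-client.exe" or event.name != "puppet.exe"


# Constructed events: three covered by a scenario, three that must still alert.
EVENTS = [
    ProcessEvent("powershell.exe", "-NoProfile -Command Update-Module Az"),
    ProcessEvent("schtasks.exe", "/create /tn Backup /tr backup.cmd"),
    ProcessEvent("puppet.exe", "apply site.pp"),
    ProcessEvent("powershell.exe", "-nop -w hidden -enc SQBFAFgA"),   # encoded command, no marker
    ProcessEvent("chef-client.exe", "--version"),                   # chef, but neither run nor apply
    ProcessEvent("rundll32.exe", "C:\\Users\\Public\\payload.dll,Start"),
]

if __name__ == "__main__":
    for event in EVENTS:
        print(f"{event.name:18} excluded_by={excluded_by(event)!r:40} broken_filter={broken_exclusion(event)}")
```

Matching is case-insensitive on both the process name and the arguments because Windows paths and PowerShell cmdlet names are case-insensitive; an exclusion that only matched "Update-Module" verbatim would be trivially bypassed by "update-module".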