The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware variant, which may be part of a targeted attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging known but dormant malware.
YARA Rule
rule EquationGroup_Toolset_Apr17_PacketScan_Implant {
meta:
description = "Detects EquationGroup Tool - April Leak"
author = "Florian Roth"
reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
date = "2017-04-15"
hash1 = "9b97cac66d73a9d268a15e47f84b3968b1f7d3d6b68302775d27b99a56fbb75a"
strings:
$op0 = { e9 ef fe ff ff ff b5 c0 ef ff ff 8d 85 c8 ef ff }
$op1 = { c9 c2 04 00 b8 34 26 00 68 e8 40 05 00 00 51 56 }
$op2 = { e9 0b ff ff ff 8b 45 10 8d 4d c0 89 58 08 c6 45 }
condition:
( uint16(0) == 0x5a4d and filesize < 30KB and all of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a maintenance script that uses similar command-line syntax or file names as the EquationGroup tool.
Filter/Exclusion: process.name != "schtasks.exe" OR process.name != "task scheduler" or check for known benign command-line arguments.
Scenario: Windows Update or Patching Process
Description: A system update or patching process that temporarily uses files or registry keys similar to those associated with the EquationGroup tool.
Filter/Exclusion: process.name != "wuauclt.exe" OR process.name != "Windows Update" or check for known update-related command-line arguments.
Scenario: Admin User Performing File System Cleanup
Description: An admin user manually cleaning up old or unused files, which may involve deleting or renaming files that match the EquationGroup tool’s file patterns.
Filter/Exclusion: user.name != "Administrator" OR user.name != "root" or check for file system operations with known administrative tasks.
Scenario: Legitimate Security Tool or EDR Agent Activity
Description: A legitimate endpoint detection and response (EDR) agent or security tool performing a scan or integrity check that may trigger the same file or process patterns.
Filter/Exclusion: process.name != "Microsoft Monitoring Agent" OR process.name != "EDR Agent" or check for known security tool command-line arguments.
Scenario: PowerShell Script for Log Analysis or Compliance
Description: A PowerShell script used for log analysis or compliance tasks that may use similar command structures or file paths as the EquationGroup tool.
Filter/Exclusion: process.name != "powershell.exe" OR script.name != "compliance-script.ps1" or check for known PowerShell script patterns.