The hypothesis is that a detection of the EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_ParseCapture {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "c732d790088a4db148d3291a92de5a449e409704b12e00c7508d75ccd90a03f2"
    strings:
        $x1 = "* Encrypted log found. An encryption key must be provided" fullword ascii
        $x2 = "encryptionkey = e.g., \"00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\"" fullword ascii
        $x3 = "Decrypting with key '%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x'" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 50KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
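As an added example (not part of the original page or of the rule author's tooling), the following Python reproduces this rule's condition so an analyst can see why a given file hits or misses it: the little-endian `uint16(0)` MZ check, the `filesize < 50KB` bound, and the `fullword` boundary semantics of the three strings. The sample byte strings are constructed.

```python
"""Pure-Python re-implementation of the condition in
EquationGroup_Toolset_Apr17_ParseCapture, for triaging one file offline
without yara-python. All sample inputs below are constructed."""

# The rule's three `fullword ascii` patterns, as the raw bytes YARA looks for.
STRINGS = {
    "$x1": b"* Encrypted log found. An encryption key must be provided",
    "$x2": b'encryptionkey = e.g., "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"',
    # $x3 is the printf format string embedded in the binary (16 x "%02x"),
    # not a rendered key: YARA matches bytes on disk, not runtime output.
    "$x3": b"Decrypting with key '" + b" ".join([b"%02x"] * 16) + b"'",
}
MAX_SIZE = 50 * 1024  # `filesize < 50KB`
MZ_LE = 0x5A4D        # `uint16(0)` is little-endian, i.e. the bytes 'M','Z'


def fullword_hits(data: bytes, pattern: bytes) -> list:
    """Offsets of `pattern` delimited by non-alphanumeric bytes on both sides
    (YARA `fullword` semantics; alphanumeric is ASCII-only, as in YARA)."""
    hits, start = [], 0
    while (i := data.find(pattern, start)) != -1:
        end = i + len(pattern)
        before_ok = i == 0 or not bytes([data[i - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            hits.append(i)
        start = i + 1
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Evaluate `uint16(0) == 0x5a4d and filesize < 50KB and 1 of them` and
    report which strings fired and where, so an analyst can see why it hit."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_LE
    size_ok = len(data) < MAX_SIZE
    fired = {n: fullword_hits(data, p) for n, p in STRINGS.items()}
    fired = {n: offs for n, offs in fired.items() if offs}
    return {"match": is_mz and size_ok and bool(fired),
            "is_mz": is_mz, "size_ok": size_ok, "strings": fired}

# Constructed samples: a minimal fake PE image carrying $x1, and two near-misses.
SAMPLE_HIT = b"MZ" + b"\x00" * 64 + STRINGS["$x1"] + b"\x00" * 16
SAMPLE_NOT_PE = b"PE" + SAMPLE_HIT[2:]                       # wrong header
SAMPLE_GLUED = b"MZ" + b"\x00" * 64 + STRINGS["$x1"] + b"X"  # fails fullword

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                       ("glued", SAMPLE_GLUED)):
        print(name, evaluate_rule(blob))
```

Feeding real files through `evaluate_rule(open(path, "rb").read())` gives the same verdict as the rule, with the offsets of the matching strings for follow-up in a disassembler.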
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses certutil or certreq to manage certificates, which may resemble the EquationGroup tool’s behavior.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks with known maintenance names (e.g., MaintenanceTask, CertUpdate).
Scenario: Windows Update or Group Policy Deployment
Description: A Group Policy update or Windows Update process may execute scripts or use tools like msiexec or gpupdate.exe that could trigger the rule due to similar command-line arguments.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe, msiexec.exe, or tasks with GroupPolicy in the name.
Scenario: PowerShell Script for Certificate Management
Description: A PowerShell script used by the IT department to manage certificates or trust policies may use certutil or Import-Certificate, which could match the detection logic.
Filter/Exclusion: Exclude processes with powershell.exe where the script path includes known IT tooling directories (e.g., C:\ITTools\, C:\Scripts\).
Scenario: Admin Tool for Certificate Authority (CA) Operations
Description: An admin tool like certsrv.exe (used by Windows Server Certificate Authority) may execute commands that resemble the EquationGroup tool’s behavior.
Filter/Exclusion: Exclude processes initiated by certsrv.exe or running under the NT AUTHORITY\NetworkService account.
Scenario: Third-Party Software Installation or Patching
Description: A third-party application or patching tool (e.g., Microsoft Endpoint Configuration Manager, SCCM, or a vendor-specific tool) may use certutil or similar commands during installation.