The hypothesis is that a hit on the EquationGroup Tool - April Leak detection indicates adversary activity using a known malicious tool, one that may be used for data exfiltration or persistence. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate advanced persistent threats that may already have a foothold in the environment.
YARA Rule
rule EquationGroup_Toolset_Apr17_PC_Legacy_dll {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "0cbc5cc2e24f25cb645fb57d6088bcfb893f9eb9f27f8851503a1b33378ff22d"
    strings:
        $op1 = { 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 }
        $op2 = { 49 c6 45 e1 73 c6 45 e2 57 c6 45 e3 }
        $op3 = { 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 6f c6 45 ea }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
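To make the rule's condition concrete, the following Python script re-implements the three checks YARA evaluates for this rule (little-endian MZ header at offset 0, file size below 200KB, and all three opcode patterns present) and runs them over a constructed test buffer. This is an added example, not code from the page or from the rule's author; the `build_sample` helper and its filler bytes are constructed for illustration and do not represent a real sample. The hex patterns are taken verbatim from the rule above.

```python
import struct

# Hex patterns copied from the rule's $op1, $op2 and $op3 strings.
OP_PATTERNS = {
    "$op1": bytes.fromhex("45f465c645f56cc645f633c645f732c6"),
    "$op2": bytes.fromhex("49c645e173c645e257c645e3"),
    "$op3": bytes.fromhex("34c645e750c645e872c645e96fc645ea"),
}

# In YARA the KB suffix multiplies by 1024, so "filesize < 200KB" is < 204800 bytes.
MAX_FILESIZE = 200 * 1024


def matches_rule(data: bytes) -> dict:
    """Evaluate the rule's condition the way YARA does and report each sub-check.

    uint16(0) reads a little-endian 16-bit value at offset 0, so the DOS
    "MZ" signature (0x4D 0x5A on disk) compares equal to 0x5A4D.
    """
    has_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    found = {name: pat in data for name, pat in OP_PATTERNS.items()}
    return {
        "match": has_mz and size_ok and all(found.values()),  # "all of them"
        "mz": has_mz,
        "size_ok": size_ok,
        "strings": found,
    }


def build_sample(include=("$op1", "$op2", "$op3"), pad_to=4096, mz=True) -> bytes:
    """Constructed test buffer (hypothetical, not a real file): an optional MZ
    header, zero filler, the requested patterns, then padding to pad_to bytes."""
    body = bytearray(b"MZ" if mz else b"\x00\x00")
    body += b"\x00" * 64
    for name in include:
        body += OP_PATTERNS[name] + b"\x90" * 16  # constructed spacing between patterns
    body += b"\x00" * max(0, pad_to - len(body))
    return bytes(body)


if __name__ == "__main__":
    # Full buffer satisfies every sub-check; dropping one string or the MZ
    # header, or exceeding 200KB, must not match.
    print("all patterns, small PE-like buffer:", matches_rule(build_sample()))
    print("missing $op3:", matches_rule(build_sample(include=("$op1", "$op2")))["match"])
    print("no MZ header:", matches_rule(build_sample(mz=False))["match"])
    print("over 200KB:", matches_rule(build_sample(pad_to=MAX_FILESIZE + 1))["match"])
```

The per-check dictionary is useful when triaging a hit: a buffer that carries all three patterns but fails the size bound is exactly the kind of file the rule deliberately ignores, and seeing which sub-check failed tells the analyst whether a near-miss is worth a manual look.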
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses certutil or PowerShell to manipulate certificates, which may trigger the rule.
Filter/Exclusion: Check for CommandLine containing "schtasks" or "ScheduleTask", or filter by ProcessName like schtasks.exe or TaskScheduler.

Scenario: Certificate Authority (CA) Certificate Renewal
Description: The enterprise's internal CA regularly renews certificates using tools like certutil or certsrv, which may resemble the EquationGroup behaviour.
Filter/Exclusion: Filter by ProcessName like certutil.exe or certsrv.exe, or check for CommandLine containing "renew" or "request".

Scenario: PowerShell Script for System Configuration
Description: A sysadmin runs a PowerShell script that uses certutil or Import-Certificate to configure system certificates, which may be flagged by the rule.
Filter/Exclusion: Filter by ProcessName like powershell.exe and check for CommandLine containing "Import-Certificate" or "certutil".

Scenario: Antivirus or Endpoint Protection Scan
Description: An endpoint protection tool like Bitdefender or Kaspersky may use certutil or similar commands during a scan, triggering the rule.
Filter/Exclusion: Filter by ProcessName like bitdefender.exe, kavservice.exe, or avgnt.exe, or check for CommandLine containing "scan" or "update".

Scenario: Windows Update or Group Policy Deployment
Description: Windows Update or Group Policy Client services may use certificate-related commands during deployment, which could be mistaken for EquationGroup activity.
Filter/Exclusion: