Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware variant, which may be part of a targeted attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats that may have evaded initial detection mechanisms.

YARA Rule

rule EquationGroup_Toolset_Apr17_PC_Level3_Gen {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c7dd49b98f399072c2619758455e8b11c6ee4694bb46b2b423fa89f39b185a97"
      hash2 = "f6b723ef985dfc23202870f56452581a08ecbce85daf8dc7db4491adaa4f6e8f"
   strings:
      $s1 = "S-%u-%u" fullword ascii
      $s2 = "Copyright (C) Microsoft" fullword wide

      $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 }
      $op2 = { 44 24 4e 41 88 5c 24 4f ff }
      $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate scheduled task runs a script that uses certutil or PowerShell to execute a command that resembles the EquationGroup tool’s behavior.
  Filter/Exclusion: Exclude processes associated with Task Scheduler or tasks with known names like WeeklySystemCheck or DiskCleanup.

• Scenario: Windows Update or Patching Process
  Description: The Windows Update Agent or Microsoft Update process may use certutil or similar tools to verify or apply updates, which could trigger the rule.
  Filter/Exclusion: Exclude processes with parent process svchost.exe and command lines containing wuauclt.exe or wusa.exe.

• Scenario: Admin Performing Certificate Management
  Description: An administrator uses certutil to manage certificates, which is a legitimate activity but may match the detection logic.
  Filter/Exclusion: Exclude processes initiated by users with administrative privileges and where the command line includes certutil -addstore or certutil -viewstore.

• Scenario: PowerShell Script for Log Analysis
  Description: A PowerShell script used for log analysis or compliance checks may use certutil or similar commands, leading to a false positive.
  Filter/Exclusion: Exclude processes with powershell.exe and command lines that include -File or -Command with known internal scripts or log analysis tools.

• Scenario: Antivirus or EDR Tool Scanning
  Description: Security tools like Microsoft Defender or CrowdStrike may use certutil or similar utilities during a scan, which could be mistaken for malicious activity.
  Filter/Exclusion: Exclude processes with known security tool names such as MsMpEng.exe, CsiService.exe, or Mcshield.exe.