The hypothesis is that a hit on the EquationGroup Tool - April Leak signature indicates possible adversary use of legacy malware from the Shadow Brokers "Lost in Translation" release, tooling with well-documented persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived intrusions that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "3e855fbea28e012cd19b31f9d76a73a2df0eb03ba1cb5d22aafe9865150b020c"
    strings:
        $s1 = "Copyright (C) Microsoft" fullword wide
        $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 }
        $op2 = { 44 24 4e 41 88 5c 24 4f ff }
        $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}
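The following is an added example, not part of the original page and not code by the rule's author: a pure-Python re-implementation of the rule's condition so the four terms can be exercised on constructed byte buffers without libyara. It also serves the false-positive discussion that follows, because it shows that the copyright string alone (the only pattern legitimate Microsoft binaries share) never fires the rule. Assumptions: the fullword check approximates YARA's wide-string semantics (the UTF-16 character before and after the match must not be ASCII alphanumeric), the sample buffers are constructed test data rather than real binaries, and the function names (match_rule, triage, build_sample) are hypothetical.

```python
import hashlib
import struct

# Added example (not from the page or the rule's author): a pure-Python
# re-implementation of rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe.
# Patterns are transcribed from the rule; KNOWN_HASH is its hash1 meta field.
S1_WIDE = "Copyright (C) Microsoft".encode("utf-16-le")                # $s1, 'wide'
OP1 = bytes.fromhex("24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24")  # $op1
OP2 = bytes.fromhex("44 24 4e 41 88 5c 24 4f ff")                       # $op2
OP3 = bytes.fromhex("44 24 3f 6e c6 44 24 40 45 c6 44 24 41")           # $op3
KNOWN_HASH = "3e855fbea28e012cd19b31f9d76a73a2df0eb03ba1cb5d22aafe9865150b020c"
MAX_SIZE = 400 * 1024   # YARA's 'KB' is 1024 bytes; the condition is strictly less than


def _fullword_wide_present(data, needle):
    """Find a UTF-16LE needle that satisfies YARA's 'fullword' modifier for wide
    strings (approximation, assumed): the wide character before and after the
    match must not be an ASCII alphanumeric, i.e. an alnum byte with a 0x00 high byte."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_alnum = i >= 2 and bytes([data[i - 2]]).isalnum() and data[i - 1] == 0
        after_alnum = end + 1 < len(data) and bytes([data[end]]).isalnum() and data[end + 1] == 0
        if not before_alnum and not after_alnum:
            return True
        start = i + 1


def match_rule(data):
    """Evaluate every term of the rule's condition and return them by name,
    plus the overall verdict under 'match'
    (uint16(0) == 0x5a4d and filesize < 400KB and all of them)."""
    terms = {
        "mz_header": len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D,
        "filesize_lt_400KB": len(data) < MAX_SIZE,
        "$s1": _fullword_wide_present(data, S1_WIDE),
        "$op1": OP1 in data,
        "$op2": OP2 in data,
        "$op3": OP3 in data,
    }
    terms["match"] = all(terms.values())
    return terms


def triage(data):
    """Triage a buffer: no match, the sample the rule was written on (hash1),
    or a new match that needs analysis. Returns (verdict, sha256)."""
    digest = hashlib.sha256(data).hexdigest()
    if not match_rule(data)["match"]:
        return "no match", digest
    if digest == KNOWN_HASH:
        return "known sample: SHA-256 equals hash1 in the rule meta", digest
    return "new match: hash not in rule meta, verify signer and submit for analysis", digest


def build_sample(include_opcodes):
    """Constructed test input (not a real binary): an MZ header, the wide
    copyright string between NULs so it is 'fullword', and optionally the
    three opcode sequences separated by NOP padding."""
    data = b"MZ" + b"\x00" * 62                      # DOS-header-sized stub
    data += b"\x00" * 16 + S1_WIDE + b"\x00\x00"     # wide string between NULs
    if include_opcodes:
        data += b"\x90" * 8 + OP1 + b"\x90" * 4 + OP2 + b"\x90" * 4 + OP3
    return data


if __name__ == "__main__":
    for label, sample in (("tool-like", build_sample(True)),
                          ("copyright-only", build_sample(False))):
        print(label, match_rule(sample), triage(sample)[0])
```

The per-term dictionary is the useful part when tuning: a hit where only $s1 is true is a Microsoft binary, a hit where all four are true is the tool or a close variant, and the SHA-256 comparison against hash1 tells you whether you are looking at the leaked sample itself or something new that needs analysis.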
This YARA rule is a file-content signature: it is evaluated against the bytes of a file or memory region, not against process behaviour, so it can be deployed wherever files are scanned, such as an endpoint scanner, a sandbox or mail pipeline, or forensic triage of a disk image.
This rule contains 4 string patterns in its detection logic: $s1, the UTF-16 copyright string that legitimate Microsoft binaries also carry, and $op1 to $op3, three opcode sequences from the sample that build a string on the stack byte by byte (mov byte ptr [esp+disp8], imm8). The condition requires the MZ header, a size under 400 KB and all four patterns, so the copyright string alone never fires the rule. A hit is verified by comparing the file's SHA-256 with hash1 and checking its Authenticode signature before any exclusion is added. The false-positive scenarios below apply when a hit is enriched with process telemetry in Sentinel; their filters are for that correlation, not substitutes for verifying the matched file.
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance job launched by schtasks.exe (cleaning temporary files or applying system settings) reads and writes files that a scheduled YARA scan may touch at the same time, so the hit can be wrongly attributed to the task rather than to a dropped binary.
Filter/Exclusion: Correlate the hit with process events where ProcessName contains schtasks.exe and CommandLine contains /create or /run with a known maintenance script, then confirm the matched file is that script or its signed helper and not a new executable the task dropped. Exclude by file hash or Authenticode signer, not by process name alone.
Scenario: Windows Update or Patching Process
Description: The Windows Update service (wuauserv) or wuauclt.exe writing new binaries during patching; freshly written Microsoft executables carry the $s1 copyright string, which is the only pattern in this rule that legitimate software shares.
Filter/Exclusion: Correlate with ProcessName containing wuauclt.exe or the wuauserv service, but do not exclude files because they sit under C:\Windows\; adversaries drop tools there precisely to blend in. A full match also requires $op1, $op2 and $op3, so a hit in a system directory is verified by Authenticode signature and SHA-256 comparison against hash1 and, if benign, excluded by hash only.
Scenario: Admin Tool for Log Analysis
Description: An admin tool like logman.exe or eventvwr.exe collecting or analysing event logs; when the hit is enriched with process context, log collection by these tools can look like data staging.
Filter/Exclusion: For the correlation only, filter process events with ProcessName matching logman.exe or eventvwr.exe, or CommandLine containing log collection arguments (for example logman create, start or stop); the matched file itself still has to be checked by hash and signature.
Scenario: Network Monitoring Tool Execution
Description: A network monitoring tool such as tcpview.exe or Wireshark.exe inspecting traffic. The YARA rule does not observe network activity, so this scenario applies only when the file hit is correlated with network telemetry from the same host.
Filter/Exclusion: Exclude process events with ProcessName matching tcpview.exe or Wireshark.exe, restricted by user context (e.g. administrators only), and only after the matched file has been verified by hash and signature.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like mpcmdrun.exe (Microsoft Defender) or avgscan.exe performing a full system scan, which