The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary use of legacy malware with known persistence mechanisms. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_PC_LP {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "3a505c39acd48a258f4ab7902629e5e2efa8a2120a4148511fe3256c37967296"
   strings:
      $s1 = "* Failed to get connection information. Aborting launcher!" fullword wide
      $s2 = "Format: <command> <target port> [lp port]" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns ($s1 and $s2) in its detection logic; the condition requires both of them to be present, together with the MZ header check (uint16(0) == 0x5a4d) and the filesize bound (< 200KB).
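As an added illustration (this is not part of the original page and not the rule author's tooling), the following Python re-implements the rule's condition without yara-python, so a reader can see exactly what each clause requires: the MZ magic read as a little-endian uint16, the 200KB bound (YARA's KB is 1024 bytes), and the two strings as fullword wide, i.e. UTF-16LE encoded with no alphanumeric wide character directly before or after them. The sample buffers are constructed inside the script and are not real executables; the function names (wide_fullword_pattern, match_rule, build_sample, demo) are my own.

```python
"""Plain-Python re-implementation of the matching logic in the YARA rule
EquationGroup_Toolset_Apr17_PC_LP (added example; not the rule author's code).

It reproduces the three parts of the rule's condition:
  uint16(0) == 0x5a4d  -> the buffer starts with the 'MZ' DOS header magic
  filesize < 200KB     -> YARA's KB suffix means 1024 bytes
  all of them          -> both $s1 and $s2 must be present, as 'fullword wide'
"""
import re

MZ_MAGIC = 0x5A4D          # 'MZ' read as a little-endian uint16
MAX_FILESIZE = 200 * 1024  # 200KB in YARA units

# The two strings exactly as they appear in the rule.
RULE_STRINGS = {
    "$s1": "* Failed to get connection information. Aborting launcher!",
    "$s2": "Format: <command> <target port> [lp port]",
}


def wide_fullword_pattern(text: str) -> re.Pattern:
    """Build a bytes regex equivalent to a YARA 'fullword wide' string.

    'wide' encodes each character as UTF-16LE (ASCII byte followed by 0x00).
    'fullword' forbids an alphanumeric character directly before or after the
    match; for wide strings YARA looks at the neighbouring 2-byte unit, so the
    boundary check here is an ASCII alphanumeric followed by 0x00.
    """
    body = re.escape(text.encode("utf-16-le"))
    alnum_wide = rb"[A-Za-z0-9]\x00"
    return re.compile(rb"(?<!" + alnum_wide + rb")" + body + rb"(?!" + alnum_wide + rb")")


def match_rule(data: bytes) -> dict:
    """Evaluate the rule's condition over a byte buffer.

    Returns a dict with each sub-check and the overall 'matched' verdict, so a
    reader can see which clause kept a near-miss from firing.
    """
    result = {
        "mz_header": len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC,
        "size_ok": len(data) < MAX_FILESIZE,
    }
    for name, text in RULE_STRINGS.items():
        result[name] = wide_fullword_pattern(text).search(data) is not None
    result["matched"] = (
        result["mz_header"] and result["size_ok"] and all(result[n] for n in RULE_STRINGS)
    )
    return result


def build_sample(include_strings: bool = True, wide: bool = True,
                 pad_to: int = 4096, glue: bool = False) -> bytes:
    """Construct a synthetic buffer for demonstration (not a real executable).

    glue=True places the wide character 'X' directly on both sides of each
    string, which violates the 'fullword' boundary condition.
    """
    blob = bytearray(b"MZ") + b"\x90" * 62  # 'MZ' magic plus filler for the DOS header
    if include_strings:
        for text in RULE_STRINGS.values():
            encoded = text.encode("utf-16-le") if wide else text.encode("ascii")
            boundary = b"X\x00" if glue else b"\x00\x00"
            blob += boundary + encoded + boundary
    blob += b"\x00" * max(0, pad_to - len(blob))
    return bytes(blob)


def demo() -> dict:
    """Run the rule logic over constructed buffers and report the verdicts."""
    return {
        "wide_strings": match_rule(build_sample())["matched"],            # True
        "ascii_only":   match_rule(build_sample(wide=False))["matched"],  # False: not 'wide'
        "glued":        match_rule(build_sample(glue=True))["matched"],   # False: not 'fullword'
        "no_strings":   match_rule(build_sample(include_strings=False))["matched"],  # False
        "too_large":    match_rule(build_sample(pad_to=300 * 1024))["matched"],      # False
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:13s} {'MATCH' if hit else 'no match'}")
```

The ascii_only and glued cases are the ones worth studying: the same text stored as plain ASCII, or butted directly against another alphanumeric wide character, does not satisfy the rule, which is why a YARA rule's string modifiers matter as much as the string itself. The boundary logic here approximates YARA's behaviour for ASCII text only; for production scanning run the rule with yara itself rather than this re-implementation.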
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule due to similar process names or behavior.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance job names (e.g., Cleanup-System-Logs or DiskDefrag).
Scenario: Microsoft Equation Editor Usage
Description: The EquationGroup tool may be confused with the Microsoft Equation Editor (eqnedit.exe), which is used in some enterprise environments for document formatting.
Filter/Exclusion: Exclude processes with the full path C:\Windows\System32\eqnedit.exe or processes initiated by mspaint.exe or wordpad.exe.
Scenario: Admin User Performing File Integrity Check
Description: An admin user may be using tools like PowerShell.exe or certutil.exe to verify file integrity or check system files, which could resemble malicious activity.
Filter/Exclusion: Exclude processes initiated by users with the Administrators group and running from trusted locations (e.g., C:\Windows\System32\ or C:\Windows\Temp\).
Scenario: Legacy Antivirus Scan
Description: Some legacy antivirus tools, such as avgnt.exe or mcafee.exe, may perform file scanning that could trigger the rule due to similar process behavior.
Filter/Exclusion: Exclude processes with known antivirus vendor names or running from their respective installation directories (e.g., C:\Program Files\AVG\ or C:\Program Files\McAfee\).
Scenario: Windows Update or Patching Job
Description: Windows Update or patching jobs, initiated by wusa.exe or `d