The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware variant, which may be part of a targeted attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging known but potentially reactivated malware.
YARA Rule
rule EquationGroup_Toolset_Apr17_Processes_Target {
meta:
description = "Detects EquationGroup Tool - April Leak"
author = "Florian Roth"
reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
date = "2017-04-15"
hash1 = "69cf7643dbecc5f9b4b29edfda6c0295bc782f0e438f19be8338426f30b4cc74"
strings:
$s1 = "Select * from Win32_Process" fullword ascii
$s3 = "\\\\%ls\\root\\cimv2" fullword wide
$s5 = "%4ls%2ls%2ls%2ls%2ls%2ls.%11l[0-9]%1l[+-]%6s" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., schtasks.exe) is running a maintenance script that uses certutil or powershell.exe to update certificates or system files.
Filter/Exclusion: Check for ProcessName = "schtasks.exe" or CommandLine contains "schtasks /create" and exclude based on known maintenance task names or IDs.
Scenario: PowerShell Script for Certificate Renewal
Description: A PowerShell script (e.g., certutil.exe or Import-Certificate) is used to renew or import SSL certificates, which may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Filter by ProcessName = "powershell.exe" and check for CommandLine contains "Import-Certificate" or "certutil -addstore" with known certificate authorities.
Scenario: Admin Performing System File Integrity Check
Description: An administrator is using tools like sfc.exe or dism.exe to scan and repair system files, which may generate similar command-line activity to the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName = "sfc.exe" or "dism.exe" and exclude based on known administrative tasks or system health checks.
Scenario: Antivirus or EDR Tool Scanning for Malware
Description: A security tool like Microsoft Defender or CrowdStrike Falcon is performing a scan and uses certutil or similar utilities to verify signatures, triggering the rule.
Filter/Exclusion: Check for ProcessName = "MsMpEng.exe" or "Falcon.exe" and exclude based on known security tool processes or scheduled scan times.
Scenario: Legacy System Migration or Decommissioning
Description: A legacy system is being