The hypothesis is that a match for EquationGroup Tool - April Leak indicates potential adversary activity leveraging compromised credentials or internal access to exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches from advanced persistent threats.
YARA Rule
rule EquationGroup_Toolset_Apr17_promiscdetect_safe {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "6070d8199061870387bb7796fb8ccccc4d6bafed6718cbc3a02a60c6dc1af847"
    strings:
        $s1 = "running on this computer!" fullword ascii
        $s2 = "- Promiscuous (capture all packets on the network)" fullword ascii
        $s3 = "Active filter for the adapter:" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
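As an added example (not the page's or the rule author's code), the following Python re-implements this rule's condition, the MZ magic check, the 80KB size bound and the three fullword strings, over constructed byte strings so the matching logic can be exercised offline without a YARA install. The sample inputs are constructed stand-ins, not real binaries.

```python
import re

# The three `fullword ascii` strings from the rule above (copied from the page)
RULE_STRINGS = [
    b"running on this computer!",
    b"- Promiscuous (capture all packets on the network)",
    b"Active filter for the adapter:",
]
MAX_FILESIZE = 80 * 1024  # YARA's "80KB" is 80 * 1024 bytes


def fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's `fullword` modifier: the match must not be directly
    preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition:
    uint16(0) == 0x5a4d and filesize < 80KB and all of them"""
    # uint16(0) is a little-endian read of the first two bytes, i.e. "MZ"
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return all(fullword_present(data, s) for s in RULE_STRINGS)


def build_sample(prefix: bytes = b"") -> bytes:
    """Constructed stand-in for a small PE image (not a real binary):
    an MZ header, some padding, then the three strings NUL-separated.
    `prefix` glues extra letters onto each string to show `fullword`."""
    header = b"MZ" + b"\x90" * 0x3E + b"PE\x00\x00" + b"\x00" * 256
    return header + b"\x00".join(prefix + s for s in RULE_STRINGS) + b"\x00"


# Constructed test inputs
SAMPLE_MATCH = build_sample()              # all conditions satisfied
SAMPLE_NOT_FULLWORD = build_sample(b"x")   # strings present but not fullword
SAMPLE_NOT_PE = b"PK" + SAMPLE_MATCH[2:]   # ZIP magic instead of MZ
SAMPLE_TOO_BIG = SAMPLE_MATCH + b"\x00" * MAX_FILESIZE  # filesize >= 80KB

if __name__ == "__main__":
    for name, blob in [("match", SAMPLE_MATCH), ("not_fullword", SAMPLE_NOT_FULLWORD),
                       ("not_pe", SAMPLE_NOT_PE), ("too_big", SAMPLE_TOO_BIG)]:
        print(f"{name}: {rule_matches(blob)}")
```

This emulation covers only the constructs this particular rule uses; production scanning should run the rule file itself through yara or yara-python.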
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update service may trigger the rule due to similar file names or hashes.
Filter/Exclusion: Check the process name and parent process. Exclude processes with svchost.exe or wuauclt.exe and verify the file path starts with C:\Windows\ or C:\Windows\System32\.
Scenario: Scheduled Job Running PowerShell Script
Description: A legitimate scheduled job using PowerShell to perform system maintenance or configuration management may match the rule’s behavior.
Filter/Exclusion: Filter by ProcessName = powershell.exe and check for CommandLine containing -File or -Command with known internal scripts. Exclude jobs with Task Scheduler as the parent process.
Scenario: Admin Performing Disk Cleanup or File System Scan
Description: A system administrator running a disk cleanup or file system integrity scan (e.g., using cleanmgr.exe or sfc /scannow) may trigger the rule.
Filter/Exclusion: Exclude processes with cleanmgr.exe, sfc.exe, or dism.exe. Check for presence of C:\Windows\System32\ in the file path.
Scenario: Antivirus or Endpoint Protection Scan
Description: A real-time scan by an antivirus or endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Palo Alto) may generate similar behavior.
Filter/Exclusion: Exclude processes with mpcmdrun.exe, MsMpEng.exe, or Mcshield.exe. Verify the file path starts with the antivirus installation directory.
Scenario: Legitimate Use of WMI or CIM Providers
Description: A system administrator using Windows Management Instrumentation (WMI) or Common Information Model (C