The hypothesis is that a detection of the EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware tool associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated adversaries using legacy or repurposed malware.
YARA Rule
rule EquationGroup_Toolset_Apr17_put_Implant9x {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "8fcc98d63504bbacdeba0c1e8df82f7c4182febdf9b08c578d1195b72d7e3d5f"
    strings:
        $s1 = "3&3.3<3A3F3K3V3c3m3" fullword ascii
        $op1 = { c9 c2 08 00 b8 72 1c 00 68 e8 c9 fb ff ff 51 56 }
        $op2 = { 40 1b c9 23 c8 03 c8 38 5d 14 74 05 6a 03 58 eb }
    condition:
        // MZ header (little-endian read of the first two bytes), under 20 KB,
        // and at least two of the three strings present
        ( uint16(0) == 0x5a4d and filesize < 20KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
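To make the condition concrete, the following is an added pure-Python re-implementation of this rule's matching logic (it is not the page's or the YARA project's code and does not use the yara library): it checks the MZ magic via a little-endian read of uint16(0), the 20KB size bound, the fullword modifier on $s1, and the "2 of them" count, against constructed byte blobs that are not real executables.

```python
# Patterns copied from the rule on this page
S1 = b"3&3.3<3A3F3K3V3c3m3"                                              # $s1, fullword ascii
OP1 = bytes.fromhex("c9 c2 08 00 b8 72 1c 00 68 e8 c9 fb ff ff 51 56")   # $op1
OP2 = bytes.fromhex("40 1b c9 23 c8 03 c8 38 5d 14 74 05 6a 03 58 eb")   # $op2
MAX_SIZE = 20 * 1024  # "filesize < 20KB": YARA's KB suffix means 1024 bytes

def fullword_matches(data, s):
    """True if s occurs in data delimited by non-alphanumeric bytes,
    which is what YARA's 'fullword' modifier requires."""
    start = 0
    while (i := data.find(s, start)) >= 0:
        end = i + len(s)
        before_ok = i == 0 or not bytes([data[i - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            return True
        start = i + 1
    return False

def evaluate_rule(data):
    """Return (matched, hit_ids) for the rule's condition:
    uint16(0) == 0x5a4d and filesize < 20KB and 2 of them."""
    hits = []
    if fullword_matches(data, S1):
        hits.append("$s1")
    if OP1 in data:          # hex strings carry no fullword modifier
        hits.append("$op1")
    if OP2 in data:
        hits.append("$op2")
    # uint16(0) is a little-endian read of the first two bytes; 0x5a4d is "MZ"
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return (is_mz and len(data) < MAX_SIZE and len(hits) >= 2), hits

def build_sample(patterns, pad_to=4096, header=b"MZ"):
    """Constructed test blob (not a real executable): header, then the
    given patterns separated by NUL bytes, NUL-padded to pad_to bytes."""
    blob = header + b"\x00" + b"\x00".join(patterns)
    return blob.ljust(pad_to, b"\x00")

if __name__ == "__main__":
    for label, blob in [
        ("s1+op1, MZ, 4KB", build_sample([S1, OP1])),
        ("s1 only", build_sample([S1])),
        ("s1 not fullword + op1", build_sample([b"x" + S1 + b"y", OP1])),
        ("all three but 64KB", build_sample([S1, OP1, OP2], pad_to=64 * 1024)),
        ("op1+op2, no MZ header", build_sample([OP1, OP2], header=b"PK")),
    ]:
        print(f"{label:28s} -> {evaluate_rule(blob)}")
```

Only the first sample matches; the others show how each clause of the condition (size bound, MZ magic, fullword delimiting, the two-of-three count) rules a file out.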
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler is running a maintenance script that includes base64 encoded data or similar patterns.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler, and filter out tasks with known maintenance scripts (e.g., WindowsUpdate or DiskDefragmenter).
Scenario: Admin Using PowerShell for Configuration Management
Description: An admin is using PowerShell (powershell.exe) to configure system settings, and the script includes base64 encoded strings for obfuscation.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for known admin scripts or modules (e.g., PSConfig, PSDsc).
Scenario: Log File Parsing or Data Extraction Job
Description: A job using logparser.exe or a custom script is parsing log files and extracting base64 encoded data for analysis.
Filter/Exclusion: Filter by ProcessName containing logparser.exe or check for file paths related to log directories (e.g., C:\Windows\System32\LogFiles).
Scenario: Software Update or Patch Deployment
Description: A legitimate patch deployment tool (e.g., Windows Update, Microsoft Endpoint Manager) is executing a script that includes base64 encoded payloads for patching.
Filter/Exclusion: Filter by ProcessName containing wusa.exe, msiexec.exe, or check for known update-related processes.
Scenario: Database Backup or Restore Operation
Description: A database backup or restore operation using sqlcmd.exe or mysqldump includes base64 encoded data in the script for encryption or compression.