The hypothesis is that a detection of EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware variant associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated adversaries reusing legacy or dormant tooling.
YARA Rule
```yara
rule EquationGroup_Toolset_Apr17_pwd_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "ee72ac76d82dfec51c8fbcfb5fc99a0a45849a4565177e01d8d23a358e52c542"
   strings:
      $s1 = "7\"7(7/7>7O7]7o7w7" fullword ascii
      $op1 = { 40 50 89 44 24 18 FF 15 34 20 00 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them )
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: $s1, a fullword ASCII string, and $op1, a hex byte sequence. Either one is sufficient for a match, provided the file starts with an MZ header (uint16(0) == 0x5a4d) and is smaller than 20KB.
**Scenario: Legitimate System Update via Windows Update**
Description: A system update from Microsoft's Windows Update may include files or registry changes that resemble those of the EquationGroup tool.
Filter/Exclusion: Check the file_name or process_name for known Windows Update components (e.g., wuauclt.exe, wusa.exe), or use a process_parent filter to identify updates initiated by svchost.exe or taskhost.exe.

**Scenario: Scheduled Job Running Microsoft Baseline Security Analyzer (MBSA)**
Description: The MBSA tool (now deprecated) is used for security assessments and may generate artifacts similar to those of the EquationGroup tool.
Filter/Exclusion: Filter by process_name for mbsa.exe, or check the command_line for the mbsa or securitybaseline keywords.

**Scenario: Admin Task Using PowerShell for System Configuration**
Description: Administrators may use PowerShell scripts to modify system configurations, which can create file or registry changes similar to those of the EquationGroup tool.
Filter/Exclusion: Use a process_name filter for powershell.exe and check the command_line for known admin tasks (e.g., Set-ItemProperty, Get-ChildItem).

**Scenario: Legitimate Use of Microsoft Sysinternals Tools**
Description: Tools like Process Explorer or Process Monitor from Microsoft Sysinternals may generate process or file activity similar to that of the EquationGroup tool.
Filter/Exclusion: Filter by process_name for procexp.exe, procmon.exe, or handle.exe, or check the file_path for known Sysinternals directories (e.g., C:\Program Files (x86)\Sysinternals).

**Scenario: Antivirus or Endpoint
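As an added example (not part of the original page or of Florian Roth's rule set), the following Python re-implements the rule's condition, including the fullword semantics of $s1 and YARA's 1024-byte KB, and then applies the scenario filters above to a hit. The event field names (process_name, process_parent, command_line, file_path) are assumed, and the Windows Update check is written to require both the process-name and the parent-process signal rather than either one alone.

```python
import re

# Patterns copied from the rule above; the evaluator itself is added example code.
S1 = b'7"7(7/7>7O7]7o7w7'                                 # $s1, fullword ascii
OP1 = bytes.fromhex("40 50 89 44 24 18 FF 15 34 20 00")    # $op1
# YARA fullword: the string must not be adjacent to alphanumeric characters.
S1_FULLWORD = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(S1) + rb"(?![A-Za-z0-9])")


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 20KB and 1 of ($s1, $op1)."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False                         # not an MZ header
    if len(data) >= 20 * 1024:               # YARA's KB suffix means 1024 bytes
        return False
    return bool(S1_FULLWORD.search(data)) or OP1 in data


# Filters from the false-positive scenarios above (field names are assumptions).
UPDATE_PROCS = {"wuauclt.exe", "wusa.exe"}
UPDATE_PARENTS = {"svchost.exe", "taskhost.exe"}
SYSINTERNALS_PROCS = {"procexp.exe", "procmon.exe", "handle.exe"}
SYSINTERNALS_DIR = r"c:\program files (x86)\sysinternals"


def triage_hit(event: dict) -> str:
    """Label a YARA hit with the benign scenario it fits, or 'investigate'."""
    proc = event.get("process_name", "").lower()
    parent = event.get("process_parent", "").lower()
    cmd = event.get("command_line", "").lower()
    path = event.get("file_path", "").lower()
    if proc in UPDATE_PROCS and parent in UPDATE_PARENTS:
        return "windows_update"
    if proc == "mbsa.exe" or "mbsa" in cmd or "securitybaseline" in cmd:
        return "mbsa"
    if proc == "powershell.exe" and ("set-itemproperty" in cmd or "get-childitem" in cmd):
        return "powershell_admin"
    if proc in SYSINTERNALS_PROCS or path.startswith(SYSINTERNALS_DIR):
        return "sysinternals"
    return "investigate"


if __name__ == "__main__":
    # Constructed sample: a small MZ-prefixed buffer carrying the $op1 bytes.
    sample = b"MZ" + b"\x00" * 64 + OP1 + b"\x00" * 16
    print("rule hit:", rule_matches(sample))
    print("triage:", triage_hit({"process_name": "unknown.exe", "process_parent": "explorer.exe"}))
```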