The hypothesis is that a match on the YARA rule for EquationGroup Tool - April Leak (a file-content hit on a small PE carrying the usage strings of an RC5 encrypt/decrypt utility from the Shadow Brokers "Lost in Translation" release of April 2017) indicates possible adversary use of legacy Equation Group tooling associated with advanced persistent threats. A SOC team should proactively hunt for this in Azure Sentinel, using whatever file-scan or endpoint telemetry delivers YARA results, to identify long-lived, sophisticated intrusions that may have evaded signature-based defenses.
YARA Rule
rule EquationGroup_Toolset_Apr17_rc5 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "69e2c68c6ea7be338497863c0c5ab5c77d5f522f0a84ab20fe9c75c7f81318eb"
    strings:
        $s1 = "Usage: %s [d|e] session_key ciphertext" fullword ascii
        $s2 = "where session_key and ciphertext are strings of hex" fullword ascii
        $s3 = "d = decrypt mode, e = encrypt mode" fullword ascii
        $s4 = "Bad mode, should be 'd' or 'e'" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic, all ASCII and all marked fullword (the string must not be bordered by alphanumeric bytes). A file matches only when all three parts of the condition hold: the first two bytes are "MZ" (uint16(0) == 0x5a4d, read little-endian), the file is smaller than 200 KB (200 * 1024 bytes), and at least 2 of the 4 strings are present. Because the strings are plain usage text from a command-line encrypt/decrypt tool, a hit identifies the binary itself, not a behavior; the hash1 value in the meta section is the one known sample and is the first thing to compare a hit against.
The scenarios below are written against process activity, but this rule evaluates file content. A process name, user context or script path cannot by itself explain or excuse a hit; the only object to triage is the file that matched. For each scenario the realistic question is whether the file the task touched is a legitimate copy of the tool (for example a malware-sample store) or an unexpected binary on a production host.

Scenario: Scheduled System Maintenance Task
Description: A scheduled job run via schtasks.exe cleans temporary files or updates settings. The job's own activity cannot satisfy the rule; a hit attributed to it means a PE under 200 KB containing at least two of the four strings was read, written or moved by the job.
Filter/Exclusion: Do not exclude on schtasks.exe or on a task name such as Cleanup-TempFiles. Triage the matched file instead: compare its SHA-256 with hash1, record which $s strings matched, and establish how the file arrived in the directory the task works on.

Scenario: Admin Performing Disk Cleanup
Description: An administrator runs cleanmgr.exe (Disk Cleanup) to remove temporary files and caches. Cleanup can surface a hit only when a matching PE already sits in the temp or cache paths it walks.
Filter/Exclusion: Do not exclude by process or by user context (Administrator or SYSTEM). A matching binary in a temp directory is more suspicious, not less; preserve the file before cleanup deletes it and treat it as the finding.

Scenario: Antivirus Scan Using ClamAV
Description: A scheduled clamscan run reads every file on disk. If YARA evaluation is driven by file-access telemetry, the same file can be evaluated many times during the scan, producing repeated hits on one object. The scanner binary itself does not contain these strings, but a quarantine or sample store it manages can legitimately hold a copy of the tool.
Filter/Exclusion: Deduplicate hits by file hash rather than excluding clamscan.exe or the clamav process name. Exclude a quarantine or sample directory only after verifying what is stored there and that the stored copy is the known hash1 sample.

Scenario: Log File Rotation by Logrotate
Description: logrotate renames and compresses text logs under /var/log/. Those files have no MZ header, so the rule cannot fire on them.
Filter/Exclusion: No exclusion is needed for log directories. A hit on a Linux host that appears to coincide with rotation points at a Windows PE present on that host, which should be investigated on its own.

Scenario: PowerShell Script for System Monitoring
Description: PowerShell.exe runs a metrics-collection script. Scripts are text and cannot match; a hit can arise only if the script reads, downloads or writes a binary that carries the strings.
Filter/Exclusion: Do not exclude PowerShell.exe or script paths such as C:\Windows\System32\ or C:\Program Files\. Identify the file the hit refers to, confirm its hash against hash1, and review the script for the code path that produced the file.
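To make the rule's condition and the triage steps above concrete, here is an added example (written for this page, not the rule author's or any project's code) that re-implements the condition of EquationGroup_Toolset_Apr17_rc5 in plain Python: the little-endian MZ check, the 200 KB limit, the fullword semantics of the four strings and the "2 of them" count. It also reports which strings matched and whether the SHA-256 equals hash1, which is the triage record a hunter wants per hit. The fullword emulation (no alphanumeric byte on either side of the match) and the sample buffers are assumptions constructed for the demonstration; none of them is a real file from the leak. In production, run the rule with yara itself; this script is for understanding and for triaging results.

```python
import hashlib
import re
import struct

# The four strings from rule EquationGroup_Toolset_Apr17_rc5, all declared
# "fullword ascii"; kept in rule order so reports list them the same way.
RULE_STRINGS = {
    "$s1": b"Usage: %s [d|e] session_key ciphertext",
    "$s2": b"where session_key and ciphertext are strings of hex",
    "$s3": b"d = decrypt mode, e = encrypt mode",
    "$s4": b"Bad mode, should be 'd' or 'e'",
}
KNOWN_HASH1 = "69e2c68c6ea7be338497863c0c5ab5c77d5f522f0a84ab20fe9c75c7f81318eb"
SIZE_LIMIT = 200 * 1024   # YARA's "200KB" is 200 * 1024 bytes
MIN_STRINGS = 2           # the rule's "2 of them"


def fullword_in(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's fullword modifier (assumption): the needle must not be
    immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes) -> dict:
    """Apply the rule's condition to a file's bytes and return a triage record."""
    matched = [name for name, s in RULE_STRINGS.items() if fullword_in(data, s)]
    # uint16(0) == 0x5a4d: YARA reads little-endian, so this is the "MZ" DOS stub
    has_mz = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D
    under_limit = len(data) < SIZE_LIMIT
    digest = hashlib.sha256(data).hexdigest()
    return {
        "match": has_mz and under_limit and len(matched) >= MIN_STRINGS,
        "matched_strings": matched,
        "mz_header": has_mz,
        "under_size_limit": under_limit,
        "sha256": digest,
        "is_known_sample": digest == KNOWN_HASH1,   # compare against meta hash1
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as f:
        return evaluate(f.read())


def _pe_like(*strings: bytes) -> bytes:
    """Constructed test data: an MZ signature, a zeroed DOS-header tail and the
    given strings separated by NUL bytes. Not a real executable."""
    return b"MZ" + b"\x00" * 62 + b"\x00".join(strings) + b"\x00" * 16


# Constructed samples for the demonstration (not files from the leak)
SAMPLE_HIT = _pe_like(RULE_STRINGS["$s3"], RULE_STRINGS["$s4"])          # 2 strings, MZ, small
SAMPLE_NOT_PE = b"\x7fELF" + SAMPLE_HIT[4:]                               # same strings, ELF magic
SAMPLE_ONE_STRING = _pe_like(RULE_STRINGS["$s1"])                         # only 1 of 4
SAMPLE_NOT_FULLWORD = _pe_like(b"abc" + RULE_STRINGS["$s3"] + b"def",    # $s3 glued to letters
                               RULE_STRINGS["$s4"])
SAMPLE_TOO_BIG = _pe_like(RULE_STRINGS["$s1"], RULE_STRINGS["$s2"]) + b"\x00" * (256 * 1024)

if __name__ == "__main__":
    for name in ("SAMPLE_HIT", "SAMPLE_NOT_PE", "SAMPLE_ONE_STRING",
                 "SAMPLE_NOT_FULLWORD", "SAMPLE_TOO_BIG"):
        r = evaluate(globals()[name])
        print(f"{name}: match={r['match']} strings={r['matched_strings']} "
              f"mz={r['mz_header']} size_ok={r['under_size_limit']} known={r['is_known_sample']}")
```

The sample buffers show why process-based exclusions do not fit this rule: the ELF buffer carries both strings yet cannot match, the oversized buffer fails on size alone, and a string touching alphanumeric bytes does not count under fullword. When a real hit comes in, the fields to carry into the Sentinel incident are the file hash, the matched string names and the is_known_sample result, not the parent process.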