This hunt hypothesis covers potential adversary use of an EquationGroup tool from the April 2017 leak (the Shadow Brokers' "Lost in Translation" release), which may indicate advanced persistent threat activity. SOC teams should proactively hunt for it in Azure Sentinel to identify and contain early-stage compromises before they lead to long-term data exfiltration or system control. Note that the YARA rule below matches file content, which the SIEM does not evaluate directly: in Sentinel the practical pivots are the rule's hash1 value (searchable as the SHA256 of files in endpoint file-event tables such as DeviceFileEvents from Defender for Endpoint) and the alerts raised by whichever endpoint or memory scanner actually runs the rule.
YARA Rule
rule EquationGroup_Toolset_Apr17_regprobe {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "99a42440d4cf1186aad1fd09072bd1265e7c6ebbc8bcafc28340b4fe371767de"
    strings:
        $x1 = "Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]" fullword ascii
        $x2 = "key does not exist or pinging w2k system" fullword ascii
        $x3 = "RpcProxy=255.255.255.255:65536" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed in any context where files on disk or process memory are scanned with YARA. It contains three string patterns ($x1, $x2, $x3) in its detection logic; a sample matches only when it begins with the MZ header (uint16(0) == 0x5a4d, i.e. the little-endian reading of the bytes "MZ"), is smaller than 100 KB, and contains at least one of the three strings as a full word (not directly preceded or followed by an alphanumeric character). The exclusion scenarios that follow apply to process-creation telemetry in Sentinel, not to the YARA match itself: a file that hits this rule is not cleared by any of those process filters.
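To make the rule's condition concrete, the following is an added example (not code from the original page or from the rule's author) that re-implements the condition of EquationGroup_Toolset_Apr17_regprobe in plain Python and evaluates it against constructed sample buffers. It reproduces YARA's semantics for the three checks, including the "fullword" modifier that the text above describes; real scanning should of course use YARA (or the yara-python bindings), and the sample buffers are assumptions built inline for the demonstration, not files from the leak.

```python
# Added example: a minimal evaluator for the condition of the YARA rule
# EquationGroup_Toolset_Apr17_regprobe. Not a YARA engine; it mirrors only
# the three checks the rule uses (MZ header, filesize < 100KB, 1 of them).

# The rule's strings, all declared "fullword ascii".
RULE_STRINGS = {
    "$x1": b"Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]",
    "$x2": b"key does not exist or pinging w2k system",
    "$x3": b"RpcProxy=255.255.255.255:65536",
}

# YARA's "100KB" means 100 * 1024 bytes.
MAX_SIZE = 100 * 1024


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if the byte before and the
    byte after it are not alphanumeric (start/end of buffer count as boundaries)."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return False
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1  # keep looking for a later, properly bounded occurrence


def scan(data: bytes) -> dict:
    """Evaluate the rule condition and report why a sample did or did not match."""
    hits = [name for name, s in RULE_STRINGS.items() if fullword_matches(data, s)]
    # uint16(0) == 0x5a4d: little-endian read of the first two bytes, i.e. b"MZ".
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    matched = is_pe and len(data) < MAX_SIZE and len(hits) >= 1
    return {"matched": matched, "is_pe": is_pe, "size": len(data), "strings": hits}


def build_pe_like(payload: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for a PE file (assumption: only the MZ bytes matter
    to this rule): MZ header bytes, null padding, the payload, null padding."""
    body = b"MZ" + b"\x00" * 62 + payload + b"\x00"
    return body.ljust(size, b"\x00")


# Constructed samples (not real files): one true positive and three near-misses.
SAMPLE_HIT = build_pe_like(RULE_STRINGS["$x2"])
SAMPLE_NOT_FULLWORD = build_pe_like(b"x" + RULE_STRINGS["$x2"] + b"s")   # "xkey ... systems"
SAMPLE_NOT_PE = b"notes: " + RULE_STRINGS["$x3"] + b"\n"                  # text file, no MZ
SAMPLE_TOO_BIG = build_pe_like(RULE_STRINGS["$x1"], size=MAX_SIZE)        # exactly 100 KB


if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("not fullword", SAMPLE_NOT_FULLWORD),
                          ("not PE", SAMPLE_NOT_PE), ("too big", SAMPLE_TOO_BIG)]:
        print(f"{label:13s} -> {scan(sample)}")
```

Only the first sample matches; the other three show the three ways a file that contains one of the leak strings still fails the rule (string embedded inside a larger word, no MZ header, or size at or above 100 KB). These are also the cases to keep in mind when a hunt turns up a string hit from a text-based search that the YARA rule itself would not fire on.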
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName containing schtasks.exe and CommandLine containing /create or /delete, or filter by ParentProcessName like TaskScheduler.
Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup tool) to remove temporary files or system cache.
Filter/Exclusion: Filter by ProcessName cleanmgr.exe and exclude processes with CommandLine containing /d or /s for disk cleanup operations.
Scenario: PowerShell Script for Log Rotation
Description: A PowerShell script (powershell.exe) used by the IT team to rotate and archive log files, which may involve file system operations similar to malicious activity.
Filter/Exclusion: Filter by ProcessName powershell.exe and check for CommandLine containing -Command or -File with known benign scripts or paths in the System32 or Scripts directory.
Scenario: Antivirus Quarantine Process
Description: A legitimate process initiated by an antivirus tool (e.g., avgnt.exe, mcafee.exe) to quarantine or remove detected malicious files.
Filter/Exclusion: Filter by ProcessName containing antivirus tool names and check for ParentProcessName like explorer.exe or svchost.exe associated with security software.
Scenario: Database Backup Job
Description: A database backup job initiated by a tool like sqlbackup.exe or mysqldump.exe that involves copying large amounts of data, which may trigger file system activity similar to