The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates a binary from the Shadow Brokers' April 2017 release of Equation Group tooling, which is associated with advanced persistent threat activity. A SOC team should proactively hunt for such files in Azure Sentinel (now Microsoft Sentinel) to identify and contain compromise by adversaries reusing this legacy or dormant tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_Regread_1_1_1 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
    strings:
        $s1 = "[+] Connected to the Registry Service" fullword ascii
        $s2 = "f08d49ac41d1023d9d462d58af51414daff95a6a" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them )
}
The rule contains two string patterns and a narrow condition: the file must begin with the PE header bytes MZ (uint16(0) == 0x5a4d, read little-endian), be smaller than 80 KB (80 * 1024 bytes in YARA), and contain at least one of the two strings as a whole word (fullword, i.e. not directly preceded or followed by an alphanumeric character). $s1 is a console status message printed by the tool; $s2 is a 40-character hexadecimal string embedded in the binary. Because the condition is evaluated on file content, the rule is applied by a file or memory scanner, and a match identifies a file or process image, not the command line of whatever process happened to be running when the scan ran.
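To make the condition concrete, the following Python is an added example written for this page; it is not code from the rule's author or from the signature-base project. It re-implements the rule's condition, including the fullword semantics, over a few constructed in-memory samples (a small MZ file carrying $s1, a file where $s2 is glued to other hex characters, a .ps1 text file containing $s1, an oversized binary, and a second small MZ file carrying $s2), then applies a SHA-256 allow-list of the kind the exclusion scenarios in this page call for. Sample bytes, file names and the approved hash are constructed for the example; in production the rule is run by yara itself and the allow-list lives with the case record.

```python
import hashlib

# Strings and thresholds copied from the YARA rule above.
S1 = b"[+] Connected to the Registry Service"
S2 = b"f08d49ac41d1023d9d462d58af51414daff95a6a"
MAX_SIZE = 80 * 1024   # YARA's "80KB" is 80 * 1024 bytes
MZ = b"MZ"             # uint16(0) == 0x5a4d read little-endian is the bytes 'M','Z'


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's `fullword ascii`: some occurrence of the string must not be
    directly preceded or followed by an alphanumeric character."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
        start = i + 1


def rule_matches(data: bytes) -> dict:
    """Evaluate the rule's condition and report which strings hit."""
    hits = [name for name, s in (("$s1", S1), ("$s2", S2)) if fullword_ascii(data, s)]
    matched = data[:2] == MZ and len(data) < MAX_SIZE and len(hits) >= 1
    return {"match": matched, "strings": hits, "sha256": hashlib.sha256(data).hexdigest()}


def triage(samples: dict, allowlist: set) -> dict:
    """Return the matches that are not suppressed by the SHA-256 allow-list."""
    out = {}
    for name, data in samples.items():
        r = rule_matches(data)
        if r["match"] and r["sha256"] not in allowlist:
            out[name] = r
    return out


def build_pe_like(payload: bytes, pad_to: int = 4096) -> bytes:
    """Constructed stand-in for a small PE: MZ header, filler, then the payload.
    Only the first two bytes matter to the rule; this is not a loadable PE."""
    body = MZ + b"\x90\x00" * 30 + b"\x00" * 256 + payload
    return body.ljust(pad_to, b"\x00")


# Constructed samples (hypothetical file names, not files from the leak).
SAMPLES = {
    # small MZ file carrying $s1 as a whole word: matches
    "tool_like.exe": build_pe_like(b"\x00" + S1 + b"\x00"),
    # $s2 glued to other hex characters: fullword fails, no match
    "glued.exe": build_pe_like(b"abc" + S2 + b"def"),
    # $s1 inside a PowerShell script: no MZ header, so no match
    "hunt.ps1": b"Select-String -Pattern '" + S1 + b"' log.txt\r\n",
    # MZ file with $s1 but exactly 80 KB: filesize < 80KB fails, no match
    "big.exe": build_pe_like(b" " + S1 + b" ", pad_to=MAX_SIZE),
    # small MZ file carrying $s2 as a whole word: matches
    "dropper.dll": build_pe_like(b"\x00" + S2 + b"\x00"),
}

# Hypothetical analyst-approved sample kept in the malware repository: it is
# suppressed by SHA-256, the same way hash1 in the rule identifies the real file.
APPROVED = {hashlib.sha256(SAMPLES["dropper.dll"]).hexdigest()}


def run() -> dict:
    """Matches that still need a human look after the allow-list is applied."""
    return triage(SAMPLES, APPROVED)


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name}: strings={r['strings']} sha256={r['sha256'][:16]}...")
```

Only tool_like.exe survives triage: dropper.dll matches the rule but is suppressed by hash, and the other three samples fail one of the three condition terms. Note that the .ps1 sample carries $s1 and still cannot match, which is why process or command-line filters on powershell.exe add nothing to a file-content rule.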
Scenario: Scheduled System Maintenance Task
Description: A maintenance task such as sfc /scannow or DISM runs under the SYSTEM or an administrator account. These utilities are Microsoft-signed and contain neither of the rule's strings, so they do not match the rule themselves; a hit that appears during a maintenance window is on the file that was scanned, not on the task that triggered the scan.
Filter/Exclusion: Command-line filters on sfc, DISM or dism.exe do not reduce matches from a file-content rule. Suppress only files that carry a valid Microsoft Authenticode signature and a known-good hash, and keep the underlying match available for review.
Scenario: Leaked EquationGroup Tool (Legacy Sample)
Description: The actual tool from the April 2017 leak is present on disk because an analyst is running a legacy security assessment, a forensic examination, or a detection test against the real sample.
Filter/Exclusion: Exclude by file hash and storage location (the approved malware repository or analysis VM), using the SHA-256 values the team has approved, such as the hash1 value in the rule. Do not exclude on file name: the leaked binaries can be renamed freely, so a name-based allow-list would also suppress an attacker's copy.
Scenario: PowerShell Script for Log Analysis
Description: A PowerShell log-analysis or detection-testing script embeds one of the rule's strings as a literal, for example to search logs for "[+] Connected to the Registry Service". A .ps1 file is plain text and does not start with the MZ header, so it cannot match; the rule can fire only if the literal ends up inside a small PE file, such as a compiled helper or a script packaged into an executable.
Filter/Exclusion: Filters on powershell.exe with -Command or -File do not affect a file-content match. Exclude only the specific helper binary, by hash and path.
Scenario: Admin Task for Patch Deployment
Description: Windows Update or Group Policy runs wuauclt.exe, gpupdate.exe or wusa.exe as Local System or an administrator. These are Microsoft-signed binaries that contain neither string, and the update packages they stage (.msu and .cab) are CAB archives rather than PE files, so the rule does not match them.
Filter/Exclusion: Apply the same Authenticode-signature-plus-known-hash suppression as for maintenance tasks rather than a command-line filter on wuauclt.exe, gpupdate.exe or wusa.exe.
Scenario: Third-Party Security Tool Scan
Description: An EDR or antivirus agent such as CrowdStrike or SentinelOne opens, stages or quarantines files during a scan or integrity check. If the YARA scan is triggered by those file reads, the match can be raised in the context of the agent process even though the agent was examining, not executing, the suspicious file; the file itself still warrants review.
Filter/Exclusion: Exclude processes with known security tool names (e.g.,