The hypothesis is that a detection of the EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats, which may be used for data exfiltration or system persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise of critical systems.
**YARA Rule**

```yara
rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "57b47613a3b5dd820dae59fc6dc2b76656bd578f015f367675219eb842098846"
    strings:
        $s1 = "Failure parsing command from %hs:%u: os=%u plugin=%u" fullword wide
        $s2 = "Unable to get TCP listen port: %08x" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
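As an added illustration, not part of the original page or of the rule author's tooling, the following Python reproduces the rule's condition by hand: the `uint16(0) == 0x5a4d` (MZ) check, the `filesize < 200KB` bound, and `fullword wide` (UTF-16LE, delimited by non-alphanumerics) matching of both strings. The input buffers are constructed test data, not real samples.

```python
# The rule's two strings, declared "fullword wide" on the page.
RULE_STRINGS = {
    "$s1": "Failure parsing command from %hs:%u: os=%u plugin=%u",
    "$s2": "Unable to get TCP listen port: %08x",
}
MAX_FILESIZE = 200 * 1024  # rule condition: filesize < 200KB


def _is_alnum_wide(pair: bytes) -> bool:
    # A UTF-16LE ASCII alphanumeric is an alnum byte followed by 0x00.
    return len(pair) == 2 and pair[1] == 0 and pair[0] < 128 and chr(pair[0]).isalnum()


def _fullword_wide_match(data: bytes, text: str) -> bool:
    """Emulate YARA 'fullword wide': the UTF-16LE encoding of text must occur
    in data with no alphanumeric wide char immediately before or after it."""
    needle = text.encode("utf-16-le")
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - 2:idx] if idx >= 2 else b""
        after = data[idx + len(needle):idx + len(needle) + 2]
        if not _is_alnum_wide(before) and not _is_alnum_wide(after):
            return True
        start = idx + 1  # keep scanning; a later occurrence may be fullword
    return False


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition and return per-string and overall results."""
    matches = {name: _fullword_wide_match(data, s) for name, s in RULE_STRINGS.items()}
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    fires = is_mz and len(data) < MAX_FILESIZE and all(matches.values())
    return {"matches": matches, "is_mz": is_mz, "rule_fires": fires}


def build_sample(with_strings: bool = True, fullword: bool = True) -> bytes:
    """Constructed buffer (not a real PE): 'MZ' header, zero padding, and the
    rule strings as UTF-16LE. With fullword=False an alnum char is glued on so
    the fullword modifier rejects the match."""
    buf = bytearray(b"MZ" + b"\x00" * 62)
    if with_strings:
        for s in RULE_STRINGS.values():
            if not fullword:
                s += "X"  # trailing 'X' makes the string part of a longer word
            buf += s.encode("utf-16-le") + b"\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    print(evaluate_rule(build_sample()))
    print(evaluate_rule(build_sample(fullword=False)))
```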
**Scenario: Scheduled System Maintenance Task**
Description: A legitimate scheduled task runs a script that uses curl or wget to download a file from an internal server, which may trigger the rule due to network activity.
Filter/Exclusion: Exclude traffic to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or filter by known internal file servers.

**Scenario: Admin Performing Software Update via PowerShell**
Description: An administrator uses PowerShell to download and install a software update from a trusted internal repository, which may be flagged due to the use of Invoke-WebRequest or Start-Process.
Filter/Exclusion: Exclude PowerShell scripts executed by members of the “Domain Admins” group or filter by known update servers (e.g., update.example.com).

**Scenario: Log Collection Agent Using curl**
Description: A log aggregation tool such as Fluentd or Logstash uses curl to send logs to a central logging server, which may be misidentified as malicious activity.
Filter/Exclusion: Exclude traffic to known log servers (e.g., logserver.example.com) or filter by process names such as fluentd or logstash.

**Scenario: Database Backup Job Using rsync or scp**
Description: A database backup job runs nightly using rsync or scp to transfer data between servers, which may trigger the rule due to file transfer activity.
Filter/Exclusion: Exclude traffic to backup servers (e.g., backup.example.com) or filter by process names such as rsync or scp.
**Scenario: User Downloading