The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of sophisticated, legacy malware that may be part of a long-term persistence or data exfiltration campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_RemoteExecute_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "770663c07c519677316934cf482e500a73540d9933342c425f3e56258e6e6d8b"
   strings:
      $op1 = { 53 00 63 00 68 00 65 00 64 00 75 00 6C 00 65 00
               00 00 00 00 53 00 65 00 72 00 76 00 69 00 63 00
               65 00 73 00 41 00 63 00 74 00 69 00 76 00 65 00
               00 00 00 00 FF FF FF FF 00 00 00 00 B0 17 00 68
               5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 65 00
               63 00 6F 00 6E 00 64 00 61 00 72 00 79 00 4C 00
               6F 00 67 00 6F 00 6E 00 00 00 00 00 5C 00 00 00
               57 00 69 00 6E 00 53 00 74 00 61 00 30 00 5C 00
               44 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00
               6E 00 63 00 61 00 63 00 6E 00 5F 00 6E 00 70 00
               00 00 00 00 5C 00 70 00 69 00 70 00 65 00 5C 00
               53 00 45 00 43 00 4C 00 4F 00 47 00 4F 00 4E }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
}
This rule contains a single string pattern ($op1) in its detection logic. The scenarios below describe contexts in which legitimate activity may trigger it and the filters or exclusions to apply.
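As an added example (not the rule author's code and not YARA itself), the following Python re-implements the rule's condition and decodes the UTF-16LE strings packed into $op1, which is what an analyst needs when triaging a hit or judging the exclusions below. It assumes YARA's 40KB means 40 * 1024 bytes; the sample inputs are constructed, not real files.

```python
"""Added example: evaluate the condition of
EquationGroup_Toolset_Apr17_RemoteExecute_Implant in plain Python and show
what the $op1 hex pattern actually contains."""
import re

# $op1 copied from the rule above: UTF-16LE strings plus a few raw bytes.
OP1 = bytes.fromhex("""
    53 00 63 00 68 00 65 00 64 00 75 00 6C 00 65 00
    00 00 00 00 53 00 65 00 72 00 76 00 69 00 63 00
    65 00 73 00 41 00 63 00 74 00 69 00 76 00 65 00
    00 00 00 00 FF FF FF FF 00 00 00 00 B0 17 00 68
    5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 65 00
    63 00 6F 00 6E 00 64 00 61 00 72 00 79 00 4C 00
    6F 00 67 00 6F 00 6E 00 00 00 00 00 5C 00 00 00
    57 00 69 00 6E 00 53 00 74 00 61 00 30 00 5C 00
    44 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00
    6E 00 63 00 61 00 63 00 6E 00 5F 00 6E 00 70 00
    00 00 00 00 5C 00 70 00 69 00 70 00 65 00 5C 00
    53 00 45 00 43 00 4C 00 4F 00 47 00 4F 00 4E
""")
MAX_FILESIZE = 40 * 1024  # YARA's "40KB" is 40 * 1024 bytes (assumption stated above)

def decode_op1_strings(pattern: bytes = OP1) -> list:
    """Return the printable UTF-16LE runs (2+ chars) inside the pattern, so an
    analyst sees what the rule keys on: the Schedule service and ServicesActive
    SCM database names, the SecondaryLogon/SECLOGON named pipes, the
    WinSta0\\Default window station and the ncacn_np RPC protocol sequence."""
    runs = re.findall(rb"(?:[\x20-\x7e]\x00){2,}[\x20-\x7e]?", pattern)
    # The pattern ends on 4E ("N") with no trailing NUL byte; pad before decoding.
    return [(r + b"\x00" * (len(r) % 2)).decode("utf-16-le") for r in runs]

def rule_matches(data: bytes) -> bool:
    """Plain-Python equivalent of the rule's condition block:
    uint16(0) == 0x5a4d (little-endian "MZ") and filesize < 40KB and all of them."""
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return is_pe and len(data) < MAX_FILESIZE and OP1 in data

# Constructed inputs (not real samples): a tiny fake PE carrying the pattern,
# the same pattern inside a non-PE file, and an oversized PE carrying it.
FAKE_HIT = b"MZ" + b"\x00" * 62 + OP1 + b"\x00" * 64
NOT_PE = b"\x7fELF" + OP1
TOO_BIG = b"MZ" + OP1 + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for s in decode_op1_strings():
        print(repr(s))
    for name, blob in [("fake PE", FAKE_HIT), ("ELF", NOT_PE), ("large PE", TOO_BIG)]:
        print(f"{name}: {rule_matches(blob)}")
```

Because the rule matches file content rather than process activity, the ProcessName and CommandLine filters in the scenarios below apply to the alert's context, not to the YARA match itself.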
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler runs a script or executable that matches the behavior of the EquationGroup tool.
Filter/Exclusion: Check the CommandLine field for known maintenance scripts or paths like C:\Windows\System32\sched.exe or C:\Windows\tasks\*.job.
Scenario: Antivirus or EDR Scan
Description: A security tool like Microsoft Defender or CrowdStrike Falcon performs a scan and temporarily executes a script or binary that resembles EquationGroup behavior.
Filter/Exclusion: Filter by ProcessName to exclude known security tools (e.g., MsMpEng.exe, falcon.exe, mpsvc.exe).
Scenario: PowerShell Script Execution for Patching
Description: A legitimate PowerShell script (e.g., using powershell.exe) is executed by an admin to apply patches or updates, and the script includes commands that match the EquationGroup detection logic.
Filter/Exclusion: Use a filter on ProcessName to exclude powershell.exe or check the CommandLine for known patching scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command ...).
Scenario: Logon Script Execution
Description: A user logon script (e.g., via Group Policy) runs a batch or PowerShell script that includes commands matching the EquationGroup tool’s behavior.
Filter/Exclusion: Filter by ProcessName to exclude cmd.exe or powershell.exe when executed from known logon script paths (e.g., C:\Windows\System32\logon.bat).
Scenario: Database Backup Job
Description: A