This hunt hypothesis targets potential adversary use of the EquationGroup tool from the April 2017 leak (the "April Leak" variant), which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries reusing known malware tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_RemoteExecute_Target {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "4a649ca8da7b5499821a768c650a397216cdc95d826862bf30fcc4725ce8587f"
    strings:
        $s1 = "Win32_Process" fullword ascii
        $s2 = "\\\\%ls\\root\\cimv2" fullword wide
        $op1 = { 83 7b 18 01 75 12 83 63 }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
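As an added example (not part of this hunt page or the rule author's tooling), the following Python re-implements the rule's condition against an in-memory buffer, so an analyst can see how the MZ-header gate, the size gate and each of the three patterns contribute to a match. The sample buffers are constructed here, and the wide fullword check is an approximation of YARA's semantics.

```python
import re

# The rule's three patterns in the byte form YARA matches on: ascii, wide (UTF-16LE)
# and a raw opcode sequence. The Python literal below is the same text as the YARA one.
S1_ASCII = b"Win32_Process"
S2_WIDE = "\\\\%ls\\root\\cimv2".encode("utf-16-le")
OP1 = bytes.fromhex("83 7b 18 01 75 12 83 63")
MAX_SIZE = 200 * 1024            # filesize < 200KB (YARA's KB is 1024 bytes)

def _fullword_ascii(buf: bytes, pat: bytes) -> bool:
    # fullword: no alphanumeric byte immediately before or after the match
    rx = re.compile(rb"(?<![0-9A-Za-z])" + re.escape(pat) + rb"(?![0-9A-Za-z])")
    return rx.search(buf) is not None

def _fullword_wide(buf: bytes, pat: bytes) -> bool:
    # Approximation of YARA's wide fullword: the neighbouring UTF-16LE code units
    # must not be alphanumeric characters (alnum byte followed by 0x00)
    alnum = rb"[0-9A-Za-z]\x00"
    rx = re.compile(rb"(?<!" + alnum + rb")" + re.escape(pat) + rb"(?!" + alnum + rb")")
    return rx.search(buf) is not None

def rule_matches(buf: bytes) -> bool:
    """Mirror the condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them."""
    if len(buf) < 2 or int.from_bytes(buf[:2], "little") != 0x5A4D:   # 'MZ' header
        return False
    if len(buf) >= MAX_SIZE:
        return False
    return (_fullword_ascii(buf, S1_ASCII)
            and _fullword_wide(buf, S2_WIDE)
            and OP1 in buf)

def make_sample(header: bytes = b"MZ", s1: bytes = S1_ASCII) -> bytes:
    # Constructed stand-in for a PE image: header, padding, then the three artifacts
    # separated by NUL bytes so the fullword modifiers are satisfied
    return (header + b"\x90" * 64 + b"\x00" + s1 + b"\x00"
            + b"\x00\x00" + S2_WIDE + b"\x00\x00" + OP1)

HIT = make_sample()                                 # all gates pass -> match
NO_MZ = make_sample(header=b"PK")                   # uint16(0) gate fails
NOT_FULLWORD = make_sample(s1=b"Win32_ProcessEx")   # $s1 embedded in a longer token
```

Running `rule_matches` over the three constructed buffers shows only `HIT` firing; `NOT_FULLWORD` demonstrates why the `fullword` modifier keeps the rule from firing on longer identifiers that merely contain the token.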
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update service may trigger the rule due to similar network behavior.
Filter/Exclusion: Check for the presence of msupdate.exe or wuauclt.exe in the process tree, and filter by the source IP of Microsoft’s update servers (e.g., 52.166.21.133).
Scenario: Scheduled Job Running PowerShell Script for Compliance
Description: A scheduled task using PowerShell to run compliance checks (e.g., Invoke-Command or Test-NetConnection) may match the rule’s behavioral patterns.
Filter/Exclusion: Filter by process name powershell.exe and check for known compliance scripts or paths like C:\Windows\System32\WindowsPowerShell\v1.0\ or C:\Program Files\Microsoft\Windows Defender\.
Scenario: Admin Performing Remote Desktop Session
Description: A legitimate remote desktop session (e.g., using mstsc.exe) may exhibit similar network activity to the EquationGroup tool.
Filter/Exclusion: Filter by process name mstsc.exe and check for the presence of rdpclip.exe or tsclient.exe, and verify the source IP against known internal network ranges.
Scenario: Antivirus or EDR Tool Performing Scan
Description: Antivirus or EDR tools (e.g., mpcmdrun.exe from Microsoft Defender, mcafee.exe from McAfee) may trigger the rule due to similar network or file system activity.
Filter/Exclusion: Filter by process name of known security tools and check for the presence of their respective service names or registry keys (e.g., Microsoft Defender Antivirus).
**Scenario: Legitimate