The detection identifies potential use of the EquationGroup tool, specifically the April Leak variant, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary presence and prevent further compromise.
YARA Rule
rule EquationGroup_Toolset_Apr17_renamer {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "9c30331cb00ae8f417569e9eb2c645ebbb36511d2d1531bb8d06b83781dfe3ac"
   strings:
      $s1 = "FILE_NAME_CONVERSION.LOG" fullword wide
      $s2 = "Log file exists. You must delete it!!!" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
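To make the rule's matching semantics concrete for analysts triaging a hit, the following is an added Python re-implementation of the rule's condition (not the page's or the rule author's code). It approximates YARA's `fullword wide` with a UTF-16LE regex boundary check instead of calling libyara, and the sample blobs it scans are constructed inline, not real files.

```python
import re

# Parameters copied from the rule on the page.
MAX_SIZE = 80 * 1024                      # filesize < 80KB (YARA KB = 1024 bytes)
STRINGS = [
    "FILE_NAME_CONVERSION.LOG",
    "Log file exists. You must delete it!!!",
]

def _fullword_wide_pattern(s: str) -> bytes:
    """Approximate YARA 'fullword wide': the string encoded as UTF-16LE and not
    adjacent to another alphanumeric UTF-16LE character (ASCII alnum + NUL)."""
    enc = re.escape(s.encode("utf-16-le"))
    alnum_wide = rb"[0-9A-Za-z]\x00"
    return rb"(?<!" + alnum_wide + rb")" + enc + rb"(?!" + alnum_wide + rb")"

PATTERNS = [re.compile(_fullword_wide_pattern(s)) for s in STRINGS]

def matches_rule(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 80KB and all of them."""
    if len(data) < 2 or data[:2] != b"MZ":   # uint16(0) read little-endian == 0x5a4d
        return False
    if len(data) >= MAX_SIZE:                # filesize must be strictly below 80KB
        return False
    return all(p.search(data) for p in PATTERNS)   # 'all of them': both $s1 and $s2

def build_sample(strings_wide: bool = True, fullword: bool = True) -> bytes:
    """Construct a tiny MZ-prefixed blob carrying both strings (constructed test
    data, not a real binary). Toggle flags to see which variants the rule rejects."""
    header = b"MZ" + b"\x00" * 62          # minimal DOS-header-sized stub
    body = b""
    for s in STRINGS:
        if not fullword:
            s = "X" + s                    # glue an alnum char on: breaks fullword
        body += (s.encode("utf-16-le") if strings_wide else s.encode("ascii"))
        body += b"\x00\x00"                # separator, non-alphanumeric on both sides
    return header + body

if __name__ == "__main__":
    print("wide, fullword       :", matches_rule(build_sample()))
    print("ascii only           :", matches_rule(build_sample(strings_wide=False)))
    print("wide, not fullword   :", matches_rule(build_sample(fullword=False)))
    print("oversized (>= 80KB)  :", matches_rule(build_sample() + b"\x00" * MAX_SIZE))
```

The ASCII-only and oversized cases show why a renamed copy of the tool still needs its original wide strings and a small footprint to fire this rule, which is useful when judging whether an alert is a genuine hit or one of the false-positive scenarios below.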
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., schtasks.exe) is running a maintenance script that includes a file named equationgroup.exe (due to a naming overlap or a legacy tool).
Filter/Exclusion: Check the process parent and command line for schtasks.exe or at.exe, and exclude files in known maintenance directories like C:\Windows\System32\Tasks\.
Scenario: Admin Tool for Log Analysis
Description: An admin uses a tool like LogParser.exe or PowerShell.exe to analyze logs, and the script or command includes a string matching the EquationGroup signature due to a misconfiguration or false positive in log content.
Filter/Exclusion: Exclude processes with PowerShell.exe or LogParser.exe when the command line includes log analysis keywords like -input or -file.
Scenario: Legacy Antivirus Quarantine Scan
Description: A legacy antivirus tool (e.g., Kaspersky, Bitdefender) performs a quarantine scan and temporarily moves a file named equationgroup.exe into a quarantine folder, triggering the rule.
Filter/Exclusion: Exclude processes related to antivirus tools (e.g., kavsvc.exe, bdagent.exe) or files in quarantine directories like C:\ProgramData\Kaspersky\Quarantine\.
Scenario: Software Update or Patch Deployment
Description: A patching tool like Microsoft Update or WSUS deploys a file that includes a string matching the EquationGroup signature due to a naming conflict or embedded content.
Filter/Exclusion: Exclude processes related to patching tools (e.g., wuauserv.exe, msiexec.exe) or files in update directories like `C:\Windows