The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of sophisticated, legacy malware associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term, stealthy threats that may have established persistence within the network.
YARA Rule
rule EquationGroup_Toolset_Apr17_Rpctouch_2_1_0 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "7fe4c3cedfc98a3e994ca60579f91b8b88bf5ae8cf669baa0928508642c5a887"
    strings:
        $x1 = "[*] Failed to detect OS / Service Pack on %s:%d" fullword ascii
        $x2 = "[*] SMB String: %s (%s)" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them )
}
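To make the rule's condition concrete, the following is an added Python example (not part of the original page or of the rule author's tooling) that re-implements its three checks by hand: the little-endian MZ magic at offset 0, the 80KB size bound (YARA counts KB as 1024 bytes), and "fullword ascii" matching, where a hit must not be immediately preceded or followed by an alphanumeric byte. The sample buffers are constructed here to exercise each check; they are not real samples and carry no other content from the leak.

```python
import re
import struct

# The two ASCII strings from the rule, keyed by their YARA identifiers.
RULE_STRINGS = {
    "$x1": b"[*] Failed to detect OS / Service Pack on %s:%d",
    "$x2": b"[*] SMB String: %s (%s)",
}

# YARA's "80KB" means 80 * 1024 bytes, not 80,000.
MAX_FILESIZE = 80 * 1024


def fullword_ascii_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'fullword ascii': the literal must not be bordered by [A-Za-z0-9]."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition against a byte buffer and return each sub-check."""
    # uint16(0) == 0x5a4d: first two bytes, little-endian, must be "MZ".
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    # filesize < 80KB
    size_ok = len(data) < MAX_FILESIZE
    # "1 of them": at least one of the declared strings matches.
    hits = [name for name, s in RULE_STRINGS.items() if fullword_ascii_match(data, s)]
    return {
        "is_mz": is_mz,
        "size_ok": size_ok,
        "hits": hits,
        "match": bool(is_mz and size_ok and hits),
    }


# Constructed test buffers (hypothetical, not real files):
MZ_HEADER = b"MZ" + b"\x00" * 62

# A small MZ buffer carrying the $x2 string surrounded by non-alphanumeric bytes: should match.
SAMPLE_HIT = MZ_HEADER + b"\x00" * 16 + RULE_STRINGS["$x2"] + b"\x00" * 16

# Same string, but the buffer does not start with "MZ": the PE magic check fails.
SAMPLE_NO_MZ = b"\x7fELF" + b"\x00" * 60 + RULE_STRINGS["$x2"] + b"\x00" * 16

# The string is glued to alphanumeric neighbours, so "fullword" rejects it.
SAMPLE_NOT_FULLWORD = MZ_HEADER + b"x" + RULE_STRINGS["$x2"] + b"y" + b"\x00" * 16

# A matching string inside a buffer padded to exactly 80KB: the filesize bound fails.
SAMPLE_TOO_BIG = (MZ_HEADER + RULE_STRINGS["$x1"]).ljust(MAX_FILESIZE, b"\x00")


def scan_file(path: str) -> dict:
    """Convenience wrapper: evaluate the rule against an on-disk file."""
    with open(path, "rb") as fh:
        return evaluate(fh.read())


if __name__ == "__main__":
    for name, buf in [
        ("SAMPLE_HIT", SAMPLE_HIT),
        ("SAMPLE_NO_MZ", SAMPLE_NO_MZ),
        ("SAMPLE_NOT_FULLWORD", SAMPLE_NOT_FULLWORD),
        ("SAMPLE_TOO_BIG", SAMPLE_TOO_BIG),
    ]:
        print(name, evaluate(buf))
```

In production the rule itself would be compiled and run with YARA (or yara-python); this hand-rolled evaluator only exists to show why a hit requires all three parts of the condition, and why a string embedded inside a longer alphanumeric run is not counted under "fullword".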
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., schtasks.exe) runs a script that includes base64-encoded content, which triggers the rule.
Filter/Exclusion: Exclude processes associated with schtasks.exe, or filter by command lines containing --maintenance or --system.

Scenario: Admin Using PowerShell to Decode Base64 Data
Description: An administrator uses powershell.exe to decode base64 data as part of a legitimate troubleshooting or data extraction task.
Filter/Exclusion: Exclude processes where the command line includes ConvertFrom-String or Invoke-Command with known admin tools.

Scenario: Log Parsing Tool Processing Base64-Encoded Logs
Description: A log parsing tool (e.g., logparser.exe or splunk.exe) processes base64-encoded log entries as part of its normal operation.
Filter/Exclusion: Exclude processes associated with log parsing tools, or filter by command lines containing base64 or decode.

Scenario: Antivirus or EDR Tool Performing Safe Base64 Decoding
Description: An EDR tool (e.g., Microsoft Defender ATP, CrowdStrike, or SentinelOne) uses base64 decoding as part of its threat detection or analysis process.
Filter/Exclusion: Exclude processes from known EDR/AV vendors, or filter by command lines containing analysis, scan, or threat.

Scenario: DevOps Pipeline Using Base64 for Secure Credential Storage
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) uses base64 encoding to store credentials in environment variables or configuration files.
Filter/Exclusion: Exclude processes from known DevOps tools or