The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, sophisticated threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_scanner {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "f180bdb247687ea9f1b58aded225d5c80a13327422cd1e0515ea891166372c53"
    strings:
        $x1 = "+daemon_version,system,processor,refid,clock" fullword ascii
        $x2 = "Usage: %s typeofscan IP_address" fullword ascii
        $x3 = "# scanning ip %d.%d.%d.%d" fullword ascii
        $x4 = "Welcome to the network scanning tool" fullword ascii
        $x5 = "***** %s ***** (length %d)" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 90KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
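To show what the condition above actually requires of a file, here is an added example (not from the original page or the rule's author) that re-implements the rule's logic in plain Python, including YARA's fullword semantics, and evaluates it over constructed sample buffers. The function names and the sample bytes are my own; the sample buffers are synthetic stand-ins for files, not real malware.

```python
# Pure-Python evaluator for the EquationGroup_Toolset_Apr17_scanner condition:
#   uint16(0) == 0x5a4d  ->  the file starts with the little-endian "MZ" marker
#   filesize < 90KB      ->  strictly less than 90 * 1024 bytes
#   1 of them            ->  at least one of the five "fullword ascii" strings

# The five string patterns copied from the rule, as raw bytes.
RULE_STRINGS = [
    b"+daemon_version,system,processor,refid,clock",
    b"Usage: %s typeofscan IP_address",
    b"# scanning ip %d.%d.%d.%d",
    b"Welcome to the network scanning tool",
    b"***** %s ***** (length %d)",
]
MAX_SIZE = 90 * 1024  # YARA's "90KB" means 90 * 1024 bytes


def _fullword_hit(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword': a match only counts if it is not bordered by
    alphanumeric bytes on either side (so 'xWelcome...toolx' does not match)."""
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(pattern):i + len(pattern) + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
        start = i + 1  # keep scanning for a later, properly bordered occurrence


def matching_strings(data: bytes) -> list:
    """Names ($x1..$x5) of the rule strings that match as fullwords."""
    return [f"$x{n}" for n, p in enumerate(RULE_STRINGS, 1) if _fullword_hit(data, p)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's full condition against one file's bytes."""
    if len(data) < 2 or data[:2] != b"MZ":   # uint16(0) == 0x5a4d (little-endian)
        return False
    if len(data) >= MAX_SIZE:                 # filesize < 90KB
        return False
    return len(matching_strings(data)) >= 1   # 1 of them


# Constructed sample buffers (not real files): an "MZ" stub plus embedded strings.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00Welcome to the network scanning tool\x00"
SAMPLE_NOT_FULLWORD = b"MZ" + b"\x00" * 62 + b"xWelcome to the network scanning toolx"
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00Usage: %s typeofscan IP_address\x00"
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_SIZE
```

Run the same buffers through the real engine (yara-python) when it is available; this evaluator exists only to make the three parts of the condition explicit.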
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as sfc /scannow or DISM, is executed by the System or Local Administrator account.
Filter/Exclusion: Exclude processes initiated by SYSTEM or NT AUTHORITY\LocalService with command lines containing sfc, DISM, or dism.exe.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Windows Defender, Bitdefender, or CrowdStrike performs a full system scan, triggering the rule due to similar file or process activity.
Filter/Exclusion: Exclude processes with parent process names like WindowsDefender.exe, Bitdefender.exe, or crowdstrike.exe.
Scenario: PowerShell Script for Log Analysis
Description: A legitimate PowerShell script, such as one used for log analysis or compliance checks, is executed by an admin and matches the rule’s heuristic.
Filter/Exclusion: Exclude processes with command lines containing powershell.exe and parent processes like cmd.exe or task scheduler.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or SCCM (System Center Configuration Manager) task deploys updates, and the rule mistakenly flags the update installation as malicious activity.
Filter/Exclusion: Exclude processes with parent process names like SCCMClient.exe or ccmexec.exe, and command lines containing update, patch, or install.
Scenario: Database Backup Job Execution
Description: A scheduled SQL Server backup job runs, and the rule flags the backup process due to similar behavior to the EquationGroup tool.
Filter/Exclusion: Exclude processes with parent process names like sqlservr.exe or sqlbackup.exe, and command lines containing