The hypothesis is that a detection of the EquationGroup Tool - April Leak signature indicates potential adversary use of sophisticated, legacy malware that may persist undetected in the environment. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate long-term threats that evade traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_SendPKTrigger {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26"
   strings:
      $x1 = "----====**** PORT KNOCK TRIGGER BEGIN ****====----" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic: $x1, a UTF-16LE (wide) marker that must match as a whole word. The condition additionally requires an MZ header at offset 0 (uint16(0) == 0x5a4d) and a file size under 300 KB, so the rule only fires on small PE files carrying the port-knock trigger banner.
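As an added example that is not part of the original page or of the signature's author, the following Python re-implements the rule's three conditions without a YARA engine: the MZ check at offset 0, the 300 KB size limit, and the `fullword wide` string match (UTF-16LE encoding, not flanked by alphanumeric wide characters). It is useful for understanding exactly what the rule modifiers mean and for triaging a file where yara-python is not installed. All sample byte strings are constructed inline and are not real malware.

```python
"""Plain-Python equivalent of EquationGroup_Toolset_Apr17_SendPKTrigger's conditions."""
from typing import List

# The rule's only string, taken verbatim from $x1. `wide` means YARA matches the
# UTF-16LE encoding of the text, not its ASCII form.
PK_TRIGGER = "----====**** PORT KNOCK TRIGGER BEGIN ****====----"
PK_TRIGGER_WIDE = PK_TRIGGER.encode("utf-16-le")

# YARA's `300KB` is 300 * 1024 bytes.
MAX_SIZE = 300 * 1024


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: little-endian read of the first two bytes equals 'MZ'."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def _is_alnum_wide(pair: bytes) -> bool:
    """True if a two-byte UTF-16LE unit is an ASCII letter or digit (YARA's fullword test)."""
    if len(pair) != 2 or pair[1] != 0:
        return False
    return pair[0] < 128 and chr(pair[0]).isalnum()


def find_fullword_wide(data: bytes, needle_wide: bytes) -> List[int]:
    """Offsets where needle_wide occurs and is not glued to alphanumeric wide chars.

    This mirrors `fullword` for a `wide` string: the character immediately before
    and after the match (each one UTF-16LE unit) must not be alphanumeric.
    """
    hits: List[int] = []
    start = 0
    while True:
        idx = data.find(needle_wide, start)
        if idx < 0:
            break
        before = data[idx - 2:idx] if idx >= 2 else b""
        end = idx + len(needle_wide)
        after = data[end:end + 2]
        if not _is_alnum_wide(before) and not _is_alnum_wide(after):
            hits.append(idx)
        start = idx + 1
    return hits


def matches_rule(data: bytes) -> bool:
    """All three conditions of the rule: MZ header, size < 300KB, $x1 present."""
    return (
        is_mz(data)
        and len(data) < MAX_SIZE
        and bool(find_fullword_wide(data, PK_TRIGGER_WIDE))
    )


def scan_file(path: str) -> bool:
    """Convenience wrapper: apply the rule logic to a file on disk."""
    with open(path, "rb") as fh:
        return matches_rule(fh.read())


# Constructed samples (hypothetical, built here for illustration only):
# a fake MZ blob carrying the wide marker, the same marker in plain ASCII,
# and an oversized MZ blob that fails the filesize condition.
SAMPLE_PE = b"MZ" + b"\x00" * 62 + PK_TRIGGER_WIDE + b"\x00" * 16
SAMPLE_TXT = PK_TRIGGER.encode("ascii")
SAMPLE_BIG = b"MZ" + b"\x00" * MAX_SIZE + PK_TRIGGER_WIDE

if __name__ == "__main__":
    for name, blob in (("SAMPLE_PE", SAMPLE_PE), ("SAMPLE_TXT", SAMPLE_TXT), ("SAMPLE_BIG", SAMPLE_BIG)):
        print(f"{name}: match={matches_rule(blob)} offsets={find_fullword_wide(blob, PK_TRIGGER_WIDE)}")
```

The ASCII sample shows why the `wide` modifier matters for triage: a plain-text copy of the banner (for example in a report or a script) does not satisfy the rule, and neither does a large binary, even when the marker is present. When hunting, treat a hit as a file-content indicator to be confirmed on the actual binary rather than inferring it from process names.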
Scenario: Legitimate system update using msiexec.exe
Description: A scheduled system update or patch deployment using Microsoft Installer (msiexec.exe) may trigger the rule due to its execution context.
Filter/Exclusion: Exclude processes where msiexec.exe is used with the /i flag and the file path contains known Microsoft update packages (e.g., Windows6.1-KB...).
Scenario: Scheduled backup job using vssadmin.exe
Description: The Volume Shadow Copy administrative tool (vssadmin.exe) is routinely used by backup processes, and its activity may be flagged because the same tool is associated with EquationGroup tradecraft.
Filter/Exclusion: Exclude processes where vssadmin.exe is executed with the create or delete command and the target volume is a known backup volume (e.g., D:\Backup).
Scenario: Admin task using taskhost.exe for scheduled tasks
Description: The Task Scheduler service (taskhost.exe) is commonly used for running administrative tasks, which may be mistaken for malicious activity.
Filter/Exclusion: Exclude processes where taskhost.exe is associated with known legitimate scheduled tasks (e.g., Task Scheduler or Windows Defender tasks).
Scenario: Logon script execution via cmd.exe
Description: User logon scripts executed via cmd.exe may trigger the rule if they involve command-line execution that resembles EquationGroup behavior.
Filter/Exclusion: Exclude processes where cmd.exe is launched from a known user profile directory (e.g., C:\Users\%username%\AppData\) and the command line is associated with standard logon scripts.
Scenario: Network discovery using nmap.exe
Description: Network reconnaissance tools like nmap.exe may be