The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates possible adversary use of legacy tooling associated with advanced persistent threats, in this case a utility from the Equation Group toolset published by the Shadow Brokers in April 2017. SOC teams should hunt for this proactively in Microsoft Sentinel (formerly Azure Sentinel) to identify long-lived, stealthy intrusions that may have evaded conventional detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_SetCallback {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "a8854f6b01d0e49beeb2d09e9781a6837a0d18129380c6e1b1629bc7c13fdea2"
    strings:
        $s2 = "*NOTE: This version of SetCallback does not work with PeddleCheap versions prior" fullword ascii
        $s3 = "USAGE: SetCallback <input file> <output file>" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
This YARA rule can be deployed wherever file content can be scanned with YARA (endpoint file scanners, file-based triage of collected artifacts, or scanning of samples submitted to an analysis pipeline).
Its detection logic has three parts, all of which must hold for a match: the file starts with an MZ header (uint16(0) == 0x5a4d is the little-endian reading of "MZ"), the file is smaller than 100KB, and both string patterns ($s2 and $s3) are present as full words in ASCII. Because the two strings are the tool's own usage text and name the SetCallback and PeddleCheap components, the rule is highly specific: it fires on the tool itself (or a copy of it), not on behaviour such as command-line arguments, registry changes or file access patterns, which YARA does not see.
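To make the condition concrete, the following Python script is an added example (it is not part of this page or of the Signature-Base project the rule comes from) that reimplements the rule's three checks in plain Python and adds the triage step a practitioner wants after a hit: hashing the matched file and comparing it with hash1 from the rule's meta section. The sample byte strings are constructed here for illustration. The fullword handling assumes YARA's definition (the match may not be bordered by an alphanumeric character), and the 100KB bound uses YARA's 1024-byte kilobyte.

```python
import hashlib
import re

# Constants lifted from the YARA rule above.
RULE_STRINGS = [
    b"*NOTE: This version of SetCallback does not work with PeddleCheap versions prior",
    b"USAGE: SetCallback <input file> <output file>",
]
RULE_HASH1 = "a8854f6b01d0e49beeb2d09e9781a6837a0d18129380c6e1b1629bc7c13fdea2"
MAX_SIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes


def fullword_present(data: bytes, needle: bytes) -> bool:
    """Approximate YARA's 'fullword' modifier: the match must not be
    immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """Reimplements: uint16(0) == 0x5a4d and filesize < 100KB and all of them."""
    if len(data) < 2 or data[:2] != b"MZ":   # 0x5a4d read little-endian is "MZ"
        return False
    if len(data) >= MAX_SIZE:                # filesize < 100KB
        return False
    return all(fullword_present(data, s) for s in RULE_STRINGS)


def triage(data: bytes) -> dict:
    """Post-match triage: is this the exact sample the rule author hashed?
    A known hash is a confirmed true positive; an unknown hash still
    contains the tool's usage strings and must be inspected, not excluded."""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "matches": rule_matches(data),
        "sha256": sha256,
        "known_sample": sha256 == RULE_HASH1,
    }


def make_sample(strings, size=4096, header=b"MZ"):
    """Constructed test input (not a real binary): a header, some padding,
    the given strings separated by newlines, zero-padded to `size` bytes."""
    body = header + b"\x00" * 62 + b"\n".join(strings) + b"\n"
    return body.ljust(size, b"\x00")


# Constructed samples covering each clause of the condition.
SAMPLES = {
    "both_strings": make_sample(RULE_STRINGS),                       # should match
    "one_string": make_sample(RULE_STRINGS[:1]),                     # fails "all of them"
    "not_pe": make_sample(RULE_STRINGS, header=b"\x7fELF"),          # fails MZ check
    "too_large": make_sample(RULE_STRINGS, size=MAX_SIZE),           # fails filesize < 100KB
    "not_fullword": make_sample([RULE_STRINGS[0] + b"X", RULE_STRINGS[1]]),  # $s2 not a full word
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} -> {triage(data)}")
```

Run the script to see only the both_strings sample match; its SHA-256 will not equal hash1, which is exactly the situation the false-positive scenarios below should be evaluated in: a content match on a file that is not the known sample still contains the tool's usage text and should be examined rather than filtered out by process name.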
Scenario: Legitimate System Update via Windows Update
Description: Windows Update delivers signed Microsoft binaries. Because this rule matches only on file content (an MZ header, a size under 100KB and both SetCallback/PeddleCheap usage strings), an update cannot produce a match through registry changes or similar file paths; Microsoft's update payloads do not carry these strings, so a match on a file under a Windows Update path is not explained by the update itself.
Filter/Exclusion: Do not exclude matches by path or by the wuauclt.exe or svchost.exe process name, since that would also suppress a real tool dropped into those locations. Verify the matched file instead: compare its SHA-256 with hash1 from the rule, check its Authenticode signature, and treat an unsigned match as a true positive until shown otherwise.
Scenario: Scheduled Task for Log Cleanup
Description: A scheduled task running a log cleanup tool (e.g., logclean.exe) may share command-line patterns or file paths with the EquationGroup tool, but command lines and paths do not influence a YARA file-content match. A log management binary that matches the rule contains the SetCallback usage strings, which a legitimate cleanup tool has no reason to include.
Filter/Exclusion: Do not exclude on process.name values such as logclean.exe or logrotate. Pull the matched file, confirm that both strings are really present, compare its hash with hash1, and check where the binary came from before deciding it is benign.
Scenario: Admin Performing Disk Imaging with FTK Imager
Description: FTK Imager's own binaries do not contain the rule's strings, and a disk image is far larger than the 100KB bound, so the imaging activity itself cannot trigger the rule. A match does become plausible on a forensic workstation where files extracted from an image of a compromised host are scanned; in that case the match reflects content that was on the imaged disk, not FTK Imager.
Filter/Exclusion: Do not exclude activity by process.name (FTKImager.exe). Scope known evidence and sample stores by path, record matches there as expected, and verify each matched file's hash against hash1 so a real infection of the forensic workstation is not hidden by the exclusion.
Scenario: Antivirus Scan Using Malwarebytes
Description: An antivirus scan reads files but does not alter their content, so a deep scan by Malwarebytes or another security product cannot cause a YARA content match by itself. A match in a quarantine or sample directory indicates that the tool was present on the host and was detected or collected there.
Filter/Exclusion: Do not exclude on process.name values such as mbam.exe or malwarebytes. Correlate the match with the security product's own detection events for the same file hash; a YARA hit with no corresponding AV detection on the same file is the case that needs investigation.
Scenario: PowerShell Script for Patch Management
Description: A PowerShell script used for patch management may run commands that resemble those of the EquationGroup tool, but a script is a text file without an MZ header and cannot satisfy uint16(0) == 0x5a4d, so the script itself cannot match. Only a PE file the script downloads or writes to disk could match, and such a file would then contain the tool's usage strings and warrant inspection rather than a process-name exclusion.
Filter/Exclusion: Check the process.name for powershell.exe and