The hypothesis is that a detection of the EquationGroup tool from the April leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_SetCallbackPorts {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "16f66c2593665c2507a78f96c0c2a9583eab0bda13a639e28f550c92f9134ff0"
    strings:
        $s1 = "USAGE: %s <input file> <output file> <port1> [port2] [port3] [port4] [port5] [port6]" fullword ascii
        $s2 = "You may enter between 1 and 6 ports to change the defaults." fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
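To make the rule's condition concrete for analysts who do not have a YARA engine at hand, the following Python is an added example (not part of the original page and not Florian Roth's code) that re-implements the three checks of the condition over in-memory byte buffers: the MZ header test (uint16(0) == 0x5a4d reads the little-endian bytes "MZ"), the 100KB size limit, and "1 of them" over the two fullword ascii strings. The fullword emulation (no ASCII alphanumeric byte directly before or after the match) is a simplified re-implementation of YARA semantics, and every sample buffer below is constructed here for illustration; none is a real sample from the leak. The hash1 comparison reuses the SHA-256 from the rule's meta section only as a secondary indicator.

```python
import hashlib

# The two ascii strings from the rule's strings section, as bytes.
RULE_STRINGS = {
    "$s1": b"USAGE: %s <input file> <output file> <port1> [port2] [port3] [port4] [port5] [port6]",
    "$s2": b"You may enter between 1 and 6 ports to change the defaults.",
}
MAX_FILESIZE = 100 * 1024  # YARA's "filesize < 100KB"
KNOWN_HASH1 = "16f66c2593665c2507a78f96c0c2a9583eab0bda13a639e28f550c92f9134ff0"  # hash1 from the rule meta


def _is_ascii_alnum(byte: int) -> bool:
    # bytes.isalnum() only treats ASCII letters/digits as alphanumeric, matching YARA's fullword check.
    return bytes([byte]).isalnum()


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """Emulate YARA `fullword ascii`: needle must occur with no ASCII alphanumeric byte on either side."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        end = idx + len(needle)
        before_ok = idx == 0 or not _is_ascii_alnum(data[idx - 1])
        after_ok = end == len(data) or not _is_ascii_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = idx + 1  # overlapping occurrence elsewhere may still qualify


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition to a buffer and report which sub-checks fired."""
    # uint16(0) == 0x5a4d: little-endian 16-bit read of the first two bytes equals b"MZ".
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    strings = {name: fullword_matches(data, s) for name, s in RULE_STRINGS.items()}
    matched = is_mz and size_ok and any(strings.values())  # "1 of them"
    return {"match": matched, "mz": is_mz, "size_ok": size_ok, "strings": strings}


def matches_known_hash(data: bytes) -> bool:
    """Secondary indicator: compare the buffer's SHA-256 with hash1 from the rule's meta section."""
    return hashlib.sha256(data).hexdigest() == KNOWN_HASH1


# Constructed sample buffers (not real files from the leak).
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + RULE_STRINGS["$s1"] + b"\x00" + b"\x90" * 16
SAMPLE_NOT_PE = b"#!/bin/sh\n" + RULE_STRINGS["$s2"] + b"\n"          # no MZ header
SAMPLE_NOT_FULLWORD = b"MZ" + b"abc" + RULE_STRINGS["$s2"] + b"xyz"  # string glued to alphanumerics
SAMPLE_TOO_BIG = b"MZ" + b"\x00" * (200 * 1024) + RULE_STRINGS["$s1"] + b"\x00"


if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                       ("not_fullword", SAMPLE_NOT_FULLWORD), ("too_big", SAMPLE_TOO_BIG)]:
        result = evaluate_rule(buf)
        print(f"{label:13s} match={result['match']} mz={result['mz']} "
              f"size_ok={result['size_ok']} strings={result['strings']} hash1={matches_known_hash(buf)}")
```

Running the block shows why each constructed buffer does or does not trigger: the non-PE text file carries $s2 but fails the header check, the oversized buffer carries $s1 but exceeds 100KB, and the buffer where $s2 is glued to surrounding letters fails the fullword test even though a plain substring search would have found it.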
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns ($s1 and $s2) in its detection logic; either one suffices, since the condition requires only 1 of them alongside the MZ header and size checks.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a system maintenance script (e.g., schtasks.exe) that uses certutil to verify a certificate or update system files.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or certutil used in a known maintenance script path (e.g., C:\Windows\System32\certutil.exe).
Scenario: Windows Update or Patching Process
Description: The system is running a Windows Update or patching process that uses certutil to validate update packages.
Filter/Exclusion: Filter by ProcessName containing wuauclt.exe or certutil used in the context of Windows Update (C:\Windows\System32\wuauclt.exe).
Scenario: Internal Certificate Authority (CA) Operations
Description: An internal CA server is using certutil to manage or renew certificates, which may trigger the rule due to similar command-line usage.
Filter/Exclusion: Check for ProcessName containing certsrv.exe or certutil executed from an internal CA server directory (e.g., C:\Windows\System32\certutil.exe).
Scenario: PowerShell Script Using certutil for Certificate Validation
Description: A legitimate PowerShell script is using certutil to validate a certificate during a security audit or compliance check.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for script paths in known internal security tools or audit directories.
Scenario: Antivirus or Endpoint Protection Tool Activity
Description: An endpoint protection tool (e.g., Microsoft Defender, CrowdStrike) is using certutil as part of its signature or certificate validation process.