The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary activity leveraging a known malware component associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated adversaries exploiting legacy or dormant threat infrastructure.
YARA Rule
rule EquationGroup_Toolset_Apr17_SetOurAddr {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "04ccc060d401ddba674371e66e0288ebdbfa7df74b925c5c202109f23fb78504"
    strings:
        $s1 = "USAGE: SetOurAddr <input file> <output file> <protocol> [IP/IPX address]" fullword ascii
        $s2 = "Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This rule contains 2 string patterns in its detection logic; a file matches when it starts with the MZ header, is smaller than 100KB, and contains at least one of the two strings as a whole word.
The scenarios below describe legitimate activity that may overlap with this detection, each with a suggested filter/exclusion:
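As an added example (not part of the original page and not code from the rule's author), the following Python re-implements the rule's condition without yara-python, so you can see exactly what uint16(0) == 0x5a4d, filesize < 100KB, fullword and 1 of them each require; the sample buffers are constructed here and are not real samples.

```python
import re

# Copies of $s1 and $s2 from the rule body above.
RULE_STRINGS = {
    "$s1": b"USAGE: SetOurAddr <input file> <output file> <protocol> [IP/IPX address]",
    "$s2": b"Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d",
}
MAX_FILESIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes


def fullword_ascii_matches(data: bytes, needle: bytes) -> list:
    """Offsets where needle occurs as a YARA 'fullword' match: the string
    must not be immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(pattern, data)]


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the condition of EquationGroup_Toolset_Apr17_SetOurAddr."""
    # uint16(0) == 0x5a4d: little-endian 16-bit read of the first two bytes ("MZ")
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE            # filesize < 100KB
    hits = {name: fullword_ascii_matches(data, s) for name, s in RULE_STRINGS.items()}
    one_of_them = any(hits.values())              # 1 of them
    return {"match": is_mz and size_ok and one_of_them,
            "is_mz": is_mz, "size_ok": size_ok, "hits": hits}


def build_sample(strings: list, mz: bool = True, pad: int = 0) -> bytes:
    """Constructed test buffer: a fake header, the given strings, optional padding."""
    header = b"MZ" if mz else b"\x7fELF"
    return header + b"\x00" * 64 + b"\x00".join(strings) + b"\x00" * pad


# Constructed samples covering the rule's edge cases (not real files).
SAMPLES = {
    "pe_with_usage_string": build_sample([RULE_STRINGS["$s1"]]),
    "non_pe": build_sample([RULE_STRINGS["$s1"]], mz=False),
    "oversized": build_sample([RULE_STRINGS["$s1"]], pad=MAX_FILESIZE),
    # $s2 ends in 'd'; a trailing alphanumeric byte breaks the fullword match
    "not_fullword": build_sample([RULE_STRINGS["$s2"] + b"X"]),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        r = evaluate_rule(buf)
        print(f"{name:22} match={r['match']!s:5} mz={r['is_mz']!s:5} "
              f"size_ok={r['size_ok']!s:5} hits={ {k: len(v) for k, v in r['hits'].items()} }")
```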
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script or executable that matches the hash or behavior of the EquationGroup tool.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"
Scenario: Windows Update or Patching Process
Description: A Windows Update or patching process may execute binaries that resemble the EquationGroup tool due to similar execution patterns.
Filter/Exclusion: process.name contains "wusa.exe" or process.name contains "dism.exe"
Scenario: Admin Debugging or Forensic Tool Usage
Description: Tools like Procmon (Process Monitor) or Process Explorer may be used by administrators to debug or analyze processes, which could trigger the rule.
Filter/Exclusion: process.name contains "procmon.exe" or process.name contains "procexp.exe"
Scenario: Legitimate Software Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) deployment may execute a package that matches the EquationGroup tool’s hash or behavior.
Filter/Exclusion: process.parent_process_name contains "ccmexec.exe" or process.command_line contains "ccmsetup.exe"
Scenario: PowerShell Script for System Configuration
Description: A PowerShell script used for system configuration or compliance checks may execute commands that mimic the EquationGroup tool’s behavior.
Filter/Exclusion: process.name contains "powershell.exe" and (process.command_line contains "Invoke-Command" or process.command_line contains "Set-ItemProperty")