The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_SetPorts {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "722d3cf03908629bc947c4cca7ce3d6b80590a04616f9df8f05c02de2d482fb2"
    strings:
        $s1 = "USAGE: SetPorts <input file> <output file> <version> <port1> [port2] [port3] [port4] [port5]" fullword ascii
        $s2 = "Valid versions are: 1 = PC 1.2 2 = PC 1.2 (24 hour)" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
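As an added example (not part of the original page and not code from the rule's author), the following Python re-implements the rule's condition as a reference checker, including YARA's `fullword` boundary semantics, the little-endian `uint16(0)` header check and the 100 KB size limit, and runs it over constructed byte strings so an analyst can confirm what the rule will and will not flag before deploying it. The sample byte strings are constructed for illustration and are not real malware.

```python
import struct

# The two string patterns from rule EquationGroup_Toolset_Apr17_SetPorts (copied from the page).
S1 = b"USAGE: SetPorts <input file> <output file> <version> <port1> [port2] [port3] [port4] [port5]"
S2 = b"Valid versions are: 1 = PC 1.2 2 = PC 1.2 (24 hour)"
MAX_SIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes


def fullword_ascii(data: bytes, pattern: bytes) -> bool:
    """Emulate YARA's `fullword ascii`: some occurrence of the pattern must not be
    immediately preceded or followed by an alphanumeric byte."""
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return False
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(pattern):idx + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():  # b"".isalnum() is False
            return True
        start = idx + 1


def matches_setports_rule(data: bytes) -> bool:
    """Reference evaluation of: uint16(0) == 0x5a4d and filesize < 100KB and all of them."""
    if len(data) < 2:
        return False
    magic = struct.unpack_from("<H", data, 0)[0]  # YARA's uint16() reads little-endian
    if magic != 0x5A4D:  # the bytes "MZ"
        return False
    if len(data) >= MAX_SIZE:
        return False
    return fullword_ascii(data, S1) and fullword_ascii(data, S2)


# Constructed samples (hypothetical, not real files) covering each branch of the condition.
SAMPLES = {
    "pe_with_both_strings": b"MZ" + b"\x00" * 62 + S1 + b"\x00\x00" + S2 + b"\x00" + b"\x90" * 512,
    "not_a_pe": b"PK" + S1 + b"\x00" + S2,
    "only_one_string": b"MZ" + S1 + b"\x00",
    "too_large": b"MZ" + S1 + b"\x00" + S2 + b"\x00" + b"A" * MAX_SIZE,
    "string_glued_to_word": b"MZ" + b"X" + S1 + b"\x00" + S2,  # 'X' breaks fullword on $s1
}


def evaluate_samples() -> dict:
    """Return {sample name: whether the rule would match}."""
    return {name: matches_setports_rule(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```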
This rule contains two string patterns in its detection logic, combined with an MZ header check (uint16(0) == 0x5a4d) and a file size limit of 100 KB. The YARA rule can be deployed in the following contexts, each with a filter/exclusion for the benign activity described:
Scenario: Scheduled system maintenance or patching using PowerShell scripts
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'
Scenario: Legitimate use of Windows Task Scheduler to run administrative tasks
Filter/Exclusion: process.name != "schtasks.exe" OR process.args NOT LIKE '%/RU%'
Scenario: Use of Windows Management Instrumentation (WMI) for system monitoring
Filter/Exclusion: process.name != "wmic.exe" OR process.args NOT LIKE '%query%'
Scenario: Execution of Microsoft Sysinternals tools like Process Explorer or ProcMon
Filter/Exclusion: process.name NOT IN ("procexp.exe", "procmon.exe", "handle.exe")
Scenario: Running Windows Update or Group Policy refresh tasks
Filter/Exclusion: process.name != "wuauclt.exe" AND process.name != "gpolisten.exe"