The hypothesis is that a match on this rule, which detects the SetResourceName utility from the EquationGroup April 2017 leak (the Shadow Brokers "Lost in Translation" release), indicates potential adversary use of legacy malware with known persistence mechanisms. A SOC team should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate long-standing threats that may have evaded traditional, signature-based detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_SetResourceName {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "537793d5158aecd0debae25416450bd885725adfc8ca53b0577a3df4b0222e2e"
   strings:
      $x1 = "Updates the name of the dll or executable in the resource file" fullword ascii
      $x2 = "*NOTE: SetResourceName does not work with PeddleCheap versions" fullword ascii
      $x3 = "2 = [appinit.dll] level4 dll" fullword ascii
      $x4 = "1 = [spcss32.exe] level3 exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}
This YARA rule can be deployed with the yara command-line scanner or any YARA-capable endpoint or file scanner. Its detection logic contains four string patterns ($x1 to $x4), each declared fullword (not bordered by an alphanumeric byte); the rule fires on any file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 100 KB, and contains at least one of those strings. A hit on a legitimate file is tuned by allow-listing that file's hash. The false-positive scenarios below concern process-creation telemetry (msiexec.exe, taskeng.exe, cmd.exe, powershell.exe) that the hunt may pivot to in Sentinel, not the file-content match itself.
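The rule's condition, re-implemented in pure Python so its logic can be exercised without a YARA install. This is an added example, not code from the original page or from the rule's author; in production run the rule itself with yara or yara-python. The fake_pe helper and the SAMPLES below are constructed inputs that exercise the three parts of the condition (MZ header, size bound, fullword string match).

```python
"""Pure-Python emulation of EquationGroup_Toolset_Apr17_SetResourceName's condition.

Added example, not from the original page or the rule's author. The sample
"files" are constructed stand-ins, not real leaked binaries.
"""
import re

# The four ASCII strings from the rule, each declared "fullword".
RULE_STRINGS = {
    "$x1": b"Updates the name of the dll or executable in the resource file",
    "$x2": b"*NOTE: SetResourceName does not work with PeddleCheap versions",
    "$x3": b"2 = [appinit.dll] level4 dll",
    "$x4": b"1 = [spcss32.exe] level3 exe",
}
MAX_SIZE = 100 * 1024  # YARA's "100KB" means 100 * 1024 bytes; condition is strictly less than


def _fullword(pattern: bytes) -> re.Pattern:
    """YARA 'fullword': the match must not be bordered by an alphanumeric byte."""
    return re.compile(rb"(?<![0-9A-Za-z])" + re.escape(pattern) + rb"(?![0-9A-Za-z])")


PATTERNS = {sid: _fullword(s) for sid, s in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> list:
    """Identifiers of the rule strings found in data (ignores header/size checks)."""
    return [sid for sid, pat in PATTERNS.items() if pat.search(data)]


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 100KB and 1 of them"""
    is_mz = data[:2] == b"MZ"  # 0x5a4d read little-endian at offset 0 is the bytes "MZ"
    return is_mz and len(data) < MAX_SIZE and bool(matched_strings(data))


def fake_pe(payload: bytes, total_size: int = 4096) -> bytes:
    """Constructed stand-in for a PE: MZ header, zero padding, payload, padded to total_size."""
    body = b"MZ" + b"\x00" * 62 + payload
    return body + b"\x00" * max(0, total_size - len(body))


# Constructed samples covering the match and each way the condition can fail.
SAMPLES = {
    "pe_with_x4": fake_pe(b"\x00" + RULE_STRINGS["$x4"] + b"\x00"),
    # string present, but filesize == 100KB so "filesize < 100KB" is false
    "pe_too_large": fake_pe(RULE_STRINGS["$x1"], total_size=MAX_SIZE),
    # string present, but no MZ header
    "text_not_pe": b"readme: " + RULE_STRINGS["$x3"] + b"\n",
    # "21 = ..." contains $x4 as a substring, but the leading "2" breaks fullword
    "pe_partial_word": fake_pe(b"21 = [spcss32.exe] level3 exe"),
}


def scan(samples: dict) -> dict:
    """Map sample name -> (rule verdict, list of string identifiers seen)."""
    return {name: (rule_matches(data), matched_strings(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, hits) in scan(SAMPLES).items():
        print(f"{name:16} match={verdict!s:5} strings={hits}")
```

The pe_too_large and pe_partial_word cases are the ones worth keeping in mind when tuning: a string hit alone is not a rule hit, and a packed or padded sample that crosses the 100 KB bound will silently drop out of scope.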
Scenario: System Maintenance Task Using msiexec.exe
Description: A legitimate system maintenance task or Windows Update process uses msiexec.exe to install updates or patches.
Filter/Exclusion: Parse the msiexec.exe command line and exclude instances that carry /i or /update and reference a known Microsoft update package. Key the exclusion on the package (its path under the update cache, or better its hash and Authenticode signer), not on the switch alone, since /i and /update appear in malicious command lines as well.
Scenario: Scheduled Job Running taskeng.exe
Description: A scheduled task managed by taskeng.exe (Task Scheduler engine) is executing a legitimate script or batch file.
Filter/Exclusion: Exclude processes whose parent is taskeng.exe and whose command line references a script on the known-good task list. schtasks.exe is the management CLI for creating and querying tasks, not the parent of task actions, so an exclusion keyed on it will not match. taskeng.exe is the legacy task engine; on current Windows versions the Schedule service spawns task actions directly from svchost.exe, so cover that parent as well.
Scenario: Antivirus or Endpoint Protection Scan Using msiexec.exe
Description: An endpoint protection tool (e.g., Microsoft Defender, Bitdefender, etc.) uses msiexec.exe to install or update its own components.
Filter/Exclusion: Exclude instances where the MSI package path lies under a known endpoint-protection directory (e.g., C:\Program Files\Windows Defender\ or the vendor's install directory) and the package is signed by that vendor. Do not exclude on update-related switches alone; an attacker can add them to any msiexec.exe command line.
Scenario: Admin Performing Software Deployment via msiexec.exe
Description: An administrator is deploying software using msiexec.exe with a valid MSI package.
Filter/Exclusion: Exclude processes whose command line includes /qn or /qb and whose MSI package resides in a known enterprise software-deployment directory (e.g., C:\SoftwareDeployment\), provided that directory is writable only by deployment administrators; otherwise anyone who can drop a file there inherits the exclusion.
Scenario: Logon Script Execution Using cmd.exe or powershell.exe
Description: A logon script runs via cmd.exe or powershell.exe to configure user settings or perform administrative tasks.
Filter/Exclusion: