The hypothesis is that a hit on the EquationGroup Tool - April Leak signature indicates that a component of the leaked Equation Group toolset is present on a host, which in turn points to an adversary reusing the stolen tooling to establish and maintain a stealthy foothold in the network. A SOC team should proactively hunt for this artefact, scanning files with the rule and correlating hits in Azure Sentinel (now Microsoft Sentinel) with file-hash, host and process telemetry, to identify and mitigate advanced threats that may already have a foothold in the environment.
YARA Rule
rule EquationGroup_Toolset_Apr17_Shares_Target {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "6c57fb33c5e7d2dee415ae6168c9c3e0decca41ffe023ff13056ff37609235cb"
   strings:
      $s1 = "Select * from Win32_Share" fullword ascii
      $s2 = "slocalhost" fullword wide
      $s3 = "\\\\%ls\\root\\cimv2" fullword wide
      $s4 = "\\\\%ls\\%ls" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
The rule matches a file only when every part of its condition holds: the first two bytes are MZ (uint16(0) == 0x5a4d, read little-endian, so the file carries a DOS/PE header), the file is smaller than 200 KB, and all four strings are present. $s1 and $s4 are plain ASCII; $s2 and $s3 are declared wide, meaning UTF-16LE with a NUL byte after each character, so a search for their ASCII form would miss them. fullword further requires each string to be bounded by non-alphanumeric characters. Taken together the strings are consistent with the rule name Shares_Target: a Select * from Win32_Share WMI query issued against the \\host\root\cimv2 namespace of a remote machine (%ls is a wide-string format specifier), followed by construction of \\host\share UNC paths. A hit is therefore a property of a file on disk, produced by whatever scans files with the rule (an EDR, or a YARA scan of a host or image); what reaches Sentinel is the hit together with the file's hash, path and host.
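To make the condition concrete, here is an added example (not code from the page or from the rule's author) that re-implements the rule's matching logic in plain Python and runs it over constructed blobs: it shows the little-endian MZ check, the UTF-16LE encoding of the wide strings, the fullword boundary test, and why a script or an oversized file cannot match. The helper names, the constructed samples and the exact fullword semantics are assumptions modelled on YARA's behaviour; for production scanning use yara itself.

```python
"""Re-implementation of the rule's matching logic in plain Python (added
example; not the page's own code and not a replacement for YARA itself).
Sample inputs are constructed blobs, not real files."""
import struct

# The four patterns exactly as the rule declares them. Escape rules are the
# same in YARA and Python bytes literals, so b"\\\\%ls\\root\\cimv2" is the
# 16-character string \\%ls\root\cimv2.
STRINGS = (
    ("$s1", b"Select * from Win32_Share", "ascii"),
    ("$s2", b"slocalhost", "wide"),
    ("$s3", b"\\\\%ls\\root\\cimv2", "wide"),
    ("$s4", b"\\\\%ls\\%ls", "ascii"),
)
MAX_SIZE = 200 * 1024  # YARA's 200KB


def encode(pattern: bytes, wide: bool) -> bytes:
    """'wide' in YARA means UTF-16LE: every ASCII byte followed by a NUL."""
    return pattern.decode("ascii").encode("utf-16-le") if wide else pattern


def _alnum(b: int) -> bool:
    return bytes([b]).isalnum()  # ASCII-only, like C isalnum() in YARA


def _fullword(data: bytes, start: int, end: int, wide: bool) -> bool:
    """fullword: the match must not be adjacent to an alphanumeric character.
    For wide strings YARA looks one wide character (two bytes) to each side
    (assumed semantics, modelled on YARA's scanner)."""
    if wide:
        before = start >= 2 and data[start - 1] == 0 and _alnum(data[start - 2])
        after = end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end])
    else:
        before = start >= 1 and _alnum(data[start - 1])
        after = end < len(data) and _alnum(data[end])
    return not (before or after)


def find_string(data: bytes, pattern: bytes, wide: bool) -> list[int]:
    """Offsets at which the pattern occurs as a fullword match."""
    needle = encode(pattern, wide)
    hits, i = [], data.find(needle)
    while i != -1:
        if _fullword(data, i, i + len(needle), wide):
            hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def evaluate(data: bytes) -> dict:
    """Evaluate the rule condition and return the intermediate results."""
    is_pe = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D  # "MZ"
    under_size = len(data) < MAX_SIZE
    hits = {name: find_string(data, pat, enc == "wide") for name, pat, enc in STRINGS}
    return {
        "is_pe": is_pe,
        "under_size": under_size,
        "hits": hits,
        "match": is_pe and under_size and all(hits.values()),
    }


def build_sample(pe: bool = True, include=("$s1", "$s2", "$s3", "$s4"), pad: int = 0) -> bytes:
    """Constructed test blob: an MZ stub (or a script header) followed by the
    selected strings, each preceded by two NULs so fullword is satisfied."""
    parts = [b"MZ" + b"\x90" * 62 if pe else b"#!/usr/bin/env python3\n"]
    for name, pat, enc in STRINGS:
        if name in include:
            parts.append(b"\x00\x00" + encode(pat, enc == "wide"))
    parts.append(b"\x00" * pad)
    return b"".join(parts)


if __name__ == "__main__":
    for label, blob in [
        ("all four strings in a PE", build_sample()),
        ("same strings in a script", build_sample(pe=False)),
        ("PE missing the wide $s2", build_sample(include=("$s1", "$s3", "$s4"))),
        ("PE padded past 200KB", build_sample(pad=MAX_SIZE)),
    ]:
        r = evaluate(blob)
        print(f"{label}: match={r['match']} pe={r['is_pe']} size_ok={r['under_size']}")
```

The script case is worth noting when tuning the scenarios below: a PowerShell or batch file that happens to contain the same text can never satisfy uint16(0) == 0x5a4d, so the match always comes from a compiled binary.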
The scenarios below describe benign activity that can surround a hit. Because the rule is evaluated against file bytes, the YARA match itself is never caused by a running process; the process, user and host fields are context from the correlated Sentinel events. Any exclusion should therefore be keyed on the matched file (hash, path, Authenticode signer) or on an explicit allowlist of analysis hosts, not on a process name or user alone, because an adversary controls both the name of a dropped binary and the account it runs under.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task launches a compiled administrative utility that enumerates shares through WMI (a Select * from Win32_Share query against the root\cimv2 namespace of remote hosts), and such a utility can carry the same strings. A PowerShell script on its own cannot match, because the rule requires an MZ header.
Filter/Exclusion: Identify the binary the task actually launches (PowerShell.exe or taskhost.exe are only the parent processes) and exclude it by file hash or signer once it has been vetted. Do not exclude on the task path C:\Windows\System32\Tasks\ alone; an adversary who registers their own task reproduces that path trivially.
Scenario: Software Update Deployment
Description: An update or package-deployment agent such as Windows Update (wuauclt.exe) or Chocolatey (choco.exe) writes new executables to disk, so a file scan can fire shortly after an install and the hit will be correlated with the agent's process events. The agent itself is not expected to contain these strings; the question is whether the file it delivered does.
Filter/Exclusion: Exclude by the hash and signer of the matched file, not by the ProcessName of the installer or by a CommandLine containing update or install; an unsigned or unknown binary delivered through a package feed should still be escalated.
Scenario: Admin Debugging Session
Description: An administrator running Process Explorer or Procmon on a host that holds a suspicious sample generates process and file-access events around the file; the debugging tools are not themselves expected to match the rule.
Filter/Exclusion: procexp.exe and procmon.exe may be filtered from the correlated process events, but do not suppress a hit because the User field is Administrator: an intrusion that has reached this stage is typically operating with administrative rights, so a match under an admin account is a reason to escalate, not to exclude.
Scenario: Legitimate Malware Analysis Environment
Description: A sandbox or analysis host that stores or detonates the leaked toolset for forensic work will produce a genuine match on the sample (for example the file whose SHA256 is hash1 in the rule metadata).
Filter/Exclusion: Suppress hits whose Machine or Hostname is on an explicit allowlist of analysis hosts, or whose SourceIP falls in a known lab range. Matching keywords such as sandbox, analysis or vm in the hostname is fragile (a production host named vm-finance-07 would be excluded, a lab host without the keyword would not) and is best used only as a secondary signal. Keep the hit recorded even when suppressed, so that a sample leaving the lab network is noticed.
Scenario: Network Monitoring Tool Execution
Description: A capture tool such as Wireshark or tcpdump running in the background produces network and process events that may be correlated with the hit, but the rule does not inspect network traffic and these tools are not expected to carry the four strings, so they cannot be the source of the match.
Filter/Exclusion: Exclude processes with `ProcessName
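The exclusion logic the scenarios above argue for, as an added example that is not part of the original page or of the rule author's tooling: it triages constructed hits by file hash and by an explicit analysis-host allowlist, treats the Authenticode signer as a reason for review rather than automatic suppression, and carries ProcessName and User only as context. The Hit fields, the allowlists, the lab address prefix, the signer name and the sample hit records are assumptions made for the example; only RULE_HASH1 comes from the rule metadata.

```python
"""Triage of rule hits correlated with host telemetry (added example, not the
page's or the rule author's code). Hit records, allowlists and signer names are
constructed for the example; only RULE_HASH1 comes from the rule metadata."""
from dataclasses import dataclass
from typing import Optional

RULE_HASH1 = "6c57fb33c5e7d2dee415ae6168c9c3e0decca41ffe023ff13056ff37609235cb"

# Hypothetical SOC-maintained allowlists (assumptions for this example).
ANALYSIS_HOSTS = {"lab-sandbox-01", "lab-sandbox-02"}
ANALYSIS_SOURCE_PREFIXES = ("10.99.",)          # constructed lab address range
VETTED_TOOL_HASHES = {
    "1" * 64,   # constructed hash of an internal share-inventory tool the SOC reviewed
}
TRUSTED_SIGNERS = {"Contoso IT Tooling"}        # constructed Authenticode subject


@dataclass
class Hit:
    host: str
    source_ip: str
    file_path: str
    sha256: str
    signer: Optional[str]   # Authenticode subject, None if unsigned
    process_name: str       # process that touched the file (context only)
    user: str               # account in the correlated event (context only)


def in_analysis_environment(hit: Hit) -> bool:
    """Explicit allowlist only; keyword matching on 'sandbox'/'vm' is not used
    because it both over- and under-matches."""
    return hit.host.lower() in ANALYSIS_HOSTS or hit.source_ip.startswith(ANALYSIS_SOURCE_PREFIXES)


def triage(hit: Hit) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'suppress', 'review', 'escalate'.
    Exclusions are keyed on the file (hash, signer) or the lab allowlist;
    process name and user never suppress a hit on their own."""
    sha = hit.sha256.lower()
    if sha == RULE_HASH1:
        if in_analysis_environment(hit):
            return "suppress", "known leaked sample on an allow-listed analysis host"
        return "escalate", "leaked toolset sample found outside the analysis environment"
    if in_analysis_environment(hit):
        return "review", "unvetted match on an analysis host; confirm it is lab material"
    if sha in VETTED_TOOL_HASHES:
        return "suppress", "file hash is on the vetted admin-tool allowlist"
    if hit.signer in TRUSTED_SIGNERS:
        return "review", f"signed by {hit.signer}; confirm the tool is expected on {hit.host}"
    return "escalate", f"unvetted file matched (process={hit.process_name}, user={hit.user} are context only)"


def triage_all(hits: list[Hit]) -> list[tuple[str, str, str]]:
    return [(h.host, *triage(h)) for h in hits]


# Constructed hits that mirror the page's scenarios.
SAMPLE_HITS = [
    Hit("lab-sandbox-01", "10.99.0.5", "C:\\samples\\shares.exe", RULE_HASH1, None, "procmon.exe", "analyst"),
    Hit("vm-finance-07", "10.20.4.19", "C:\\Windows\\Temp\\svc.exe", RULE_HASH1, None, "taskhost.exe", "Administrator"),
    Hit("fs-01", "10.20.1.2", "C:\\Tools\\ShareInv.exe", "1" * 64, "Contoso IT Tooling", "powershell.exe", "it-admin"),
    Hit("ws-22", "10.20.7.31", "C:\\ProgramData\\choco\\lib\\x\\tools\\netinv.exe", "a" * 64, "Contoso IT Tooling", "choco.exe", "svc-deploy"),
    Hit("ws-23", "10.20.7.32", "C:\\Users\\Public\\wu.exe", "b" * 64, None, "wuauclt.exe", "Administrator"),
]

if __name__ == "__main__":
    for host, verdict, reason in triage_all(SAMPLE_HITS):
        print(f"{host:15} {verdict:9} {reason}")
```

The second sample hit is the instructive one: the host name contains vm and the correlated process is taskhost.exe under Administrator, all of which the page's keyword and process-name filters would treat as benign, yet the file is the leaked sample on a host that is not on the lab allowlist, so it is escalated.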