The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_SlDecoder {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "b220f51ca56d9f9d7d899fa240d3328535f48184d136013fd808d8835919f9ce"
    strings:
        $x1 = "Error in conversion. SlDecoder.exe <input filename> <output filename> at command line " fullword wide
        $x2 = "KeyLogger_Data" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}
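To make the rule's condition concrete, the following is an added example (not code from the rule's author or from this page) that emulates its matching logic in pure Python over constructed sample buffers. It shows what each clause contributes: `wide` means the strings are searched as UTF-16LE, `fullword` rejects hits embedded in a longer alphanumeric run, `uint16(0) == 0x5a4d` requires an MZ header, and `filesize < 200KB` caps the file size. The `fullword` handling is an approximation of YARA's semantics and the sample buffers are fabricated; in production, compile and scan with yara-python rather than this emulation.

```python
"""Pure-Python emulation of EquationGroup_Toolset_Apr17_SlDecoder's condition.
Added example, not the rule author's code; samples below are constructed."""
import re

# The rule's two string patterns, exactly as written in the rule.
PATTERNS = {
    "$x1": "Error in conversion. SlDecoder.exe <input filename> <output filename> at command line ",
    "$x2": "KeyLogger_Data",
}
MAX_SIZE = 200 * 1024  # YARA's `filesize < 200KB` (KB = 1024 bytes)


def wide_fullword_regex(text: str) -> re.Pattern:
    """Build a bytes regex for a `fullword wide` YARA string.

    `wide`: the ASCII text is encoded as UTF-16LE (each char followed by NUL).
    `fullword`: the match may not be preceded or followed by an alphanumeric
    character; for wide strings we inspect the neighbouring UTF-16LE code unit.
    This approximates YARA's exact rules and is enough for the demonstration."""
    needle = re.escape(text.encode("utf-16-le"))
    alnum_unit = rb"[0-9A-Za-z]\x00"
    return re.compile(rb"(?<!" + alnum_unit + rb")" + needle + rb"(?!" + alnum_unit + rb")")


REGEXES = {name: wide_fullword_regex(text) for name, text in PATTERNS.items()}


def rule_matches(data: bytes) -> dict:
    """Evaluate the rule's condition and return each clause's result."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    hits = {name: bool(rx.search(data)) for name, rx in REGEXES.items()}
    matched = is_mz and size_ok and any(hits.values())  # "1 of them"
    return {"mz": is_mz, "size_ok": size_ok, "strings": hits, "matched": matched}


def make_sample(payload: bytes, mz: bool = True, pad_to: int = 4096) -> bytes:
    """Constructed sample: a fake 64-byte DOS header, the payload, zero padding.
    Not a real PE; only the first two bytes and the total size matter here."""
    header = (b"MZ" if mz else b"ZM") + b"\x00" * 62
    body = header + payload
    return body + b"\x00" * max(0, pad_to - len(body))


# Constructed inputs covering the hit and each way the condition can fail.
SAMPLE_X1 = make_sample(PATTERNS["$x1"].encode("utf-16-le"))
SAMPLE_WIDE = make_sample(PATTERNS["$x2"].encode("utf-16-le"))
SAMPLE_ASCII = make_sample(b"KeyLogger_Data")                           # not wide
SAMPLE_NOT_FULLWORD = make_sample("xKeyLogger_Datax".encode("utf-16-le"))  # embedded
SAMPLE_NO_MZ = make_sample(PATTERNS["$x2"].encode("utf-16-le"), mz=False)
SAMPLE_TOO_BIG = make_sample(PATTERNS["$x2"].encode("utf-16-le"), pad_to=MAX_SIZE)

if __name__ == "__main__":
    for label, buf in [("x1 wide", SAMPLE_X1), ("x2 wide", SAMPLE_WIDE),
                       ("x2 ascii", SAMPLE_ASCII), ("x2 embedded", SAMPLE_NOT_FULLWORD),
                       ("no MZ", SAMPLE_NO_MZ), ("200KB", SAMPLE_TOO_BIG)]:
        print(f"{label:12s} -> {rule_matches(buf)}")
```

The ASCII and embedded samples are the instructive failures: a triage analyst who greps a file for `KeyLogger_Data` and finds it may still see no YARA hit, because the rule only looks for the UTF-16LE form as a whole word.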
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName = "schtasks.exe" and CommandLine containing known maintenance commands (e.g., cleanmgr, diskcleanup).
Scenario: Windows Update Installer
Description: The Windows Update installer (wusa.exe) may trigger the rule when installing updates, especially if the detection logic includes common strings found in update packages.
Filter/Exclusion: Filter by ProcessName = "wusa.exe" and check for CommandLine containing update or install.
Scenario: Microsoft System Center Configuration Manager (SCCM) Task
Description: SCCM may execute scripts or tasks that include similar strings to the EquationGroup tool, especially during patch management or configuration updates.
Filter/Exclusion: Use ProcessName = "ccmexec.exe" or ProcessName = "smsutil.exe" and check for known SCCM command-line arguments.
Scenario: PowerShell Script for Log Analysis
Description: A legitimate PowerShell script used for log analysis or system monitoring might include strings that match the EquationGroup tool’s signature.
Filter/Exclusion: Filter by ProcessName = "powershell.exe" and check for CommandLine containing log, analyze, or monitor.
Scenario: Antivirus or EDR Tool Scanning
Description: Security tools like Microsoft Defender or CrowdStrike may use similar strings during malware scanning or heuristic analysis, leading to false positives.
Filter/Exclusion: Check for ProcessName containing mpcmdrun.exe, msmpeng.exe, or crowdstrike and filter based on known security tool command-line
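The five Filter/Exclusion scenarios above can be encoded as a small tuning table that runs over alert records before they reach an analyst. The block below is an added example (not part of the original page) that does exactly that on constructed alert records with `ProcessName`, `CommandLine` and `SHA256` fields; the field names are assumptions. One defender-side addition beyond the page's text: an alert whose file hash equals the rule's `hash1` is never suppressed, whatever the process looks like, because the exclusions are keyword heuristics (for instance, any PowerShell command line containing "log") and must not hide a confirmed sample. Where the page lists no command-line keywords for a scenario (SCCM, AV/EDR), the process name alone decides.

```python
"""Apply the page's false-positive exclusions to alert records.
Added example; alert records and field names are constructed assumptions."""

# hash1 from the YARA rule's meta section: a confirmed sample is never suppressed.
KNOWN_HASH = "b220f51ca56d9f9d7d899fa240d3328535f48184d136013fd808d8835919f9ce"

# One entry per scenario on the page. `process` = exact image name match,
# `process_contains` = substring match (the AV/EDR scenario says "containing").
# `cmdline_any` = any of these substrings must appear; empty means no
# command-line criterion is listed on the page for that scenario.
EXCLUSIONS = [
    {"scenario": "Scheduled System Maintenance Task",
     "process": {"schtasks.exe"}, "cmdline_any": ("cleanmgr", "diskcleanup")},
    {"scenario": "Windows Update Installer",
     "process": {"wusa.exe"}, "cmdline_any": ("update", "install")},
    {"scenario": "Microsoft SCCM Task",
     "process": {"ccmexec.exe", "smsutil.exe"}, "cmdline_any": ()},
    {"scenario": "PowerShell Script for Log Analysis",
     "process": {"powershell.exe"}, "cmdline_any": ("log", "analyze", "monitor")},
    {"scenario": "Antivirus or EDR Tool Scanning",
     "process_contains": ("mpcmdrun.exe", "msmpeng.exe", "crowdstrike"), "cmdline_any": ()},
]


def image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased base name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def exclusion_applies(rule: dict, alert: dict) -> bool:
    """True when the alert satisfies one scenario's Filter/Exclusion criteria."""
    name = image_name(alert.get("ProcessName", ""))
    cmdline = alert.get("CommandLine", "").lower()
    if "process" in rule:
        proc_ok = name in rule["process"]
    else:
        proc_ok = any(s in name for s in rule["process_contains"])
    if not proc_ok:
        return False
    keywords = rule["cmdline_any"]
    return not keywords or any(k in cmdline for k in keywords)


def triage(alert: dict) -> tuple:
    """Return ("escalate" | "suppress", reason) for one alert record."""
    if alert.get("SHA256", "").lower() == KNOWN_HASH:
        return ("escalate", "file hash equals rule hash1; exclusions bypassed")
    for rule in EXCLUSIONS:
        if exclusion_applies(rule, alert):
            return ("suppress", rule["scenario"])
    return ("escalate", "no exclusion matched")


# Constructed alert records; none of these describe real hosts or files.
ALERTS = [
    {"ProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /Run /TN CleanMgr-Weekly", "SHA256": "aa" * 32},
    {"ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File Get-Logs.ps1", "SHA256": "bb" * 32},
    {"ProcessName": r"C:\Users\Public\SlDecoder.exe",
     "CommandLine": "SlDecoder.exe in.bin out.bin", "SHA256": "cc" * 32},
    {"ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File analyze.ps1", "SHA256": KNOWN_HASH},
    {"ProcessName": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -Scan -ScanType 2", "SHA256": "dd" * 32},
]


def triage_all(alerts=ALERTS) -> list:
    """Triage every record; returns a list of (action, reason) tuples."""
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for alert, (action, reason) in zip(ALERTS, triage_all()):
        print(f"{action:8s} {image_name(alert['ProcessName']):16s} {reason}")
```

The fourth record is the case the hash guard exists for: it looks exactly like the PowerShell log-analysis scenario, but carries the rule's known hash, so it is escalated rather than filtered.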