The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of sophisticated, legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term persistence and data exfiltration risks from sophisticated adversaries.
YARA Rule
rule EquationGroup_Toolset_Apr17_Smbtouch_1_1_1 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
    strings:
        $x1 = "[+] Target is vulnerable to %d exploit%s" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic, and it only fires when all three conditions hold: the file starts with the MZ header of a PE image, it is smaller than 400 KB, and the string is present as a whole word.
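As an added illustration that is not part of the original page or of Florian Roth's rule, the Python below reimplements the rule's three conditions in plain code and runs them over constructed byte samples, so a hunter can see how uint16(0), the 400KB filesize bound and the fullword modifier combine (for production scanning use yara-python or the YARA CLI; the scan_directory helper and the sample buffers are assumptions for the demo).

```python
import re
import struct
from pathlib import Path

# Constants mirroring the rule shown above.
MAX_FILESIZE = 400 * 1024          # YARA's "400KB" means 400 * 1024 bytes
PE_MAGIC = 0x5A4D                  # "MZ" read as a little-endian uint16
STRING_X1 = b"[+] Target is vulnerable to %d exploit%s"

# YARA's "fullword" modifier: the match must not be immediately preceded
# or followed by an alphanumeric byte. "%d" and "%s" are literal bytes here.
X1_PATTERN = re.compile(
    rb"(?<![A-Za-z0-9])" + re.escape(STRING_X1) + rb"(?![A-Za-z0-9])"
)


def has_mz_header(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: first two bytes as little-endian unsigned 16-bit."""
    if len(data) < 2:
        return False
    return struct.unpack_from("<H", data, 0)[0] == PE_MAGIC


def matches_rule(data: bytes) -> bool:
    """Evaluate the condition: MZ header, size bound, and every string present."""
    return (
        has_mz_header(data)
        and len(data) < MAX_FILESIZE
        and X1_PATTERN.search(data) is not None
    )


def scan_directory(root) -> list:
    """Return paths under root whose contents match (size-checked before reading)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size < MAX_FILESIZE:
            if matches_rule(path.read_bytes()):
                hits.append(str(path))
    return hits


# Constructed sample buffers (not real malware) exercising each condition.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + STRING_X1 + b"\x00"
SAMPLE_NOT_PE = b"\x7fELF" + STRING_X1 + b"\x00"          # no MZ header
SAMPLE_PARTIAL_WORD = b"MZ" + b"\x00" * 62 + STRING_X1 + b"s\x00"  # breaks fullword
SAMPLE_TOO_LARGE = b"MZ" + b"\x00" * 62 + STRING_X1 + b"\x00" * MAX_FILESIZE
```

Note that filesize is the on-disk size in YARA, so a memory or process scan of an unpacked image may not satisfy the same bound.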
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler is running a maintenance script that includes base64 encoded content or similar patterns.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler, and filter out tasks with known maintenance scripts or those running under a non-admin account.
Scenario: PowerShell Script with Base64 Encoding
Description: A legitimate PowerShell script is using ConvertTo-Base64 or Out-File to encode data, which may resemble the encoding patterns seen in the EquationGroup tool.
Filter/Exclusion: Filter out processes with ProcessName containing powershell.exe and check for script paths in known enterprise directories like C:\Windows\System32\WindowsPowerShell\v1.0\.
Scenario: Admin Task for Log File Rotation
Description: An admin task is rotating or compressing log files using tools like logrotate or gzip, which may include base64 encoded data in the process.
Filter/Exclusion: Filter for ProcessName containing logrotate or gzip, and check for execution in log directories such as C:\Windows\System32\LogFiles.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or SCCM (System Center Configuration Manager) update deployment is using base64 encoded payloads for package delivery, triggering the rule.
Filter/Exclusion: Filter for ProcessName containing ccmexec.exe or Software Center, and check for execution in SCCM-related directories like C:\Windows\CCM.
Scenario: Legitimate Data Encoding in Internal Tools
Description: An internal tool or application (e.g., `openssl