The hypothesis is that a hit on the EquationGroup Tool - April Leak detection indicates potential adversary use of advanced persistent threat techniques to exfiltrate data or establish persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging known malware artifacts.
YARA Rule

rule EquationGroup_Toolset_Apr17_st_lp {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "3b6f756cca096548dcad2b6c241c1dafd16806c060bec82a530f4d38755286a2"
    strings:
        $x1 = "Previous command: set injection processes (status=0x%x)" fullword ascii
        $x2 = "Secondary injection process is <null> [no secondary process will be used]" fullword ascii
        $x3 = "Enter the address to be used as the spoofed IP source address (xxx.xxx.xxx.xxx) -> " fullword ascii
        $x4 = "E: Execute a Command on the Implant" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns ($x1 to $x4) in its detection logic; the condition fires when any one of them is found as a whole word in a file that starts with an MZ header and is smaller than 300KB.
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update service may trigger the rule due to similar file names or hashes.
Filter/Exclusion: Check the process.name field for wuauclt.exe or WindowsUpdate.exe and exclude processes associated with Windows Update.

Scenario: Scheduled Job Running Microsoft Baseline Security Analyzer (MSBAS)
Description: The MSBAS tool is used for security assessments and may generate similar network activity to the EquationGroup tool.
Filter/Exclusion: Filter by process.name containing mbsa.exe or msbas.exe and exclude any activity related to known security scanning tasks.

Scenario: Admin Task - PowerShell Script for Patch Management
Description: An administrator may run a PowerShell script to automate patch management, which could trigger the rule due to similar command-line behavior.
Filter/Exclusion: Use process.name to filter for powershell.exe and check for known admin scripts or command-line arguments like -File with a known patch management script path.

Scenario: Legitimate Use of Microsoft Network Monitor (NPM)
Description: Network monitoring tools like Microsoft Network Monitor (NPM) may capture traffic that resembles malicious activity.
Filter/Exclusion: Filter by process.name containing nmm.exe or nmp.exe and exclude any traffic associated with known network monitoring tasks.

Scenario: Scheduled Task for Log Collection via Microsoft Log Parser
Description: A scheduled task using Microsoft Log Parser to collect and analyze logs may trigger the rule due to similar process behavior.
Filter/Exclusion: Check for process.name containing logparser.exe and exclude any tasks associated with log collection or analysis tools.