The hypothesis is that a match on EquationGroup Tool - April Leak (the svctouch utility from the Shadow Brokers' April 2017 "Lost in Translation" release referenced in the rule) indicates potential adversary activity leveraging a known tool associated with advanced persistent threats. SOC teams should proactively hunt for this artifact and correlate matches in Azure Sentinel to identify and mitigate early-stage compromise attempts by sophisticated adversaries.
YARA Rule
rule EquationGroup_Toolset_Apr17_svctouch {
meta:
description = "Detects EquationGroup Tool - April Leak"
author = "Florian Roth"
reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
date = "2017-04-15"
hash1 = "96b6a3c4f53f9e7047aa99fd949154745e05dc2fd2eb21ef6f0f9b95234d516b"
strings:
$s1 = "Causes: Firewall,Machine down,DCOM disabled\\not supported,etc." fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 10KB and 1 of them )
}
This YARA rule is a file-content signature: it can be deployed wherever files or memory can be scanned with YARA (endpoint scanners, mail or web gateways, retrospective scans of collected samples). It contains one string pattern in its detection logic, gated on an MZ header and a file size under 10 KB. Note that the rule matches on file bytes, not on process names or command lines; the tuning scenarios below apply when a YARA match is correlated with process telemetry in Sentinel, and none of them should be used to suppress the file match itself.
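To make the rule's condition concrete, the following is an added example (not code from the original page or from the rule author) that re-implements the three checks in plain Python so they can be exercised offline on constructed byte strings. The function names, the synthetic sample builder and the inline test blobs are assumptions for illustration; in production you would compile the rule with yara-python rather than reimplement it.

```python
"""Plain-Python re-implementation of EquationGroup_Toolset_Apr17_svctouch's condition.

Added example: the helpers below are hypothetical and the samples are constructed,
not real EquationGroup binaries.
"""

# $s1 from the rule. In YARA source the backslash is escaped ("\\not"), so the
# bytes actually searched for contain a single backslash.
S1 = b"Causes: Firewall,Machine down,DCOM disabled\\not supported,etc."

# YARA's "10KB" is 10 * 1024 bytes.
MAX_SIZE = 10 * 1024


def _fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword' modifier: the match must not be immediately
    preceded or followed by an alphanumeric byte."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        # bytes.isalnum() is False for an empty slice, so file edges count as delimiters
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1


def matches_svctouch(data: bytes) -> bool:
    """Return True when data satisfies the rule's condition:
    uint16(0) == 0x5a4d and filesize < 10KB and 1 of them."""
    if len(data) < 2:
        return False
    # uint16(0) is read little-endian, so 0x5a4d corresponds to the bytes b"MZ".
    if int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    # "1 of them" with a single declared string reduces to: $s1 present.
    return _fullword_present(data, S1)


def build_sample(include_string: bool, size: int,
                 header: bytes = b"MZ", suffix: bytes = b"\x00") -> bytes:
    """Construct a synthetic blob (hypothetical helper, not a real sample) so the
    header, size and fullword gates can each be exercised independently."""
    body = bytearray(header)
    if include_string:
        body += b"\x00" * 16 + S1 + suffix
    if len(body) < size:
        body += b"\x00" * (size - len(body))
    return bytes(body)


if __name__ == "__main__":
    cases = {
        "small PE with string": build_sample(True, 4096),
        "string but oversized": build_sample(True, 20000),
        "small PE, no string": build_sample(False, 4096),
        "string but not a PE": build_sample(True, 4096, header=b"ZM"),
        "string glued to text": build_sample(True, 4096, suffix=b"X"),
    }
    for name, blob in cases.items():
        print(f"{name:24s} -> {matches_svctouch(blob)}")
```

With yara-python the authoritative result for the same blobs is `yara.compile(source=rule_text).match(data=blob)`; the plain-Python version above is only there to show why the header and size gates matter: the string alone is not enough, and a sample padded past 10 KB or not starting with MZ will not fire.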
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a system maintenance script (e.g., schtasks.exe) that uses similar command-line arguments or file names as the EquationGroup tool.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler in the event log, or filter by CommandLine containing /create or /run.
Scenario: PowerShell Script Execution for Patching
Description: A PowerShell script (e.g., PowerShell.exe) used by the IT department to apply system patches or updates, which may include similar command patterns to the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing PowerShell.exe and check for known patching scripts or paths like C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
Scenario: Admin Tool for Log Management
Description: A legitimate admin tool (e.g., LogParser.exe from Microsoft) used to analyze or manage system logs, which may have similar command-line structures to the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing LogParser.exe or check for known log management tools in the process tree.
Scenario: Antivirus or EDR Scan
Description: A security tool (e.g., Microsoft Defender Antivirus, CrowdStrike Falcon) performing a scan or update, which may produce network or file activity similar to that of the EquationGroup tool.
Filter/Exclusion: Check for ProcessName containing MsMpEng.exe, Falcon.exe, or other known security tool names, or filter by ParentProcessName matching a known security service.
Scenario: Database Backup Job
Description: A database backup job (e