Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, sophisticated threats that may have evaded traditional detection mechanisms.

YARA Rule

rule EquationGroup_Toolset_Apr17_tacothief {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c71953cc84c27dc61df8f6f452c870a7880a204e9e21d9fd006a5c023b052b35"
   strings:
      $x1 = "File too large!  Must be less than 655360 bytes." fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system caches.
  Filter/Exclusion: Exclude processes where image contains schtasks.exe and parent_image is services.exe or taskhost.exe.

• Scenario: Antivirus or Endpoint Protection Scan
  Description: A security tool like Microsoft Defender or Malwarebytes performing a full system scan, which may trigger similar behavior to the EquationGroup tool.
  Filter/Exclusion: Exclude processes where image contains MsMpEng.exe, mbam.exe, or microsoft defender and process_name is known antivirus tool.

• Scenario: PowerShell Script for Log Cleanup
  Description: A legitimate PowerShell script run by an admin to clean up old log files or system artifacts, which may involve similar command-line activity.
  Filter/Exclusion: Exclude processes where process_name is powershell.exe and parent_image is explorer.exe or cmd.exe, and command_line contains clean, log, or remove.

• Scenario: Windows Update or Patching Job
  Description: A Windows Update or patching job initiated by wuauclt.exe or setup.exe, which may involve file modifications or registry changes.
  Filter/Exclusion: Exclude processes where image contains wuauclt.exe or setup.exe and parent_image is services.exe or taskhost.exe.

• Scenario: Database Backup or Restore Job
  Description: A database backup or restore operation using tools like sqlbackup.exe or mysqldump.exe, which may involve file system activity similar to malicious behavior.