The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary activity leveraging a known malware tool associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by sophisticated attackers reusing legacy malware.
YARA Rule
rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "3e6bec0679c1d8800b181f3228669704adb2e9cbf24679f4a1958e4cdd0e1431"
      hash2 = "b0d2ebf455092f9d1f8e2997237b292856e9abbccfbbebe5d06b382257942e0e"
   strings:
      $s1 = "Unable to get -w hash. %x" fullword wide
      $s2 = "!\"invalid instruction mnemonic constant Id3vil\"" fullword wide
      $s4 = "Unable to set -w provider. %x" fullword wide
      $op0 = { 2b c7 50 e8 3a 8c ff ff ff b6 c0 }
      $op2 = { a1 8c 62 47 00 81 65 e0 ff ff ff 7f 03 d8 8b c1 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic (three UTF-16 "wide" strings $s1, $s2 and $s4, and two opcode sequences $op0 and $op2); its condition requires an MZ header at offset 0, a file size under 2000 KB, and a hit on at least 2 of those patterns.
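To show how that condition is evaluated, here is an added example (not from this page, its author, or YARA itself) that re-implements the rule's logic in plain Python over in-memory buffers. The function names, the simplified "fullword wide" handling, and the constructed sample buffers are all assumptions of this example.

```python
# Strings copied from the rule above. "wide" means YARA matches the text in
# its UTF-16LE encoding; "fullword" means the match may not be bordered by
# alphanumeric characters. This is a simplified stand-in, not YARA itself.
WIDE_STRINGS = {
    "$s1": "Unable to get -w hash. %x",
    "$s2": '!"invalid instruction mnemonic constant Id3vil"',
    "$s4": "Unable to set -w provider. %x",
}
HEX_STRINGS = {
    "$op0": bytes.fromhex("2bc750e83a8cffffffb6c0"),
    "$op2": bytes.fromhex("a18c6247008165e0ffffff7f03d88bc1"),
}
MAX_SIZE = 2000 * 1024  # YARA's "2000KB" (KB = 1024 bytes)

def _is_wide_alnum(pair: bytes) -> bool:
    # A UTF-16LE ASCII letter or digit: alnum low byte, zero high byte.
    return len(pair) == 2 and pair[1] == 0 and pair[0] < 128 and chr(pair[0]).isalnum()

def find_wide_fullword(data: bytes, text: str) -> bool:
    needle = text.encode("utf-16-le")
    start = 0
    while (i := data.find(needle, start)) != -1:
        before = data[max(i - 2, 0):i]
        after = data[i + len(needle):i + len(needle) + 2]
        if not _is_wide_alnum(before) and not _is_wide_alnum(after):
            return True
        start = i + 1
    return False

def matched_strings(data: bytes) -> list:
    hits = [n for n, t in WIDE_STRINGS.items() if find_wide_fullword(data, t)]
    hits += [n for n, h in HEX_STRINGS.items() if h in data]
    return hits

def rule_matches(data: bytes) -> bool:
    # Rule condition: uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return is_mz and len(data) < MAX_SIZE and len(matched_strings(data)) >= 2

# Constructed buffers (not real samples): MZ header, padding, then patterns.
SAMPLE_HIT = (b"MZ" + b"\x00" * 62
              + WIDE_STRINGS["$s1"].encode("utf-16-le") + b"\x00\x00"
              + HEX_STRINGS["$op0"])
SAMPLE_ONE_PATTERN = b"MZ" + b"\x00" * 62 + HEX_STRINGS["$op2"]
SAMPLE_NO_MZ = SAMPLE_HIT[2:]  # same content, but no MZ header at offset 0
```

Running `rule_matches` on the three buffers shows why a single pattern or a non-PE file does not fire the rule even when the strings are present.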
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a system maintenance script (e.g., schtasks.exe) that uses similar command-line arguments or file names as the EquationGroup tool.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler in the process tree.
Scenario: PowerShell Script Execution for Patching
Description: A PowerShell script (e.g., powershell.exe -Command) used by the enterprise’s patch management system to apply updates, which may include similar command structures to the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for known patching scripts or paths like C:\Windows\System32\WindowsPowerShell\v1.0\.
Scenario: Admin Task for Log File Analysis
Description: A legitimate administrative task using tools like logparser.exe or eventvwr.exe to analyze log files, which may trigger the same detection logic due to similar command-line patterns.
Filter/Exclusion: Filter by ProcessName containing logparser.exe or eventvwr.exe.
Scenario: Database Backup Job Using SQLCMD
Description: A scheduled SQL Server backup job using sqlcmd.exe to execute T-SQL scripts, which may have command-line arguments resembling those of the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName containing sqlcmd.exe and check for known SQL Server backup paths or job names.
Scenario: Antivirus or EDR Tool Scanning
Description: A legitimate endpoint protection tool (e.g., mpcmdrun.exe from Microsoft Defender) performing a full system scan, which may trigger the same detection logic due to similar process behavior.