The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates possible adversary use of legacy tooling from the 2017 Shadow Brokers leak, associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_Windows_Implant {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "d38ce396926e45781daecd18670316defe3caf975a3062470a87c1d181a61374"
    strings:
        $s2 = "0#0)0/050;0M0Y0h0|0" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
}
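To make the rule's three conditions concrete, the following is an added example (not code from the page or from the rule's author) that re-implements the condition in pure Python and runs it over constructed byte buffers. It assumes YARA's `50KB` suffix means 50 * 1024 bytes and that the `fullword` boundary test behaves like C `isalnum()` on ASCII bytes; the sample buffers are constructed for illustration, not real files.

```python
"""Re-implement the rule's three conditions in pure Python and exercise them
on constructed samples (added example; not code from the original page)."""

MZ_MAGIC = 0x5A4D             # uint16(0) == 0x5a4d: "MZ" read little-endian
MAX_SIZE = 50 * 1024          # assumption: YARA's "50KB" suffix is 50 * 1024 bytes
S2 = b"0#0)0/050;0M0Y0h0|0"   # the rule's only string, declared 'fullword ascii'


def _is_alnum(byte: int) -> bool:
    """ASCII-only isalnum(), assumed to mirror YARA's 'fullword' boundary test."""
    return byte < 128 and chr(byte).isalnum()


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Offsets of needle that are not adjacent to an alphanumeric byte."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        end = i + len(needle)
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            hits.append(i)
        start = i + 1


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 50KB and all of them ($s2 is the only string)."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return bool(fullword_offsets(data, S2))


# Constructed samples (not real files): a minimal MZ-prefixed buffer stands in
# for a small PE; each of the other buffers violates exactly one condition.
_DOS_STUB = b"MZ" + b"\x00" * 62
SAMPLES = {
    "small_pe_with_string": _DOS_STUB + b"\x00" + S2 + b"\x00" + b"\x90" * 200,
    "script_with_string":   b"#!/bin/sh\n# " + S2 + b"\n",        # no MZ header
    "oversized_pe":         _DOS_STUB + S2 + b"\x00" * MAX_SIZE,  # not < 50 KB
    "string_inside_word":   _DOS_STUB + b"A" + S2 + b"B",         # fullword fails
}


def scan_samples() -> dict:
    """Evaluate every sample; returns {name: matched}."""
    return {name: rule_matches(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in scan_samples().items():
        print(f"{name:22s} -> {'MATCH' if matched else 'no match'}")
```

Only the first sample matches. The `script_with_string` case is the one worth remembering when triaging: because the condition requires an MZ header at offset 0, text files such as scripts, logs or exported CSV data cannot satisfy this rule no matter what encoded strings they contain; a hit always means a small PE file was scanned.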
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic, so "all of them" in the condition is equivalent to requiring just $s2, alongside the MZ header check and the 50 KB size limit.
The scenarios below are exclusions for the alerting pipeline (for example, when a file match is correlated with process telemetry in Sentinel), not changes to the YARA logic itself. Keep in mind that the rule only fires on a file that starts with an MZ header, is smaller than 50 KB and contains the exact string $s2 delimited by non-alphanumeric bytes; script text, base64 output or log data cannot match it on its own.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task created with schtasks.exe or Task Scheduler runs a maintenance script. The script text cannot match this rule; a hit can only come from a small executable that the task writes or invokes.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler, and filter out known maintenance tasks, preferably by the hash of the file that matched rather than by task name alone.
Scenario: PowerShell Script with Base64 Encoding
Description: A legitimate PowerShell script encodes data with [Convert]::ToBase64String (PowerShell has no built-in ConvertTo-Base64 cmdlet). Encoded text in the script or its output cannot satisfy the MZ header check; only a small PE file written by the script, for example via Out-File or Set-Content, could match.
Filter/Exclusion: Filter out processes where ProcessName is powershell.exe and the command line includes the known encoding or Out-File step, after confirming that the matched file is an expected artifact of that script.
Scenario: Admin Tool with Embedded Strings
Description: A legitimate admin tool such as PsExec or another PsTools binary could in principle contain a byte sequence resembling $s2. Check the file size first: the rule cannot fire on any file of 50 KB or more.
Filter/Exclusion: Exclude processes with ProcessName containing PsExec or PSTools only when the matched binary carries a valid Sysinternals signature; verify the signature rather than trusting the file name.
Scenario: Log File Parsing or Data Export Job
Description: A scheduled job using logparser.exe, Export-Csv or Import-Csv exports logs that include base64 or other encoded data. The exported data is text and cannot match this rule; a match attributed to such a job points at a small executable it touched, not at the export itself.
Filter/Exclusion: Filter out processes with ProcessName containing logparser.exe or command lines using Export-Csv or Import-Csv, and confirm the matched file is a known component of the parsing tool.
Scenario: Antivirus or EDR Tool Scanning
Description: A legitimate antivirus or EDR tool such as Microsoft Defender or CrowdStrike scans files and may copy samples into quarantine or sample-collection folders. A match in those locations is usually a true match on a contained file rather than a false positive, and should be triaged as such rather than suppressed.
Filter/Exclusion: Exclude processes with ProcessName