Hypothesis: a hit on the EquationGroup Tool - April Leak rule (from the April 2017 Shadow Brokers "Lost in Translation" release referenced below) indicates possible adversary use of legacy tooling whose on-disk indicators are well documented, here a small PE file carrying a WMI process-enumeration query. Because the rule is a file-content signature, a SOC team should hunt for it proactively in Azure Sentinel by correlating scanner hits and the reference hash (hash1 below) with file and process telemetry, to identify and contain long-dwelling threats that evaded real-time detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_wmi_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "de08d6c382faaae2b4b41b448b26d82d04a8f25375c712c12013cb0fac3bc704"
   strings:
      $x1 = "SELECT ProcessId,Description,ExecutablePath FROM Win32_Process" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
}
Detection logic: the rule fires on a file whose first two bytes are the MZ header (uint16(0) == 0x5a4d, read little-endian), that is smaller than 50 KB, and that contains the single string pattern $x1, a WQL query that enumerates running processes through the Win32_Process class; the fullword qualifier requires the query to be bordered by non-alphanumeric bytes or the file boundary. Because the query text itself is generic, a match should be confirmed against hash1 or the file's signer before escalation, since legitimate tooling that enumerates processes via WMI could carry the same query. The scenarios below describe benign activity that can look like a hit once rule matches are correlated with process telemetry in Azure Sentinel, and the exclusions a SOC team might apply in the hunting query (the YARA rule itself inspects file content and is not where process-based filters belong).
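To make the condition concrete, here is an added example (written for this page, not yara-python and not part of the rule set the rule above comes from) that re-implements the rule's three checks in plain Python and runs them over four constructed byte strings: a small MZ file carrying the query, the same content without an MZ header, an oversized MZ file, and an MZ file where the query is glued to a trailing alphanumeric character so the fullword qualifier should reject it. The sample contents and helper names are assumptions.

```python
"""Plain-Python re-implementation of the condition in
EquationGroup_Toolset_Apr17_wmi_Implant (added example, not yara-python).
Reproduces: uint16(0) == 0x5a4d, filesize < 50KB, and one `fullword ascii`
string. All sample inputs below are constructed for illustration."""

WMI_QUERY = b"SELECT ProcessId,Description,ExecutablePath FROM Win32_Process"
MAX_SIZE = 50 * 1024  # YARA's KB suffix is 1024 bytes, so 50KB == 51200


def is_alnum_byte(b: int) -> bool:
    # YARA's fullword rule: the string may not be bordered by alphanumerics.
    return (0x30 <= b <= 0x39) or (0x41 <= b <= 0x5A) or (0x61 <= b <= 0x7A)


def fullword_match(data: bytes, needle: bytes) -> bool:
    """True if `needle` occurs in `data` delimited by non-alphanumeric bytes
    or by the start/end of the buffer (file boundaries count as delimiters)."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = start == 0 or not is_alnum_byte(data[start - 1])
        after_ok = end == len(data) or not is_alnum_byte(data[end])
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)
    return False


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition against one file's bytes."""
    # uint16(0) is a little-endian read; b"MZ" == 0x4D 0x5A -> 0x5A4D
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:  # filesize < 50KB
        return False
    return fullword_match(data, WMI_QUERY)  # "all of them" == the single $x1


def build_sample(header: bytes, payload: bytes, size: int) -> bytes:
    """Constructed test file: header, 64 bytes of padding, payload, then
    zero padding up to `size` bytes (never truncated below the payload)."""
    body = header + b"\x00" * 64 + payload
    return body + b"\x00" * max(0, size - len(body))


# Constructed samples, one per branch of the condition.
SAMPLES = {
    "implant_like": build_sample(b"MZ", b"\x00" + WMI_QUERY + b"\x00", 4096),
    "not_pe": build_sample(b"\x7fELF", b"\x00" + WMI_QUERY + b"\x00", 4096),
    "too_large": build_sample(b"MZ", b"\x00" + WMI_QUERY + b"\x00", MAX_SIZE + 1),
    # query followed by "2" -> "Win32_Process2", which fullword must reject
    "not_fullword": build_sample(b"MZ", b"\x00" + WMI_QUERY + b"2\x00", 4096),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule would match it."""
    return {name: rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:14s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample matches. The last one is the case that trips people up in production tuning: a plain substring scan would flag it, but YARA's fullword qualifier does not, so a hunting query that approximates the rule with a naive `contains` will over-report relative to the scanner.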
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance job registered with schtasks.exe and launched by the Task Scheduler service, such as a periodic cleanup of temporary files or an update of system settings.
Filter/Exclusion: Exclude process events whose parent is the Task Scheduler service and whose command line invokes a known maintenance binary from its expected location (e.g., cleanmgr.exe, the Windows Disk Cleanup utility, in System32). Match on the full image path rather than the bare name, since a name alone is trivial to spoof.
Scenario: Admin Performing Disk Cleanup
Description: An administrator running cleanmgr.exe (Disk Cleanup) interactively to remove temporary files or system cache.
Filter/Exclusion: Exclude process events whose image path is the System32 copy of cleanmgr.exe, ideally confirmed by a known-good file hash. Do not use the account's privilege level as the exclusion criterion: an adversary operating with stolen domain admin credentials satisfies that condition just as well as a real administrator, and those are exactly the sessions a long-dwell hunt needs to keep.
Scenario: Antivirus Scan Using ClamAV
Description: A legitimate ClamAV scan (clamscan.exe, or clamdscan.exe submitting files to the clamd service) that opens many files and can trigger file-based detections during scheduled scans.
Filter/Exclusion: Exclude clamscan.exe and clamdscan.exe when launched from the ClamAV installation directory during scheduled scans. A substring match on "clamav" anywhere in a command line is too broad and should be avoided.
Scenario: Log File Compression by Windows Task Scheduler
Description: A scheduled task using compact.exe to compress log files; the burst of file modifications can resemble tooling activity.
Filter/Exclusion: Exclude compact.exe invocations that use its compression switches (/C to compress, /S to recurse subdirectories) against known log directories, e.g. compact.exe /C /S C:\Logs.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or SCCM (System Center Configuration Manager) deployment that runs installer scripts or tools whose behavior resembles that of the EquationGroup tool.
Filter/Exclusion: Exclude child processes of ccmexec.exe (the Configuration Manager client host) whose image hash matches the content of the deployed package. setup.exe is a generic name used by many installers and should not be excluded by name alone.
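The exclusions above key on command-line text, parent process name and account privilege. The following added example (constructed for this page, not taken from the original or from any Sentinel query) applies those filters to four constructed process-creation records and contrasts them with an exclusion that requires a known-good image hash. The record fields, the placeholder SHA-256 digests and the event contents are all assumptions.

```python
"""Added example: name-based versus hash-based exclusions over constructed
process-creation records. Not part of the original page. Field names are an
assumption; SHA-256 values are placeholders, not real file hashes."""

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ProcessEvent:
    file_name: str        # image name of the created process
    command_line: str
    sha256: str           # hash of the image on disk
    parent: str           # image name of the initiating process
    account_is_admin: bool


# Constructed placeholder digests. A real deployment would populate this set
# from gold-image inventories, never from the field events being triaged.
GOOD_CLEANMGR = "11" * 32
GOOD_COMPACT = "22" * 32
GOOD_CLAMSCAN = "33" * 32
KNOWN_GOOD_HASHES = {GOOD_CLEANMGR, GOOD_COMPACT, GOOD_CLAMSCAN}

EXCLUDED_TOOLS = ("cleanmgr.exe", "compact.exe", "clamscan.exe", "clamav")


def naive_exclusion(ev: ProcessEvent) -> bool:
    """The scenario filters as written: substring match on the command line,
    or any child of the SCCM client host. Account privilege is not checked
    because it never changes the outcome; an attacker with stolen admin
    credentials satisfies it as easily as a real administrator."""
    cmd = ev.command_line.lower()
    if any(tool in cmd for tool in EXCLUDED_TOOLS):
        return True
    return ev.parent.lower() == "ccmexec.exe"


def hardened_exclusion(ev: ProcessEvent) -> bool:
    """Exclude only when the image hash is in the known-good set. Command
    line, parent name and privilege level are not trusted on their own."""
    return ev.sha256 in KNOWN_GOOD_HASHES


def triage(events: Dict[str, ProcessEvent],
           exclude: Callable[[ProcessEvent], bool]) -> List[str]:
    """Return the labels of events that survive the exclusion (need review)."""
    return [label for label, ev in events.items() if not exclude(ev)]


# Constructed events; /sagerun:1 and /C /S are real cleanmgr/compact switches.
EVENTS = {
    "disk_cleanup_signed": ProcessEvent(
        "cleanmgr.exe", "cleanmgr.exe /sagerun:1", GOOD_CLEANMGR, "svchost.exe", True),
    # same name and arguments, but an image whose hash nobody has vetted
    "renamed_unknown_binary": ProcessEvent(
        "cleanmgr.exe", "cleanmgr.exe /sagerun:1", "ab" * 32, "cmd.exe", True),
    "log_compression": ProcessEvent(
        "compact.exe", r"compact.exe /C /S C:\Logs", GOOD_COMPACT, "svchost.exe", False),
    # launched by the SCCM client host, but not content the team has hashed
    "sccm_child_unknown": ProcessEvent(
        "update.exe", "update.exe /quiet", "cd" * 32, "ccmexec.exe", False),
}


if __name__ == "__main__":
    print("naive keeps:   ", triage(EVENTS, naive_exclusion))
    print("hardened keeps:", triage(EVENTS, hardened_exclusion))
```

The name-based filter suppresses every record, including the two that deserve a look; the hash-based filter keeps exactly those two while still dropping the genuine Disk Cleanup and compact.exe runs. In a hunting query the same idea is a join of process events against a maintained list of known-good hashes rather than string matching on the command line.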