Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hunt hypothesis detects potential adversary use of the EquationGroup tool, specifically the April Leak variant, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging known malware.

YARA Rule

rule EquationGroup_Toolset_Apr17_xxxRIDEAREA {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "214b0de83b04afdd6ad05567825b69663121eda9e804daff9f2da5554ade77c6"
   strings:
      $x1 = "USAGE: %s -i InputFile -o OutputFile [-f FunctionOrdinal] [-a FunctionArgument] [-t ThreadOption]" fullword ascii
      $x2 = "The output payload \"%s\" has a size of %d-bytes." fullword ascii
      $x3 = "ERROR: fwrite(%s) failed on ucPayload" fullword ascii
      $x4 = "Load and execute implant within the existing thread" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
  Filter/Exclusion: Exclude processes where the command line includes cleanmgr.exe, diskcleanup.exe, or schtasks /run with known maintenance scripts.

• Scenario: Windows Update or Patching Process
  Description: The system is running a Windows Update or patching process, which may involve the EquationGroup tool’s signature due to similar file names or behaviors.
  Filter/Exclusion: Exclude processes where the parent process is svchost.exe or wuauclt.exe, and the command line includes wuau or update.

• Scenario: Antivirus or Endpoint Protection Scan
  Description: A legitimate antivirus or endpoint protection tool, such as Bitdefender or Kaspersky, may trigger the detection due to similar file hashes or behaviors.
  Filter/Exclusion: Exclude processes where the executable name contains av, antivirus, or kaspersky, and the command line includes scan or update.

• Scenario: PowerShell Script for System Configuration
  Description: A PowerShell script used by administrators to configure system settings, such as PowerShell.exe running a script that modifies registry keys or services.
  Filter/Exclusion: Exclude processes where the command line includes PowerShell.exe and the script path is known to be from a trusted admin tool or internal script repository.

• Scenario: Log Collection or Monitoring Tool
  Description: A log collection or monitoring tool, such as Splunk or ELK Stack, may trigger the detection due to similar behavior or file names.
  Filter/Exclusion: Exclude processes where the executable name contains splunk, logstash, or