Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware variant, which may be part of a targeted attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging known but dormant malware.

YARA Rule

rule EquationGroup_Toolset_Apr17_yak {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "66ff332f84690642f4e05891a15bf0c9783be2a64edb2ef2d04c9205b47deb19"
   strings:
      $x1 = "-xd = dump archive data & store in scancodes.txt" fullword ascii
      $x2 = "-------- driver start token -------" fullword wide
      $x3 = "-------- keystart token -------" fullword wide
      $x4 = "-xta = same as -xt but show special chars & store in keys_all.txt" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 800KB and 2 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate scheduled task running a maintenance script (e.g., schtasks.exe) that uses certutil to verify a certificate or update system trust store.
  Filter/Exclusion: Check for ProcessName containing schtasks.exe or certutil used in conjunction with known maintenance scripts.

• Scenario: Windows Update or Patching Process
  Description: The system is running a Windows Update or patching process that temporarily uses certutil to validate update packages.
  Filter/Exclusion: Filter by ProcessName containing wuauclt.exe or wusa.exe, or check for CommandLine containing wuauclt or wusa.

• Scenario: Admin Performing Certificate Management
  Description: An administrator is manually managing certificates using certutil to add or remove trusted root certificates.
  Filter/Exclusion: Filter by User field matching known admin accounts, or check for CommandLine containing /addstore or /delstore.

• Scenario: Third-Party Security Tool Integration
  Description: A third-party security tool (e.g., Microsoft Defender ATP, CrowdStrike) uses certutil internally for signature verification or integrity checks.
  Filter/Exclusion: Filter by ProcessName containing known security tool names or check for ParentProcess matching the security tool’s process name.

• Scenario: Legacy System Compatibility Check
  Description: A legacy system or compatibility tool uses certutil to validate digital signatures during a compatibility test or migration.
  Filter/Exclusion: Filter by ProcessName containing compatibilitytool.exe or legacytool.exe, or check for CommandLine indicating a compatibility test.