The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-standing threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_yak_min_install {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "f67214083d60f90ffd16b89a0ce921c98185b2032874174691b720514b1fe99e"
    strings:
        $s1 = "driver start" fullword ascii
        $s2 = "DeviceIoControl Error: %d" fullword ascii
        $s3 = "Phlook" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
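To show exactly what the rule's condition checks (MZ header, size bound, and the three `fullword ascii` strings), here is an added Python re-implementation of its logic that is not part of the original rule or of Florian Roth's signature set; the two byte buffers are constructed samples, not real malware, and `fullword` is emulated by requiring no alphanumeric byte on either side of the string, which is the semantics YARA documents for that modifier.

```python
import re

# Constants mirroring rule EquationGroup_Toolset_Apr17_yak_min_install
MAX_SIZE = 300 * 1024  # YARA's "300KB" uses a 1024-byte kilobyte
STRINGS = {
    "$s1": b"driver start",
    "$s2": b"DeviceIoControl Error: %d",
    "$s3": b"Phlook",
}


def fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'fullword ascii': the needle must not be preceded or
    followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes) -> dict:
    """Evaluate the rule's condition on an in-memory file image and return
    every clause separately so an analyst can see which one failed."""
    result = {
        # uint16(0) == 0x5a4d reads the first two bytes little-endian: "MZ"
        "mz_header": data[:2] == b"MZ",
        "size_ok": len(data) < MAX_SIZE,
        "strings": {name: fullword_present(data, s) for name, s in STRINGS.items()},
    }
    result["match"] = (
        result["mz_header"] and result["size_ok"] and all(result["strings"].values())
    )
    return result


# Constructed sample (not a real file): MZ header, padding, the three strings.
SAMPLE_HIT = (
    b"MZ" + b"\x90" * 62
    + b"\x00driver start\x00DeviceIoControl Error: %d\x00Phlook\x00"
)
# Constructed near-miss: "Phlook" sits inside a longer identifier, so the
# fullword modifier rejects it and the rule must not fire.
SAMPLE_MISS = (
    b"MZ" + b"\x90" * 62
    + b"\x00driver start\x00DeviceIoControl Error: %d\x00xPhlookY\x00"
)

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, matches_rule(blob))
```

Feeding a file's bytes to `matches_rule` is useful for explaining a hit or miss from the real rule during triage, not as a replacement for running YARA itself.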
Scenario: Legitimate system update or patching activity using msiexec.exe
Filter/Exclusion: Check for msiexec.exe with arguments containing /i or /patch and ensure the file path is within a known enterprise update directory (e.g., C:\Windows\Temp\ or C:\Program Files\Microsoft\Windows\Update\).
Scenario: Scheduled backup job using vssadmin.exe to create volume shadow copies
Filter/Exclusion: Filter out vssadmin.exe processes with the CreateShadowCopy action and ensure the operation is initiated by a known backup service account or scheduled task.
Scenario: Administrative task using reg.exe to modify registry settings during a routine configuration change
Filter/Exclusion: Exclude reg.exe processes that modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run if the change is part of a documented configuration update.
Scenario: Legitimate use of certutil.exe to import or export certificates during certificate management
Filter/Exclusion: Exclude certutil.exe processes that operate on certificate stores (-addstore or -export commands) and are initiated by a trusted certificate management tool or service account.
Scenario: PowerShell script execution using powershell.exe for routine system monitoring or log analysis
Filter/Exclusion: Exclude powershell.exe processes that run scripts from known enterprise monitoring tools (e.g., C:\Program Files\Microsoft Monitoring Agent\) or are initiated by a trusted user or service account.