This rule matches the Linux x86_64 "watcher" binary (version 3.3.0) from the Equation Group tool set published in the Shadow Brokers "Don't Forget Your Base" leak (see the reference in the rule's meta). Equation Group tooling is associated with advanced persistent threat activity, so a hit on a production host is a strong indicator of a sophisticated, possibly long-standing compromise rather than commodity malware. Because this is a YARA rule, it runs over file content (endpoint YARA scanners, sandbox and forensic triage, memory dumps), not over SIEM events; SOC teams should schedule scans of Linux hosts with YARA-capable tooling and forward the matches to their SIEM (for example Microsoft Sentinel, formerly Azure Sentinel) to correlate with other signs of the intrusion that signature-based antivirus may have missed.
YARA Rule
rule EquationGroup_watcher_linux_x86_64_v_3_3_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "a8d65593f6296d6d06230bcede53b9152842f1eee56a2a72b0a88c4f463a09c3"
   strings:
      $s1 = "forceprismheader" fullword ascii
      $s2 = "invalid option `" fullword ascii
      $s3 = "forceprism" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 900KB and all of them )
}
The rule is a file-content signature with three parts: uint16(0) == 0x457f requires the ELF magic at offset 0 ("\x7fELF" read as a little-endian 16-bit integer), filesize < 900KB bounds the scan to small binaries, and all of them requires every one of the 3 string patterns to be present. Each string is marked fullword, so it only counts when it is not immediately preceded or followed by an alphanumeric character; in particular $s3 ("forceprism") is not satisfied by the "forceprism" prefix inside $s1 ("forceprismheader"). Any tool that evaluates YARA rules against files or memory can run it: endpoint YARA scanners, sandbox and mail-gateway file scanning, forensic image triage.
The rule inspects file bytes, not process behaviour or command lines, and its first condition is the ELF magic, so Windows executables and scripts (schtasks.exe, netsh.exe, gpupdate.exe, msiexec.exe, PowerShell monitoring scripts, antivirus scanners) cannot trigger it. The realistic sources of unwanted matches are the ones below.
Scenario: Malware sample repository or analyst workstation
Description: Systems that intentionally store the leaked tool set (malware zoos, sandbox artifact stores, threat-intel shares, analyst machines) will match on the original sample; hash1 in the rule's meta is the SHA-256 of that file.
Filter/Exclusion: Exclude the known sample storage paths, or allowlist the SHA-256 hashes of samples the team has catalogued, and keep alerting on matches anywhere else.
Scenario: Forensic images and backups
Description: Disk images, backups and archive extractions taken from a previously compromised host can carry the binary long after the incident and re-trigger the rule during later scans.
Filter/Exclusion: Tag matches originating from evidence stores and backup repositories as known, and verify that the same file is not also present on the live host.
Scenario: Unrelated Linux binary containing the same strings
Description: "invalid option `" is a generic option-parsing error message that can appear in other command-line programs, so $s2 alone carries little signal; the discriminating strings are "forceprism" and "forceprismheader". Because the condition requires all three strings, with fullword matching, in an ELF file under 900 KB, an unrelated binary matching by chance is very unlikely.
Filter/Exclusion: Do not exclude on $s2; treat any match as a true positive until the file has been retrieved and its strings and hash reviewed.
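To make the rule's logic and the hash-based exclusion concrete, here is an added Python example. It is not part of this page and not Florian Roth's code: it re-implements the rule's three checks (ELF magic, size bound, fullword strings) without the yara library, runs them over constructed byte strings that stand in for real files, and applies a known-sample hash allowlist at triage. The sample bytes, the 64-byte fake ELF header and the allowlist contents are constructed for illustration.

```python
import hashlib
import os
import re
import struct

# The three strings from the rule. YARA "fullword" means the string must not be
# immediately preceded or followed by an alphanumeric character.
RULE_STRINGS = {
    "s1": b"forceprismheader",
    "s2": b"invalid option `",
    "s3": b"forceprism",
}
MAX_SIZE = 900 * 1024   # the rule's "filesize < 900KB"
ELF_MAGIC_U16 = 0x457F  # uint16(0) of b"\x7fELF" read little-endian


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate a YARA ascii fullword string match."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: ELF magic, size bound, all strings present."""
    if len(data) < 2:
        return False
    if struct.unpack_from("<H", data, 0)[0] != ELF_MAGIC_U16:
        return False  # not an ELF file (e.g. a Windows PE starting with "MZ")
    if len(data) >= MAX_SIZE:
        return False
    return all(fullword_match(data, s) for s in RULE_STRINGS.values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hashes of files expected to be present (e.g. a catalogued malware zoo).
# hash1 from the rule's meta is included purely as an illustration.
KNOWN_SAMPLE_HASHES = {
    "a8d65593f6296d6d06230bcede53b9152842f1eee56a2a72b0a88c4f463a09c3",
}


def triage(path: str, data: bytes, allowlist=KNOWN_SAMPLE_HASHES) -> str:
    """Classify a file: no match, known (allowlisted) sample, or needs investigation."""
    if not rule_matches(data):
        return "no match"
    digest = sha256_hex(data)
    if digest in allowlist:
        return "match: known sample (allowlisted)"
    return f"match: investigate {path} sha256={digest}"


def scan_tree(root: str, allowlist=KNOWN_SAMPLE_HASHES):
    """Walk a directory and yield (path, verdict) for every file that matches."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) >= MAX_SIZE:
                    continue  # cheap pre-filter mirroring the filesize condition
                with open(path, "rb") as fh:
                    verdict = triage(path, fh.read(), allowlist)
            except OSError:
                continue
            if verdict != "no match":
                yield path, verdict


# Constructed samples (not real files): a minimal ELF64-looking prefix plus payload.
def fake_elf(payload: bytes) -> bytes:
    return b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 57 + payload


# All three strings, each delimited by non-alphanumeric bytes: should match.
SAMPLE_HIT = fake_elf(b"\x00usage: forceprism [opts]\x00forceprismheader\x00invalid option `\x00")
# Same strings but a PE ("MZ") header: the uint16(0) check fails.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"\x00forceprism\x00forceprismheader\x00invalid option `\x00"
# "forceprism" only occurs as the prefix of "forceprismheader", so $s3 fullword fails.
SAMPLE_NO_FULLWORD = fake_elf(b"\x00forceprismheader\x00invalid option `\x00")
# Everything present but the file is padded past the 900KB bound.
SAMPLE_TOO_BIG = fake_elf(b"\x00forceprism\x00forceprismheader\x00invalid option `\x00" + b"\x00" * MAX_SIZE)

if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("pe", SAMPLE_PE),
                          ("no_fullword", SAMPLE_NO_FULLWORD), ("too_big", SAMPLE_TOO_BIG)]:
        print(label, "->", triage(label, sample))
```

The regex lookarounds are what give $s3 its fullword behaviour: the "forceprism" embedded in "forceprismheader" is rejected because it is followed by the letter h, which is exactly why the rule needs both $s1 and $s3 rather than one being implied by the other. For production scanning use the real yara CLI or yara-python; this emulation exists only to show what each condition contributes and where a hash allowlist belongs in the triage flow.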