This hunt hypothesis targets potential adversary use of the leaked Equation Group tool wrap-telnet.sh to establish covert command and control channels over telnet, an outdated and insecure protocol. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term persistence and data exfiltration by advanced persistent threats.
YARA Rule
rule EquationGroup_wrap_telnet {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers - file wrap-telnet.sh"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "4962b307a42ba18e987d82aa61eba15491898978d0e2f0e4beb02371bf0fd5b4"
   strings:
      $s1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"" fullword ascii
      $s2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii
      $s3 = "echo \"Call back port2 = ${SPORT}\"" fullword ascii
   condition:
      ( uint16(0) == 0x2123 and filesize < 4KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
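To make the rule's condition concrete for analysts who tune it, the following added example (not part of the original page or of the rule author's work) re-implements each clause in plain Python: the uint16(0) == 0x2123 check is a little-endian read of the two leading bytes "#!", filesize < 4KB is a byte-length bound, and "fullword" requires the string to be bounded by non-alphanumeric bytes. The three sample scripts are constructed for the demonstration and are not the leaked tool.

```python
import struct

# The rule's strings as raw bytes (YARA's \" escapes are literal double quotes).
RULE_STRINGS = {
    "$s1": b'echo "example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999"',
    "$s2": b'-x [ port to start mini X server on DEFAULT = 12121 ]"',
    "$s3": b'echo "Call back port2 = ${SPORT}"',
}
MAX_SIZE = 4 * 1024  # "filesize < 4KB" in the rule's condition


def _is_word_byte(b: int) -> bool:
    # YARA's fullword modifier treats ASCII letters and digits as word characters.
    return (48 <= b <= 57) or (65 <= b <= 90) or (97 <= b <= 122)


def fullword_match(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data delimited by non-alphanumeric bytes (YARA 'fullword')."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return False
        before_ok = i == 0 or not _is_word_byte(data[i - 1])
        end = i + len(needle)
        after_ok = end == len(data) or not _is_word_byte(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1


def evaluate_rule(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition on a file's bytes and report which fired."""
    # uint16(0) reads the first two bytes little-endian; 0x2123 is b"#!" (a shebang line).
    shebang = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x2123
    size_ok = len(data) < MAX_SIZE
    hits = [name for name, s in RULE_STRINGS.items() if fullword_match(data, s)]
    match = shebang and size_ok and len(hits) >= 1  # "1 of them"
    return {"shebang": shebang, "size_ok": size_ok, "hits": hits, "match": match}


# Constructed samples (not the real tool): a shell stub carrying only the $s3 string,
# the same stub without its shebang, and the same stub padded past the 4KB bound.
SAMPLE_HIT = b'#!/bin/sh\n# constructed test sample\necho "Call back port2 = ${SPORT}"\nexit 0\n'
SAMPLE_NO_SHEBANG = SAMPLE_HIT[2:]
SAMPLE_TOO_BIG = SAMPLE_HIT + b"#" * 4096

if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("no shebang", SAMPLE_NO_SHEBANG), ("too big", SAMPLE_TOO_BIG)]:
        print(label, evaluate_rule(sample))
```

Running it shows that only the first sample matches; the other two carry the same indicator string but fail the shebang or size clause, which is exactly where a tuned exclusion or a loosened condition changes coverage.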
Scenario: Legitimate System Update or Patching Job
Description: A scheduled job runs a script named wrap-telnet.sh as part of a system update or patching process.
Filter/Exclusion: Exclude files with a known update or patching job name (e.g., update_telnet.sh), or check for the presence of "patch" or "update" in the script name.
Scenario: Admin Task to Secure Telnet Access
Description: An administrator uses wrap-telnet.sh to secure or configure Telnet access on a server, as part of a network security hardening task.
Filter/Exclusion: Exclude scripts executed by admin accounts with elevated privileges (e.g., root, admin), and check for the presence of security-related keywords such as "secure", "restrict", or "configure".
Scenario: Development or Testing Environment Use
Description: A developer or tester runs wrap-telnet.sh in a sandboxed or test environment to simulate Telnet behavior for application testing.
Filter/Exclusion: Exclude files executed in environments tagged "dev", "test", or "sandbox", or check for the presence of "test" or "simulate" in the script name.
Scenario: Legacy System Maintenance
Description: An older system uses wrap-telnet.sh to maintain Telnet-based services, as part of legacy infrastructure support.
Filter/Exclusion: Exclude files executed on systems with a specific OS version or service tag indicating legacy use (e.g., legacy_telnet, old_system).
Scenario: Automated Backup or Configuration Script
Description: A backup or configuration management script named wrap-telnet.sh is used to automate Telnet-related configurations across multiple servers.
Filter/Exclusion: Exclude scripts that are part