The Equation Group hack tool set is likely used by advanced adversaries to establish persistent access and exfiltrate data within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate data loss risks.
YARA Rule
rule EquationGroup_x86_linux_exactchange {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        super_rule = 1
        hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
        hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
    strings:
        $x1 = "kernel has 4G/4G split, not exploitable" fullword ascii
        $x2 = "[+] kernel stack size is %d" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 1000KB and 1 of them )
}
This rule contains 2 string patterns ($x1 and $x2) in its detection logic; a file matches when it starts with the ELF magic (uint16(0) == 0x457f), is smaller than 1000KB, and contains at least one of them. The scenarios below describe contexts in which the rule may fire, with possible filters or exclusions for each:
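As an added illustration, not part of the original page or of the signature-base project the rule comes from, the following Python re-implements the rule's condition on a byte buffer without a YARA engine: the little-endian uint16(0) check for the ELF magic, YARA's 1000KB size bound (1000 * 1024 bytes), and fullword semantics for the two strings. The sample buffers are constructed for the demonstration and are not real binaries.

```python
from __future__ import annotations
import re

# Constants taken from the rule above
ELF_MAGIC_LE = 0x457F        # uint16(0) read little-endian: bytes 7f 45 = start of "\x7fELF"
MAX_FILESIZE = 1000 * 1024   # YARA's "1000KB" means 1000 * 1024 bytes
STRINGS = {
    "$x1": b"kernel has 4G/4G split, not exploitable",
    "$x2": b"[+] kernel stack size is %d",
}

def uint16(data: bytes, offset: int = 0) -> int | None:
    """Little-endian 16-bit read, like YARA's uint16(); None if out of range."""
    if len(data) < offset + 2:
        return None
    return data[offset] | (data[offset + 1] << 8)

def fullword_matches(data: bytes, pattern: bytes) -> list[int]:
    """Offsets where pattern occurs and is not bordered by alphanumeric bytes
    on either side, which is what YARA's 'fullword' modifier requires."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return [m.start() for m in rx.finditer(data)]

def evaluate_rule(data: bytes) -> dict:
    """Evaluate the condition of EquationGroup_x86_linux_exactchange on a buffer."""
    hits = {name: fullword_matches(data, s) for name, s in STRINGS.items()}
    matched = [name for name, offsets in hits.items() if offsets]
    result = {
        "is_elf": uint16(data, 0) == ELF_MAGIC_LE,
        "size_ok": len(data) < MAX_FILESIZE,
        "strings": matched,          # which of $x1/$x2 were found
    }
    # "1 of them": at least one of the defined strings must match
    result["match"] = result["is_elf"] and result["size_ok"] and len(matched) >= 1
    return result

# Constructed samples (not real files): an ELF-like header carrying one rule string,
# a PE-like buffer with the same string (rule must ignore it: wrong magic), and an
# ELF-like buffer where the string is glued to alphanumerics (fullword must reject it).
ELF_LIKE = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"[+] kernel stack size is %d\x00"
PE_LIKE = b"MZ" + b"\x00" * 14 + b"[+] kernel stack size is %d\x00"
ELF_NO_FULLWORD = b"\x7fELF" + b"x[+] kernel stack size is %dY"

if __name__ == "__main__":
    for label, buf in [("ELF_LIKE", ELF_LIKE), ("PE_LIKE", PE_LIKE),
                       ("ELF_NO_FULLWORD", ELF_NO_FULLWORD)]:
        print(label, evaluate_rule(buf))
```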
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance job that uses the Equation Group tool (e.g., eqgrp.exe) to clean up temporary files or perform disk defragmentation.
Filter/Exclusion: Check for process.parent_process containing “Task Scheduler” or “schtasks.exe”, and filter by process.command_line containing “clean” or “defrag”.
Scenario: Security Tool or Antivirus Scan
Description: A third-party security tool or antivirus software (e.g., Bitdefender, Kaspersky) includes a module named after the Equation Group tool for internal analysis or signature generation.
Filter/Exclusion: Filter by process.image containing known security tool names or check for process.parent_process related to antivirus services (e.g., mbam.exe, avgnt.exe).
Scenario: Internal Red Team Exercise
Description: A red team member is using a tool named after the Equation Group (e.g., eqgrp.exe) during a controlled penetration test to simulate attack vectors.
Filter/Exclusion: Check for process.user matching the red team user or filter by process.command_line containing “simulate” or “test”.
Scenario: Legitimate Software Update or Patch Deployment
Description: A legitimate software update or patch deployment process (e.g., Microsoft Update, SCCM) includes a script or tool named after the Equation Group for internal use.
Filter/Exclusion: Filter by process.parent_process containing “Windows Update” or “ccmexec.exe”, and check for process.command_line containing “update” or “patch”.
Scenario: Scheduled Job for Log Analysis or Compliance
Description: A scheduled job runs a script or tool named after the Equation Group to