This hunt hypothesis covers potential adversary use of the Equation Group hack tool xspy, whose presence may indicate compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging the leaked tooling.
YARA Rule
rule EquationGroup_xspy {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file xspy"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "841e065c9c340a1e522b281a39753af8b6a3db5d9e7d8f3d69e02fdbd662f4cf"
    strings:
        $s1 = "USAGE: xspy -display <display> -delay <usecs> -up" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 60KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
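To make the rule's condition concrete, here is an added Python example (not part of the original page and not YARA's own engine) that re-implements the three checks in pure Python: `uint16(0) == 0x457f` is a little-endian read of the first two bytes, which equals the ELF magic `\x7fE`; `filesize < 60KB` uses YARA's 1024-byte KB; and `fullword ascii` requires the string not to be glued to alphanumeric characters. The sample blobs are constructed inline and are not real binaries.

```python
import re
import struct

# Detection logic taken from the page's EquationGroup_xspy rule.
XSPY_USAGE = b"USAGE: xspy -display <display> -delay <usecs> -up"
MAX_SIZE = 60 * 1024  # YARA's "60KB" means 60 * 1024 bytes


def uint16_le(data: bytes, offset: int = 0) -> int:
    """YARA's uint16(offset): unsigned 16-bit little-endian read."""
    return struct.unpack_from("<H", data, offset)[0]


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': hit only if not preceded/followed by [A-Za-z0-9]."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_equationgroup_xspy(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x457f and filesize < 60KB and all of them."""
    if len(data) < 2 or len(data) >= MAX_SIZE:
        return False
    # Bytes 7f 45 read little-endian give 0x457f: the ELF header magic "\x7fE".
    if uint16_le(data, 0) != 0x457F:
        return False
    # "all of them" with a single string reduces to that string matching.
    return fullword_ascii(data, XSPY_USAGE)


# Constructed test blobs (not real files): header bytes plus padding and the usage string.
ELF_MAGIC = b"\x7fELF"
SAMPLE_HIT = ELF_MAGIC + b"\x00" * 64 + XSPY_USAGE + b"\x00"
SAMPLE_PE = b"MZ" + b"\x00" * 64 + XSPY_USAGE + b"\x00"        # Windows header: no hit
SAMPLE_NOT_FULLWORD = ELF_MAGIC + b"x" + XSPY_USAGE + b"2"     # glued to alphanumerics
SAMPLE_TOO_BIG = ELF_MAGIC + b"\x00" * MAX_SIZE + XSPY_USAGE   # over the size limit

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("pe", SAMPLE_PE),
                       ("not_fullword", SAMPLE_NOT_FULLWORD), ("too_big", SAMPLE_TOO_BIG)]:
        print(f"{name}: {matches_equationgroup_xspy(blob)}")
```

Because the magic check pins the rule to ELF files, a hit cannot come from a Windows PE named xspy.exe; the exclusion scenarios below therefore apply to process-name hunting rather than to this YARA rule itself.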
Scenario: Legitimate scheduled backup job using xspy.exe
Description: A scheduled task runs a legitimate backup tool named xspy.exe as part of a standard backup process.
Filter/Exclusion: Check for CommandLine containing "backup" or "restore", or filter by ProcessName matching known backup tools.

Scenario: Admin using xspy.exe for network discovery
Description: A system administrator uses a tool named xspy.exe (a legitimate network discovery tool) to gather internal network information.
Filter/Exclusion: Filter by the User field to include only admin accounts, or check for ProcessDescription containing "network discovery".

Scenario: Malicious file with the same name as a legitimate tool
Description: An attacker uploads a malicious file named xspy.exe that mimics a legitimate tool used by the organization.
Filter/Exclusion: Use file integrity monitoring (FIM) checks or hash comparisons against known-good hashes of xspy.exe.

Scenario: Legitimate system diagnostic tool named xspy.exe
Description: A system diagnostic or monitoring tool named xspy.exe is used by IT to monitor system performance.
Filter/Exclusion: Filter by ProcessName or FileVersion to match known diagnostic tools, or check that ParentProcess is a trusted system process.

Scenario: Scheduled job for log analysis using xspy.exe
Description: A scheduled job runs xspy.exe to analyze system logs as part of a security monitoring process.
Filter/Exclusion: Check for CommandLine containing "log analysis" or "log parsing", or filter by ProcessDescription indicating log analysis.