The detection identifies potential adversary use of the leaked Equation Group tool ys.auto, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated adversaries leveraging leaked malware.
YARA Rule
rule EquationGroup_ys {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15"
    strings:
        $x1 = "EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"" fullword ascii
        $x3 = "DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`" fullword ascii
        $x4 = "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME." fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains three string patterns ($x1, $x3, $x4) in its detection logic; any one of them found as a full word in a file smaller than 250KB is enough for a match.
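As an added example, not part of this page or of Florian Roth's rule set, the following Python re-implements the rule's matching logic without a yara dependency, so the condition can be checked against samples offline: each string is searched with YARA's fullword semantics (not adjacent to an alphanumeric byte), and the condition filesize < 250KB and 1 of them is evaluated over the result. The sample inputs are constructed for the demonstration, not real malware. Note that the rule's strings are POSIX shell syntax (backticks, 2>/dev/null), which is worth bearing in mind when reading the Windows-centric exclusions below.

```python
# Strings and condition copied from the EquationGroup_ys YARA rule above.
# All three are declared "fullword ascii" in the rule.
RULE_STRINGS = {
    "$x1": b'EXPLOIT_SCRIPME="$EXPLOIT_SCRIPME"',
    "$x3": b"DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`",
    "$x4": b"FATAL ERROR: -x port and -n port MUST NOT BE THE SAME.",
}
MAX_FILESIZE = 250 * 1024  # YARA's "250KB" means 250 * 1024 bytes


def _is_alnum(byte: int) -> bool:
    """ASCII alphanumeric test used for the fullword boundary check."""
    return (0x30 <= byte <= 0x39) or (0x41 <= byte <= 0x5A) or (0x61 <= byte <= 0x7A)


def find_fullword(data: bytes, needle: bytes) -> list:
    """Return offsets where needle occurs delimited by non-alphanumeric bytes
    (or by the start/end of data), which is YARA's fullword semantics."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        before_ok = pos == 0 or not _is_alnum(data[pos - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def evaluate_rule(data: bytes) -> dict:
    """Evaluate 'filesize < 250KB and 1 of them' over a byte buffer."""
    found = {name: find_fullword(data, s) for name, s in RULE_STRINGS.items()}
    matches = {name: offs for name, offs in found.items() if offs}
    size_ok = len(data) < MAX_FILESIZE
    return {"matches": matches, "size_ok": size_ok, "hit": size_ok and len(matches) >= 1}


def scan_file(path: str) -> dict:
    """Evaluate the rule against a file on disk."""
    with open(path, "rb") as fh:
        return evaluate_rule(fh.read())


# Constructed samples (not real malware): a script echoing the $x4 error text,
# the same text glued to alphanumerics so the fullword check fails, and a copy
# padded past the 250KB limit so the filesize clause fails.
SAMPLE_HIT = b'#!/bin/sh\necho "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME."\nexit 1\n'
SAMPLE_NOT_FULLWORD = b"XFATAL ERROR: -x port and -n port MUST NOT BE THE SAME.Y"
SAMPLE_TOO_LARGE = SAMPLE_HIT + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT),
                          ("not fullword", SAMPLE_NOT_FULLWORD),
                          ("too large", SAMPLE_TOO_LARGE)]:
        print(label, evaluate_rule(sample))
```

The oversized sample still reports the $x4 offset in "matches" but "hit" is false, which mirrors how a YARA condition combines string matches with the filesize clause; if you tune a copy of this rule, keep that size bound in mind when the tool is found embedded in a larger archive.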
Scenario: Legitimate scheduled job using ys.auto
Description: A system administrator schedules a maintenance task using a script named ys.auto to perform routine system checks or updates.
Filter/Exclusion: Exclude processes where the file path contains C:\Windows\System32\ys.auto or where the process is initiated by a known administrative task scheduler job.
Scenario: Microsoft Windows Update process
Description: The ys.auto file is used as part of a custom Windows Update script or tool that is deployed across the enterprise to manage patching and updates.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe or where the file path includes C:\Windows\Temp\ys.auto.
Scenario: Custom log analysis tool
Description: An internal log analysis tool named ys.auto is used to parse and analyze system logs, and it is regularly executed by the security team.
Filter/Exclusion: Exclude processes where the file path contains C:\Program Files\LogAnalysis\ys.auto or where the user is a member of the “Log Analysis” security group.
Scenario: Backup script execution
Description: A backup script named ys.auto is used to automate data backups and is run on a regular basis by the backup team.
Filter/Exclusion: Exclude processes where the file path is C:\BackupScripts\ys.auto or where the execution is scheduled via a known backup management tool.
Scenario: Third-party tool with similar naming
Description: A third-party security or management tool uses a file named ys.auto for internal operations, such as configuration management or agent communication.
Filter/Exclusion: Exclude processes where the file path contains C:\Program Files\ThirdPartyTool\ys.auto or where the process