This hunt hypothesis targets potential adversary use of the Equation Group hack tool ys.ratload.sh (a shell script leaked by the ShadowBrokers), whose presence may indicate compromised systems or lateral movement. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate advanced persistent threats leveraging leaked exploit tools.
YARA Rule

    rule EquationGroup_ys_ratload {
        meta:
            description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh"
            author = "Florian Roth"
            reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
            date = "2017-04-08"
            hash1 = "a340e5b5cfd41076bd4d6ad89d7157eeac264db97a9dddaae15d935937f10d75"
        strings:
            $x1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"" fullword ascii
            $x2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii
            $x3 = "CALLBACK_PORT=32177" fullword ascii
        condition:
            ( uint16(0) == 0x2123 and filesize < 3KB and 1 of them )
    }
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic, any one of which is sufficient to fire provided the file starts with a "#!" shebang (uint16(0) == 0x2123, the two bytes '#' 0x23 and '!' 0x21 read little-endian) and is smaller than 3 KB.
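To make the condition concrete, the following added example (not part of the original page or of the rule author's tooling) re-implements the rule's logic in plain Python so it can be stepped through without a YARA engine: the little-endian uint16 shebang check, the filesize bound, YARA's "fullword" semantics (no alphanumeric byte immediately before or after the match), and the "1 of them" quantifier. The sample byte strings are constructed for this example and are not content of the real tool.

```python
import re
import struct

# The three strings from the rule, as the literal bytes they match.
# In $x1 and $x2 the rule's \" escapes are plain double quotes in the file.
RULE_STRINGS = {
    "$x1": b'echo "example: ${0} -l 192.168.1.1 -p 22222 -x 9999"',
    "$x2": b'-x [ port to start mini X server on DEFAULT = 12121 ]"',
    "$x3": b"CALLBACK_PORT=32177",
}
MAX_SIZE = 3 * 1024          # "filesize < 3KB" (YARA's KB is 1024 bytes)
SHEBANG_LE = 0x2123          # b"#!" read as a little-endian uint16


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword' modifier: the needle must not be directly
    preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes):
    """Apply the rule's condition to a file's bytes.
    Returns (matched, list_of_string_ids_that_hit)."""
    # uint16(0): two bytes at offset 0, little-endian.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != SHEBANG_LE:
        return False, []
    if len(data) >= MAX_SIZE:
        return False, []
    hits = [sid for sid, s in RULE_STRINGS.items() if fullword_match(data, s)]
    return len(hits) >= 1, hits          # "1 of them"


# Constructed test inputs (not real samples).
SAMPLE_HIT = b"#!/bin/bash\n# constructed test file\nCALLBACK_PORT=32177\n"
SAMPLE_X1 = b'#!/bin/sh\necho "example: ${0} -l 192.168.1.1 -p 22222 -x 9999"\n'
SAMPLE_NO_SHEBANG = b"CALLBACK_PORT=32177\n"            # fails uint16(0)
SAMPLE_NOT_FULLWORD = b"#!/bin/bash\nCALLBACK_PORT=321770\n"  # trailing digit
SAMPLE_TOO_BIG = b"#!/bin/bash\n" + b"#" * 4000 + b"\nCALLBACK_PORT=32177\n"

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("x1", SAMPLE_X1),
                       ("no_shebang", SAMPLE_NO_SHEBANG),
                       ("not_fullword", SAMPLE_NOT_FULLWORD),
                       ("too_big", SAMPLE_TOO_BIG)]:
        print(name, matches_rule(blob))
```

The SAMPLE_NOT_FULLWORD case is the one worth noting when tuning: because "CALLBACK_PORT=32177" carries the fullword modifier, a file containing "CALLBACK_PORT=321770" does not fire, so appending or prepending alphanumerics to a string is enough to slip past that one pattern; the rule compensates by requiring only one of three strings.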
Scenario: Legitimate Use of ys.ratload.sh as Part of a Scheduled Job for System Maintenance
Description: A system administrator schedules ys.ratload.sh as part of a routine maintenance script to load a legitimate monitoring tool.
Filter/Exclusion: Check for presence of known legitimate tools (e.g., nagios, zabbix, telegraf) in the script or parent process chain. Exclude processes with cron or systemd as parent.

Scenario: Use of ys.ratload.sh by a Third-Party Software Installer
Description: A third-party application (e.g., a network monitoring tool) includes ys.ratload.sh as part of its installation or update process.
Filter/Exclusion: Exclude processes where the script is located in a known vendor directory (e.g., /opt/monitoring_tools/, /usr/local/bin/) or where the parent process is a known installer (e.g., dpkg, apt, rpm).

Scenario: Admin Task to Load a Custom Script for Data Collection
Description: A system admin uses ys.ratload.sh to load a custom script for data collection or log aggregation.
Filter/Exclusion: Exclude processes where the script is owned by a trusted admin user (e.g., root, sysadmin) and is located in a known admin directory (e.g., /root/scripts/, /home/sysadmin/).

Scenario: Use of ys.ratload.sh in a CI/CD Pipeline for Deployment
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses ys.ratload.sh to deploy a legitimate application or configuration.
Filter/Exclusion: Exclude processes where the script is executed in a
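The three complete exclusion scenarios above can be expressed as a triage pass over process-execution hits. The following is an added example (not part of the original page and not a Sentinel or Defender schema): the event field names are assumptions chosen for illustration, the events are constructed, and the first scenario is applied as a conjunction (scheduler parent AND a known tool on the command line), which is the more conservative reading of its two sentences.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    # Hypothetical field names for this example only.
    script_path: str      # full path of the executed script
    parent_process: str   # image name of the parent process
    owner: str            # user that owns the script file
    cmdline: str          # full command line of the process


# Allowlists drawn from the scenarios' Filter/Exclusion text.
KNOWN_TOOLS = ("nagios", "zabbix", "telegraf")
SCHEDULER_PARENTS = {"cron", "systemd"}
INSTALLER_PARENTS = {"dpkg", "apt", "rpm"}
VENDOR_DIRS = ("/opt/monitoring_tools/", "/usr/local/bin/")
TRUSTED_ADMINS = {"root", "sysadmin"}
ADMIN_DIRS = ("/root/scripts/", "/home/sysadmin/")


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the scenario whose exclusion suppresses this hit, or None
    when the hit should be escalated to an analyst."""
    # Scenario 1: scheduled maintenance launching a known monitoring tool.
    if ev.parent_process in SCHEDULER_PARENTS and any(
            tool in ev.cmdline for tool in KNOWN_TOOLS):
        return "scheduled-maintenance"
    # Scenario 2: vendor directory OR package-installer parent.
    if ev.script_path.startswith(VENDOR_DIRS) or ev.parent_process in INSTALLER_PARENTS:
        return "third-party-installer"
    # Scenario 3: trusted admin owner AND known admin directory (both required).
    if ev.owner in TRUSTED_ADMINS and ev.script_path.startswith(ADMIN_DIRS):
        return "admin-task"
    return None


def triage(events: List[ProcessEvent]) -> Tuple[list, list]:
    """Split hits into (suppressed, escalate); each entry is (event, reason)."""
    suppressed, escalate = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        (suppressed if reason else escalate).append((ev, reason))
    return suppressed, escalate


# Constructed events covering each scenario plus two that must escalate.
SAMPLE_EVENTS = [
    ProcessEvent("/opt/monitoring_tools/ys.ratload.sh", "dpkg", "root",
                 "/opt/monitoring_tools/ys.ratload.sh"),
    ProcessEvent("/usr/lib/maint/ys.ratload.sh", "cron", "root",
                 "/usr/lib/maint/ys.ratload.sh --load telegraf"),
    ProcessEvent("/home/sysadmin/ys.ratload.sh", "bash", "sysadmin",
                 "/home/sysadmin/ys.ratload.sh"),
    # Admin directory but untrusted owner: scenario 3 needs both, so escalate.
    ProcessEvent("/home/sysadmin/ys.ratload.sh", "bash", "www-data",
                 "/home/sysadmin/ys.ratload.sh"),
    # World-writable temp path, interactive shell parent, service account.
    ProcessEvent("/tmp/ys.ratload.sh", "bash", "www-data", "/tmp/ys.ratload.sh"),
]

if __name__ == "__main__":
    suppressed, escalate = triage(SAMPLE_EVENTS)
    for ev, reason in suppressed:
        print("suppress", reason, ev.script_path)
    for ev, _ in escalate:
        print("ESCALATE", ev.owner, ev.parent_process, ev.script_path)
```

Keeping the YARA file match and the process-context exclusions as separate stages means the raw file hit is still recorded when a hit is suppressed, so a later review can revisit the allowlists; note that the scenario 2 exclusion on /usr/local/bin/ and the scenario 1 exclusion on a cron parent are broad, so both are worth re-validating against a baseline of the environment before being relied upon.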