Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1

Hunt Hypothesis

Adversaries may be using the leaked Equation Group tool ‘evolvingstrategy.1.0.1.1’ to execute sophisticated, long-term persistence within compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats and mitigate lateral movement risks.

YARA Rule

rule EquationGroup_evolvingstrategy_1_0_1 {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-08"
      hash1 = "fe70e16715992cc86bbef3e71240f55c7d73815b4247d7e866c845b970233c1b"
   strings:
      $s1 = "chown root sh; chmod 4777 sh;" fullword ascii
      $s2 = "cp /bin/sh .;chown root sh;" fullword ascii

      $l1 = "echo clean up when elevated:" fullword ascii

      $x1 = "EXE=$DIR/sbin/ey_vrupdate" fullword ascii
   condition:
      ( filesize < 4KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• Source Rule

False Positive Guidance

• Scenario: Legitimate Use of evolvingstrategy.1.0.1.1 as a Custom Script
  Description: A system administrator or developer may have created a custom script named evolvingstrategy.1.0.1.1 for internal automation or configuration management.
  Filter/Exclusion: Check the file’s creation time and source. Use a filter like:

  (file_name = evolvingstrategy.1.0.1.1) AND (file_creation_time > [last_month]) AND (process_owner = "admin_user")

• Scenario: Scheduled Job Using evolvingstrategy.1.0.1.1 for System Maintenance
  Description: A scheduled task or job may use the file evolvingstrategy.1.0.1.1 as part of a legitimate system maintenance or backup process.
  Filter/Exclusion: Filter by process name and user context:

  (process_name = "schtasks.exe") AND (file_name = evolvingstrategy.1.0.1.1) AND (user = "system_account")

• Scenario: Antivirus or Endpoint Protection Tool Using the File Name
  Description: Some security tools or endpoint protection software may use the file name evolvingstrategy.1.0.1.1 for internal purposes, such as storing configuration or logs.
  Filter/Exclusion: Check the process name and file path:

  (process_name = "mpsvc.exe") AND (file_path = "C:\Program Files\EndpointProtection\evolvingstrategy.1.0.1.1")

• Scenario: File Compression or Archive Tool Using the File Name
  Description: A file compression or archive tool (e.g., 7-Zip, Win