This detection identifies the presence or potential use of the Equation Group hack tool ‘ewok’ (leaked by the ShadowBrokers), which may indicate that an adversary is reusing leaked advanced persistent threat capabilities. SOC teams should proactively hunt for this file and its execution in Azure Sentinel to identify and mitigate early-stage compromise by sophisticated, state-sponsored actors.
YARA Rule
rule EquationGroup_ewok {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ewok"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "567da502d7709b7814ede9c7954ccc13d67fc573f3011db04cf212f8e8a95d72"
    strings:
        $x1 = "Example: ewok -t target public" fullword ascii
        $x2 = "Usage: cleaner host community fake_prog" fullword ascii
        $x3 = "-g - Subset of -m that Green Spirit hits " fullword ascii
        $x4 = "--- ewok version" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 80KB and 1 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
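To make the rule's condition concrete, the following added example (not part of the original page and not Florian Roth's code) re-implements its logic in plain Python: the `uint16(0) == 0x457f` check is a little-endian read of the first two bytes, so it only passes for files starting with the ELF magic `\x7fE`; `80KB` is 80 * 1024 bytes; and `fullword` requires that the matched string is not glued to an alphanumeric character on either side. The sample byte buffers are constructed here and are not real malware.

```python
import re
import struct

# Copies of the four $x strings from the EquationGroup_ewok rule.
EWOK_STRINGS = [
    b"Example: ewok -t target public",
    b"Usage: cleaner host community fake_prog",
    b"-g - Subset of -m that Green Spirit hits ",
    b"--- ewok version",
]
MAX_SIZE = 80 * 1024  # YARA's "80KB" is 80 * 1024 bytes


def is_elf(data: bytes) -> bool:
    """uint16(0) == 0x457f: YARA reads an unsigned little-endian 16-bit value at
    offset 0, so bytes 0x7f 0x45 are required, i.e. the start of the ELF magic."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x457F


def fullword_match(pattern: bytes, data: bytes) -> bool:
    """YARA 'fullword': the match may not be immediately preceded or followed by
    an alphanumeric byte. Note that $x3 ends in a space, so the byte *after*
    that space is what must be non-alphanumeric."""
    regex = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return regex.search(data) is not None


def matches_ewok_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and report which $x strings hit (1-based)."""
    hits = [i for i, s in enumerate(EWOK_STRINGS, start=1) if fullword_match(s, data)]
    verdict = is_elf(data) and len(data) < MAX_SIZE and len(hits) >= 1
    return {"match": verdict, "hits": hits}


# Constructed test buffers: an ELF-looking header followed by a usage string.
ELF_MAGIC = b"\x7fELF"


def make_sample(payload: bytes, size: int = 4096) -> bytes:
    body = ELF_MAGIC + b"\x00" * 60 + payload
    return body.ljust(size, b"\x00")


SAMPLE_HIT = make_sample(b"\n--- ewok version 1.0\n")
SAMPLE_NOT_ELF = b"MZ" + SAMPLE_HIT[2:]                # PE-style header fails the uint16 check
SAMPLE_TOO_BIG = make_sample(b"--- ewok version", size=MAX_SIZE)  # exactly 80KB is not < 80KB
SAMPLE_NOT_FULLWORD = make_sample(b"X--- ewok versionY")  # string glued to alphanumerics

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("not_elf", SAMPLE_NOT_ELF),
                       ("too_big", SAMPLE_TOO_BIG), ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        print(name, matches_ewok_rule(blob))
```

Running the script shows that only the first buffer matches; the other three each fail exactly one of the three conjuncts (magic, size, string), which is a useful way to reason about where a real sample would be missed, for example an ewok binary padded beyond 80KB.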
Scenario: Legitimate Use of ewok Tool for Network Enumeration
Description: A security team member uses the ewok tool (part of the Equation Group toolkit) to perform network discovery or vulnerability assessment in a controlled environment.
Filter/Exclusion: process.name: ewok AND user.name: security_team_user

Scenario: Scheduled Job Running ewok for System Integrity Checks
Description: A scheduled job, such as a system health check or compliance scan, runs the ewok tool to verify system integrity or detect anomalies.
Filter/Exclusion: process.name: ewok AND event.type: scheduled_job

Scenario: Admin Task Involving ewok for Debugging or Forensics
Description: A system administrator uses ewok to debug a network issue or perform forensic analysis on a compromised system.
Filter/Exclusion: process.name: ewok AND user.rights: admin

Scenario: False Positive from Malware Analysis Lab Environment
Description: The ewok tool is executed in a malware analysis sandbox or lab environment to study its behavior.
Filter/Exclusion: process.name: ewok AND host.name: analysis_lab_*

Scenario: Legitimate File Access by ewok During Patch Deployment
Description: The ewok tool is used during a patch deployment to access or modify system files as part of an update process.
Filter/Exclusion: process.name: ewok AND event.type: patch_deployment
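The exclusions above are written in a simple `field: value AND field: value` form with a trailing `*` wildcard on `host.name`. The following added example (not part of the original page) implements a small evaluator for that form and applies two of the page's filters to constructed alert events, so that the effect of each exclusion can be checked before it is deployed. The event field names, the `EXCLUSIONS` dictionary and the events themselves are assumptions made for the example.

```python
import fnmatch
from typing import Dict, List, Optional, Tuple

# Two of the page's exclusions, keyed by a short name (names are assumptions).
EXCLUSIONS: Dict[str, str] = {
    "lab": "process.name: ewok AND host.name: analysis_lab_*",
    "scheduled": "process.name: ewok AND event.type: scheduled_job",
}


def parse_filter(expr: str) -> List[Tuple[str, str]]:
    """Split 'a: x AND b: y' into [('a', 'x'), ('b', 'y')].
    Only AND is supported, which is all the page's filters use."""
    clauses = []
    for part in expr.split(" AND "):
        field, _, value = part.partition(":")
        clauses.append((field.strip(), value.strip()))
    return clauses


def clause_matches(event: dict, field: str, value: str) -> bool:
    """A clause matches when the event has the field and its value matches the
    pattern; fnmatchcase gives the analysis_lab_* wildcard its meaning."""
    actual = event.get(field)
    if actual is None:
        return False
    return fnmatch.fnmatchcase(str(actual), value)


def is_excluded(event: dict, exclusions: Dict[str, str] = EXCLUSIONS) -> Optional[str]:
    """Return the name of the first exclusion whose every clause matches, else None."""
    for name, expr in exclusions.items():
        if all(clause_matches(event, f, v) for f, v in parse_filter(expr)):
            return name
    return None


def triage(events: List[dict], exclusions: Dict[str, str] = EXCLUSIONS) -> List[dict]:
    """Return only the alerts that still need an analyst after exclusions apply."""
    return [e for e in events if is_excluded(e, exclusions) is None]


# Constructed alert events using flat ECS-style field names.
EVENTS = [
    {"id": 1, "process.name": "ewok", "host.name": "analysis_lab_07", "event.type": "start"},
    {"id": 2, "process.name": "ewok", "host.name": "fileserver-01", "event.type": "start"},
    {"id": 3, "process.name": "ewok", "host.name": "analysis_lab_07", "event.type": "scheduled_job"},
    {"id": 4, "process.name": "ewok", "host.name": "db-02", "event.type": "scheduled_job"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], e["host.name"], "->", is_excluded(e) or "ALERT")
    print("remaining:", [e["id"] for e in triage(EVENTS)])
```

Running it shows only event 2 surviving triage. Event 4 is worth noticing: the `event.type: scheduled_job` exclusion carries no host or user scope, so it silences an ewok execution on a database server just as readily as on a lab box. Evaluating each filter against a handful of representative events like this, before it goes into the SIEM, makes that kind of over-broad suppression visible.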