The detection hypothesis is that this rule identifies potential adversary use of the EQGRP firewall toolset (the BananaUsurper-2120 and writeJetPlow-2130 files named in the rule) to establish covert network communication through suspicious file execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage persistent threats that rely on custom tooling.
YARA Rule
rule EQGRP_BananaUsurper_writeJetPlow
{
    meta:
        description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
        hash2 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
    strings:
        $x1 = "Implant Version-Specific Values:" fullword ascii
        $x2 = "This function should not be used with a Netscreen, something has gone horribly wrong" fullword ascii
        $s1 = "createSendRecv: recv'd an error from the target." fullword ascii
        $s2 = "Error: WatchDogTimeout read returned %d instead of 4" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 2000KB and 1 of ($x*) ) or ( 3 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains four string patterns in its detection logic: two high-confidence strings ($x1, $x2), any one of which is sufficient on an ELF file (uint16(0) == 0x457f) smaller than 2000KB, and two supporting strings ($s1, $s2); without the ELF and size check, at least three of the four strings must be present.
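As an added example (not part of the original rule or this page), the rule's condition re-implemented in plain Python over constructed byte buffers, so the ELF-magic check, the filesize bound and the fullword semantics can be exercised without yara-python. YARA's KB suffix means 1024 bytes and uint16(0) is read little-endian, so "\x7fELF" yields 0x457f.

```python
import re
import struct

# The four strings from the rule. "fullword" in YARA means the match must not be
# directly preceded or followed by an alphanumeric character.
X_STRINGS = [
    b"Implant Version-Specific Values:",
    b"This function should not be used with a Netscreen, something has gone horribly wrong",
]
S_STRINGS = [
    b"createSendRecv: recv'd an error from the target.",
    b"Error: WatchDogTimeout read returned %d instead of 4",
]

def fullword_match(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no [A-Za-z0-9] on either side."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None

def evaluate_rule(data: bytes) -> bool:
    """Mirror of the rule's condition:
    ( uint16(0) == 0x457f and filesize < 2000KB and 1 of ($x*) ) or ( 3 of them )"""
    is_elf = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x457F
    small_enough = len(data) < 2000 * 1024          # YARA KB = 1024 bytes
    x_hits = sum(fullword_match(data, s) for s in X_STRINGS)
    s_hits = sum(fullword_match(data, s) for s in S_STRINGS)
    return (is_elf and small_enough and x_hits >= 1) or (x_hits + s_hits >= 3)

# Constructed sample buffers (not real files) covering each branch of the condition.
SAMPLES = {
    # ELF magic, small, one $x string: matches via the first clause
    "elf_one_x": b"\x7fELF" + b"\x00" * 60 + X_STRINGS[0] + b"\x00",
    # not ELF, but three of the four strings: matches via "3 of them"
    "non_elf_three": b"PK\x03\x04" + b"\x00".join([X_STRINGS[0], S_STRINGS[0], S_STRINGS[1]]),
    # not ELF and only one supporting string: no match
    "non_elf_one_s": b"MZ" + b"\x00" * 8 + S_STRINGS[0],
    # ELF, but $x1 is glued to a preceding letter, so fullword does not match
    "elf_not_fullword": b"\x7fELF" + b"\x00" * 60 + b"x" + X_STRINGS[0] + b"\x00",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:18s} -> {'MATCH' if evaluate_rule(buf) else 'no match'}")
```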
Scenario: Legitimate scheduled job using BananaUsurper-2120 for log file rotation
Filter/Exclusion: process.parent_process_name == "logrotate" or process.command_line contains "logrotate"
Scenario: System administrator using writeJetPlow-2130 to generate a test firewall rule for internal testing
Filter/Exclusion: process.user == "root" and process.command_line contains "test_rule"
Scenario: Automated backup tool using BananaUsurper-2120 to write temporary firewall configuration files
Filter/Exclusion: process.command_line contains "backup_script.sh" or process.parent_process_name == "backupd"
Scenario: Security team using writeJetPlow-2130 to apply a new firewall policy during a security audit
Filter/Exclusion: process.user == "security_admin" and process.command_line contains "apply_policy"
Scenario: Development team using BananaUsurper-2120 to simulate network traffic for testing purposes
Filter/Exclusion: process.command_line contains "simulate_traffic" or process.parent_process_name == "test_runner"