The hypothesis is that the detection of files BARPUNCH-3110 and BPICKER-3100 in the environment may indicate the presence of the EQGRP toolset, which is associated with potential network reconnaissance or firewall manipulation activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to network compromise.
YARA Rule
rule EQGRP_BARPUNCH_BPICKER
{
    meta:
        description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
        hash2 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
    strings:
        $x1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u" fullword ascii
        $x2 = "%s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options]" fullword ascii
        $x3 = "* [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration)" fullword ascii
        $x4 = "%s version %s already has persistence installed. If you want to uninstall," fullword ascii
        $x5 = "The active module(s) on the target are not meant to be persisted" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 6000KB and 1 of them ) or ( 3 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
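To make the condition logic concrete for hunters tuning this rule, the following is an added example (not part of the original page and not Florian Roth's code): a plain-Python re-implementation of the rule's condition, with YARA's fullword semantics, run over three constructed sample buffers. It shows why an ELF file under 6000KB triggers on a single $x string while any other file needs three.

```python
"""Stand-alone evaluator for the condition of rule EQGRP_BARPUNCH_BPICKER.

Added example (not from the original page or the rule author): it mirrors the
rule's condition in plain Python so the ELF-vs-other threshold is visible.
"""
import re
import struct

# The five $x strings exactly as they appear in the rule.
X_STRINGS = [
    b"--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u",
    b"%s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options]",
    b"* [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration)",
    b"%s version %s already has persistence installed. If you want to uninstall,",
    b"The active module(s) on the target are not meant to be persisted",
]
MAX_SIZE = 6000 * 1024   # filesize < 6000KB (YARA's KB suffix means 1024 bytes)
ELF_MAGIC_LE = 0x457f    # uint16(0) of "\x7fELF" read little-endian, as YARA does

def fullword_hits(data: bytes) -> int:
    """Count $x strings present as YARA 'fullword' matches, i.e. with no
    alphanumeric byte directly before or after the matched string."""
    hits = 0
    for s in X_STRINGS:
        pat = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
        if re.search(pat, data):
            hits += 1
    return hits

def rule_matches(data: bytes) -> bool:
    """(uint16(0) == 0x457f and filesize < 6000KB and 1 of them) or (3 of them)"""
    is_elf = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == ELF_MAGIC_LE
    hits = fullword_hits(data)
    return (is_elf and len(data) < MAX_SIZE and hits >= 1) or hits >= 3

# Constructed samples (not real files): an ELF-like blob carrying one string,
# a text file carrying the same single string, and a text file carrying three.
ELF_ONE = b"\x7fELF" + b"\x00" * 12 + X_STRINGS[4] + b"\x00"
TEXT_ONE = b"notes: " + X_STRINGS[4] + b"\n"
TEXT_THREE = b"\n".join(X_STRINGS[:3]) + b"\n"

if __name__ == "__main__":
    for name, blob in [("ELF_ONE", ELF_ONE), ("TEXT_ONE", TEXT_ONE), ("TEXT_THREE", TEXT_THREE)]:
        print(f"{name}: hits={fullword_hits(blob)} match={rule_matches(blob)}")
```

The single-string path only fires for ELF binaries, so a copy of these strings in a log, report or text note does not trip the rule unless three of them appear together.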
Scenario: A system administrator is using BPICKER-3100 to perform a scheduled maintenance task on the firewall configuration.
Filter/Exclusion: process.name != "BPICKER-3100" OR process.parent.name == "task scheduler" OR process.args contains "maintenance"
Scenario: A developer is using BARPUNCH-3110 to debug or test a firewall rule in a development environment.
Filter/Exclusion: process.name != "BARPUNCH-3110" OR process.directory contains "dev_env" OR process.args contains "test"
Scenario: A backup job is running and temporarily accesses BARPUNCH-3110 or BPICKER-3100 files during a system restore.
Filter/Exclusion: process.name contains "backup" OR process.directory contains "backup_restore" OR process.args contains "restore"
Scenario: A third-party tool or script is using BPICKER-3100 to query firewall rules as part of an integration with a SIEM system.
Filter/Exclusion: process.name contains "siem" OR process.args contains "query" OR process.parent.name contains "siem_agent"
Scenario: A user is manually reviewing firewall logs using BARPUNCH-3110 for troubleshooting purposes.
Filter/Exclusion: process.name != "BARPUNCH-3110" OR process.args contains "log_review" OR process.user contains "admin"