The detection identifies potential adversary use of the EQGRP Toolset Firewall executable, which may be used for network traffic manipulation or firewall evasion. SOC teams should proactively hunt for this behavior to identify and mitigate potential lateral movement or persistence tactics in their Azure Sentinel environment.
YARA Rule
rule EQGRP_BBALL_M50FW08_2201
{
meta:
description = "EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
hash1 = "80c0b68adb12bf3c15eff9db70a57ab999aad015da99c4417fdfd28156d8d3f7"
strings:
$s1 = ".got_loader" fullword ascii
$s2 = "LOADED" fullword ascii
$s3 = "pageTable.c" fullword ascii
$s4 = "_start_text" fullword ascii
$s5 = "handler_readBIOS" fullword ascii
$s6 = "KEEPGOING" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 40KB and 5 of ($s*) )
}This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: Legitimate update or patch deployment via SCCM
Filter/Exclusion: process.parent_process_name == "Microsoft Configuration Manager" OR process.parent_process_name == "CCMSetup.exe"
Scenario: Scheduled maintenance task using the EQGRP Toolset Firewall utility
Filter/Exclusion: process.name == "schtasks.exe" AND process.command_line LIKE "%BBALL_M50FW08-2201.exe%"
Scenario: Administrative task to configure firewall rules using the EQGRP Toolset
Filter/Exclusion: process.parent_process_name == "mmc.exe" OR process.parent_process_name == "gpedit.msc"
Scenario: File integrity monitoring tool scanning the EQGRP Toolset files
Filter/Exclusion: process.name == "FileScanningTool.exe" OR process.name == "Tripwire.exe"
Scenario: User manually running the EQGRP Toolset for troubleshooting
Filter/Exclusion: process.user == "Domain\Administrator" AND process.command_line LIKE "%BBALL_M50FW08-2201.exe%"