EQGRP Toolset Firewall - file BICECREAM-2140

Hunt Hypothesis

The hypothesis is that the detection of BICECREAM-2140 may indicate the presence of the EQGRP toolset, which is associated with advanced persistent threat (APT) activities, and its use could signal initial compromise or lateral movement within a network. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify potential adversarial activity early and prevent further exploitation.

YARA Rule

rule EQGRP_BICECREAM 
{

    meta:
        description = "EQGRP Toolset Firewall - file BICECREAM-2140"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210"

    strings:
        $s1 = "Could not connect to target device: %s:%d. Please check IP address." fullword ascii
        $s2 = "command data size is invalid for an exec cmd" fullword ascii
        $s3 = "A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma" ascii
        $s4 = "Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n]" fullword ascii
        $s5 = "Execute 0x%08x with args (%08x, %08x, %08x): [y/n]" fullword ascii
        $s6 = "[%d] Execute code." fullword ascii
        $s7 = "Execute 0x%08x with args (%08x): [y/n]" fullword ascii
        $s8 = "dump_value_LHASH_DOALL_ARG" fullword ascii
        $s9 = "Eggcode is complete. Pass execution to it? [y/n]" fullword ascii
    
    condition:
        ( uint16(0) == 0x457f and filesize < 5000KB and 2 of them ) or ( 5 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 9 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using the BICECREAM-2140 tool as part of a scheduled maintenance job to update firewall configurations.
  Filter/Exclusion: process.parent_process_name:"Windows Task Scheduler" or process.name:"schtasks.exe"

• Scenario: The BICECREAM-2140 file is being executed by Microsoft Endpoint Configuration Manager (MECM) during a software deployment.
  Filter/Exclusion: process.parent_process_name:"ConfigMgrClient.exe" or process.name:"ConfigMgrClient.exe"

• Scenario: A security analyst is running BICECREAM-2140 as part of a legitimate security audit or penetration test using Metasploit.
  Filter/Exclusion: process.parent_process_name:"msfconsole.exe" or process.name:"msfconsole.exe"

• Scenario: The BICECREAM-2140 file is part of a legitimate third-party firewall management tool, such as Palo Alto Networks Panorama, being used by the PanOS service.
  Filter/Exclusion: process.parent_process_name:"panos.exe" or process.name:"panos.exe"

• Scenario: The BICECREAM-2140 file is being executed by a Windows Service that is part of the enterprise’s firewall management system, such as Cisco ASA or Fortinet FortiGate.
  Filter/Exclusion: process.parent_process_name:"svchost.exe" with a specific service name or process.name:"firewall_service.exe" (if known)