The hypothesis is that the detection identifies potential adversary use of the EQGRP Toolset Firewall component through suspicious file behavior, which may indicate unauthorized network configuration changes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to persistent network access or data exfiltration.
YARA Rule

    rule EQGRP_bo
    {
        meta:
            description = "EQGRP Toolset Firewall - file bo"
            author = "Florian Roth"
            reference = "Research"
            date = "2016-08-16"
            hash1 = "aa8b363073e8ae754b1836c30f440d7619890ded92fb5b97c73294b15d22441d"
        strings:
            $s1 = "ERROR: failed to open %s: %d" fullword ascii
            $s2 = "__libc_start_main@@GLIBC_2.0" fullword ascii
            $s3 = "serial number: %s" fullword ascii
            $s4 = "strerror@@GLIBC_2.0" fullword ascii
            $s5 = "ERROR: mmap failed: %d" fullword ascii
        condition:
            ( uint16(0) == 0x457f and filesize < 20KB and all of them )
    }
This rule contains five string patterns in its detection logic; all five must be present, together with the ELF magic at offset 0 and a file size under 20KB, for the rule to fire. The YARA rule can be deployed in the contexts listed below, each with the filter/exclusion that suppresses the corresponding benign activity:
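To show how the rule's condition is evaluated, here is an added Python re-implementation (not part of the original page or of Florian Roth's rule) of its three checks: the little-endian uint16(0) test for the ELF magic, the filesize bound, and the fullword matching of all five strings. The sample buffers it builds are constructed test data, not the real file.

```python
import re
import struct

# The five "fullword ascii" strings from rule EQGRP_bo.
EQGRP_BO_STRINGS = [
    b"ERROR: failed to open %s: %d",
    b"__libc_start_main@@GLIBC_2.0",
    b"serial number: %s",
    b"strerror@@GLIBC_2.0",
    b"ERROR: mmap failed: %d",
]
MAX_SIZE = 20 * 1024  # YARA's "20KB" suffix means 20 * 1024 bytes


def fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': the occurrence must not be immediately preceded
    or followed by an alphanumeric byte (A-Z, a-z, 0-9)."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_eqgrp_bo(data: bytes) -> bool:
    """Re-implements: uint16(0) == 0x457f and filesize < 20KB and all of them."""
    if len(data) < 2:
        return False
    # uint16(0) is read little-endian, so the ELF header bytes 7f 45
    # ("\x7fE") compare equal to 0x457f.
    magic = struct.unpack_from("<H", data, 0)[0]
    if magic != 0x457F:
        return False
    if len(data) >= MAX_SIZE:  # "filesize < 20KB"
        return False
    return all(fullword_present(data, s) for s in EQGRP_BO_STRINGS)


def build_sample(header: bytes, size: int) -> bytes:
    """Constructed test buffer (assumption, not the real binary): a header,
    then the rule strings NUL-separated, zero-padded to `size` bytes."""
    body = header + b"\x00" + b"\x00".join(EQGRP_BO_STRINGS) + b"\x00"
    return body.ljust(size, b"\x00")
```

Compiling the rule with yara-python and scanning the same buffers gives identical results, but the re-implementation above runs without YARA installed.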
Scenario: Scheduled system backup using Veeam Backup & Replication
    Filter/Exclusion: process.name != "vbm.exe" and process.name != "vagent.exe"

Scenario: Admin task to update Microsoft Endpoint Protection (EPP) definitions
    Filter/Exclusion: process.name != "mpsvc.exe" and process.name != "mpcmdrun.exe"

Scenario: Legitimate use of Windows Task Scheduler to run maintenance scripts
    Filter/Exclusion: process.name != "schtasks.exe" and process.name != "cmd.exe" (with specific command line arguments)

Scenario: Patching activity using Microsoft Update Assistant
    Filter/Exclusion: process.name != "wusa.exe" and process.name != "msiexec.exe"

Scenario: Regular log file rotation using LogParser or PowerShell scripts
    Filter/Exclusion: process.name != "logparser.exe" and process.name != "powershell.exe" (with specific script paths or command lines)