The detection identifies potential adversary use of the BPATROL-2201.exe file, which is associated with the EQGRP toolset, possibly indicating initial compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threat activity that may evade traditional detection methods.
YARA Rule
rule EQGRP_BPATROL_2201
{
    meta:
        description = "EQGRP Toolset Firewall - file BPATROL-2201.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "aa892750b893033eed2fedb2f4d872f79421174eb217f0c34a933c424ae66395"
    strings:
        $s1 = "dumpConfig" fullword ascii
        $s2 = "getstatusHandler" fullword ascii
        $s3 = ".got_loader" fullword ascii
        $s4 = "xtractdata" fullword ascii
        $s5 = "KEEPGOING" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 40KB and all of them )
}
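To make the condition concrete, the following Python emulation of the rule logic is added here; it is not part of the original page or of the rule author's tooling. It shows that uint16(0) == 0x457f is the little-endian reading of the bytes 0x7f 'E', i.e. an ELF header (so the rule targets a Linux binary despite the .exe name), applies the 40KB bound (YARA's KB suffix means 1024 bytes) and YARA's fullword semantics, and runs against constructed byte samples, not real malware.

```python
import re

# Thresholds and patterns copied from the EQGRP_BPATROL_2201 rule above.
ELF_MAGIC_LE = 0x457F        # uint16(0) little-endian == bytes 0x7f 'E' (ELF header)
MAX_FILESIZE = 40 * 1024     # YARA "40KB" is 40 * 1024 bytes
FULLWORD_STRINGS = [b"dumpConfig", b"getstatusHandler", b".got_loader",
                    b"xtractdata", b"KEEPGOING"]


def fullword_present(data: bytes, s: bytes) -> bool:
    """Emulate YARA 'fullword ascii': the string must not be immediately
    preceded or followed by an alphanumeric character."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(s) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def matches_bpatrol_rule(data: bytes) -> dict:
    """Evaluate each clause of the rule condition and the overall verdict."""
    magic_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == ELF_MAGIC_LE
    size_ok = len(data) < MAX_FILESIZE
    strings_ok = all(fullword_present(data, s) for s in FULLWORD_STRINGS)
    return {"elf_magic": magic_ok, "size": size_ok, "all_strings": strings_ok,
            "match": magic_ok and size_ok and strings_ok}


# Constructed samples (not real files): a minimal ELF-looking header plus the strings.
ELF_HEADER = b"\x7fELF" + b"\x00" * 12
SAMPLE_HIT = ELF_HEADER + b"\x00".join(FULLWORD_STRINGS) + b"\x00"
# "xtractdata2" is not a fullword hit for "xtractdata", so this sample must not match.
SAMPLE_PARTIAL_WORD = ELF_HEADER + b"\x00".join(
    [b"dumpConfig", b"getstatusHandler", b".got_loader", b"xtractdata2", b"KEEPGOING"]) + b"\x00"
# Same strings behind a PE-style "MZ" header: the magic clause rejects it.
SAMPLE_PE = b"MZ" + SAMPLE_HIT[2:]
# Padding past 40KB fails the filesize clause even though every string is present.
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for name, blob in [("elf_all_strings", SAMPLE_HIT), ("xtractdata2", SAMPLE_PARTIAL_WORD),
                       ("mz_header", SAMPLE_PE), ("over_40kb", SAMPLE_TOO_BIG)]:
        print(name, matches_bpatrol_rule(blob))
```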
This rule contains 5 string patterns in its detection logic. The scenarios below describe legitimate activity that could trigger the rule, each with a candidate filter/exclusion; apply an exclusion only after confirming that the parent process or account is expected in your environment, and scope command-line keyword exclusions narrowly, since a bare substring match is easy to satisfy.
Scenario: Scheduled maintenance task using BPATROL-2201.exe for network configuration updates
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "scheduled_task"
Scenario: Legitimate use of BPATROL-2201.exe by the EQGRP Toolset Firewall application for monitoring purposes
Filter/Exclusion: process.process_name == "BPATROL-2201.exe" and process.parent_process_name == "EQGRP Firewall Service"
Scenario: System administrator running BPATROL-2201.exe manually to troubleshoot firewall rules
Filter/Exclusion: user_account == "admin_user" or process.command_line contains "debug"
Scenario: Automated backup job that temporarily executes BPATROL-2201.exe as part of a script
Filter/Exclusion: process.parent_process_name == "backup_service" or process.command_line contains "backup_script"
Scenario: Third-party tool integration that uses BPATROL-2201.exe for log analysis or reporting
Filter/Exclusion: process.parent_process_name == "third_party_tool" or process.command_line contains "log_analysis"