The detection identifies potential adversary use of the BpfCreator-RHEL4 tool, which may be used to establish persistence or manipulate network traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent lateral movement or data exfiltration.
YARA Rule

rule EQGRP_BpfCreator_RHEL4
{
    meta:
        description = "EQGRP Toolset Firewall - file BpfCreator-RHEL4"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "bd7303393409623cabf0fcf2127a0b81fae52fe40a0d2b8db0f9f092902bbd92"
    strings:
        $s1 = "usage %s \"<tcpdump pcap string>\" <outfile>" fullword ascii
        $s2 = "error reading dump file: %s" fullword ascii
        $s3 = "truncated dump file; tried to read %u captured bytes, only got %lu" fullword ascii
        $s4 = "%s: link-layer type %d isn't supported in savefiles" fullword ascii
        $s5 = "DLT %d is not one of the DLTs supported by this device" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 2000KB and all of them )
}
This rule contains 5 string patterns in its detection logic. It can be deployed in the following contexts; each scenario lists a filter or exclusion that can be applied when tuning the rule:
Scenario: System update or package installation using yum or dnf that includes the BpfCreator-RHEL4 file as part of a dependency or package metadata.
Filter/Exclusion: Check for presence in /usr or /opt directories, and exclude files associated with package managers (/var/cache/yum, /var/lib/dnf).

Scenario: Scheduled job or cron task that generates temporary files or logs containing the string BpfCreator-RHEL4 as part of a script or log message.
Filter/Exclusion: Filter by file path (e.g., /var/log/, /tmp/) or check for presence in log files rather than executable files.

Scenario: Administrative task involving network configuration or firewall rule management using tools like iptables, firewalld, or nftables, where the string BpfCreator-RHEL4 appears in a script or configuration file.
Filter/Exclusion: Exclude files in /etc/firewalld/, /etc/iptables/, or /etc/nftables/ and check for script execution context.

Scenario: Use of a legitimate security or network analysis tool (e.g., tcpdump, Wireshark, or tshark) that includes the string BpfCreator-RHEL4 in its output or configuration.
Filter/Exclusion: Exclude files or processes related to packet capture tools, or filter based on process names like tcpdump, wireshark, or tshark.

Scenario: Custom script or automation tool (e.g., Ansible, Puppet, or Chef) that includes the string BpfCreator-RHEL4 in its templates or configuration files during deployment.
Filter/Exclusion: Exclude files in configuration management directories (e.g., /etc/ansible/, `/var/lib
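The following is an added example, not part of the original rule page and not code from the rule's author, showing how the condition of EQGRP_BpfCreator_RHEL4 evaluates and how the path-based filters listed in the scenarios above can be applied as a triage step. It re-implements the three parts of the condition in plain Python so that they can be checked without a YARA installation: uint16(0) == 0x457f (a little-endian 16-bit read, i.e. the bytes 7f 45 that open an ELF header), filesize < 2000KB, and the five fullword ascii strings (fullword meaning the match is not bordered by alphanumeric bytes). The sample buffers, the function names and the LOW_PRIORITY_PREFIXES tuple are constructed for this example; the prefixes are taken from the Filter/Exclusion lines on this page.

```python
import re

# The five "fullword ascii" strings from rule EQGRP_BpfCreator_RHEL4 (copied from the rule above).
RULE_STRINGS = [
    b'usage %s "<tcpdump pcap string>" <outfile>',
    b"error reading dump file: %s",
    b"truncated dump file; tried to read %u captured bytes, only got %lu",
    b"%s: link-layer type %d isn't supported in savefiles",
    b"DLT %d is not one of the DLTs supported by this device",
]
MAX_FILESIZE = 2000 * 1024  # YARA's "2000KB" (KB is a 1024 multiplier in YARA)

# Path prefixes the page's Filter/Exclusion lines describe as likely benign contexts.
# Matches under these are down-ranked for review rather than silently dropped.
LOW_PRIORITY_PREFIXES = (
    "/var/cache/yum", "/var/lib/dnf", "/var/log/", "/tmp/",
    "/etc/firewalld/", "/etc/iptables/", "/etc/nftables/",
)


def uint16_le(data: bytes, offset: int):
    """YARA's uint16(offset): unsigned little-endian 16-bit read; None if out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword' semantics: the string may not be adjacent to an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes):
    """Mirror the rule's condition; return (matched, per-term detail) for triage output."""
    detail = {
        "elf_magic": uint16_le(data, 0) == 0x457F,          # bytes 7f 45 -> "\x7fE" of "\x7fELF"
        "filesize_ok": len(data) < MAX_FILESIZE,
        "strings_found": [fullword_present(data, s) for s in RULE_STRINGS],
    }
    matched = bool(detail["elf_magic"] and detail["filesize_ok"] and all(detail["strings_found"]))
    return matched, detail


def triage(path: str, data: bytes) -> dict:
    """Apply the rule, then rank a hit by whether its path falls under a page-listed exclusion."""
    matched, detail = evaluate_rule(data)
    if not matched:
        return {"path": path, "verdict": "no_match", "detail": detail}
    priority = "review" if path.startswith(LOW_PRIORITY_PREFIXES) else "escalate"
    return {"path": path, "verdict": "match", "priority": priority, "detail": detail}


def build_sample(with_elf_magic: bool = True, strings=RULE_STRINGS, pad_len: int = 16) -> bytes:
    """Constructed test buffer (not a real binary): optional ELF magic, padding, NUL-separated strings."""
    header = b"\x7fELF" if with_elf_magic else b"#!/bin/sh\n"
    return header + b"\x00" * pad_len + b"\x00".join(strings) + b"\x00"


if __name__ == "__main__":
    # Constructed cases: a full hit, a non-ELF file carrying the same strings, and a hit in /tmp.
    for path, buf in [
        ("/home/user/bpfcreator", build_sample()),
        ("/var/log/build.log", build_sample(with_elf_magic=False)),
        ("/tmp/bpfcreator", build_sample()),
    ]:
        result = triage(path, buf)
        print(path, result["verdict"], result.get("priority", ""))
```

Two points the walkthrough makes concrete: a text file that merely contains the tool's name, or even all five strings, does not satisfy the condition because uint16(0) must read the ELF magic, so the log, cron and configuration-file scenarios above are ruled out by the condition itself before any path filter is consulted; and because fullword rejects matches bordered by alphanumeric bytes, a string embedded inside a longer identifier does not count. Keeping down-ranked hits as "review" rather than discarding them preserves the audit trail for the package-manager and packet-capture-tool scenarios.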