This detection identifies potential adversary use of the file BPIE-2201.exe, which is associated with the EQGRP toolset and indicates possible network firewall manipulation or evasion. SOC teams using Azure Sentinel should proactively hunt for this behavior to identify and mitigate early-stage adversary activity before it compromises network defenses.
YARA Rule
rule EQGRP_BPIE
{
    meta:
        description = "EQGRP Toolset Firewall - file BPIE-2201.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "697e80cf2595c85f7c931693946d295994c55da17a400f2c9674014f130b4688"
    strings:
        $s1 = "profProcessPacket" fullword ascii
        $s2 = ".got_loader" fullword ascii
        $s3 = "getTimeSlotCmdHandler" fullword ascii
        $s4 = "getIpIpCmdHandler" fullword ascii
        $s5 = "LOADED" fullword ascii
        $s6 = "profStartScan" fullword ascii
        $s7 = "tmpData.1" fullword ascii
        $s8 = "resetCmdHandler" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 70KB and 6 of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic; the condition requires at least 6 of them to be present, together with the ELF magic bytes at offset 0 (uint16(0) == 0x457f) and a file size under 70 KB.
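To make the condition above concrete, here is an added Python re-implementation of this rule's logic (example code, not from the original page or from YARA itself), evaluated against constructed byte strings. It also shows two things the rule text alone does not: the same strings behind a PE "MZ" header do not match because of the ELF magic check, and strings that only occur inside longer identifiers fail the fullword test.

```python
import re
import struct

# The eight strings from the EQGRP_BPIE rule above, all declared "fullword ascii".
BPIE_STRINGS = [
    b"profProcessPacket", b".got_loader", b"getTimeSlotCmdHandler",
    b"getIpIpCmdHandler", b"LOADED", b"profStartScan", b"tmpData.1",
    b"resetCmdHandler",
]
MAX_SIZE = 70 * 1024   # YARA's "70KB" is 70 * 1024 bytes
MIN_STRINGS = 6        # "6 of ($s*)"

def fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': the match may not be directly preceded or followed
    by an alphanumeric byte ([A-Za-z0-9], not Python's broader \\w)."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def eqgrp_bpie_matches(data: bytes) -> dict:
    """Evaluate the rule's condition and return each sub-check plus the verdict."""
    # uint16(0) reads the first two bytes little-endian, so 0x457f is b"\x7fE",
    # i.e. the start of the ELF magic b"\x7fELF".
    magic_ok = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F
    size_ok = len(data) < MAX_SIZE
    hits = [s for s in BPIE_STRINGS if fullword_present(data, s)]
    return {
        "elf_magic": magic_ok, "size_ok": size_ok, "string_hits": len(hits),
        "match": magic_ok and size_ok and len(hits) >= MIN_STRINGS,
    }

# Constructed samples (not real EQGRP binaries): an ELF-headed blob carrying
# seven of the eight strings, the same bytes behind a PE "MZ" header, and a
# blob where every string appears only inside a longer identifier.
ELF_LIKE = b"\x7fELF" + b"\x00" * 60 + b"\x00".join([
    b"profProcessPacket", b".got_loader", b"getTimeSlotCmdHandler",
    b"getIpIpCmdHandler", b"LOADED", b"profStartScan", b"resetCmdHandler",
]) + b"\x00"
PE_LIKE = b"MZ" + ELF_LIKE[2:]
EMBEDDED_ONLY = b"\x7fELF" + b"\x00".join(b"x" + s + b"y" for s in BPIE_STRINGS) + b"\x00"

if __name__ == "__main__":
    for name, blob in (("ELF_LIKE", ELF_LIKE), ("PE_LIKE", PE_LIKE), ("EMBEDDED_ONLY", EMBEDDED_ONLY)):
        print(name, eqgrp_bpie_matches(blob))
```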
Scenario: Legitimate use of BPIE-2201.exe by the EQGRP Toolset Firewall application
Filter/Exclusion: Check the parent process (e.g., EQGRP_Service.exe) and verify that the file path is within the known installation directory (e.g., C:\Program Files\EQGRP\)

Scenario: Scheduled maintenance task running BPIE-2201.exe for system diagnostics
Filter/Exclusion: Include a condition that checks for the presence of a scheduled task with a known name (e.g., EQGRP_Maintenance_Task) or a specific user account (e.g., ServiceAccount)

Scenario: Admin performing a manual firewall configuration update using BPIE-2201.exe
Filter/Exclusion: Filter by the user account (e.g., Administrator) and check for command-line arguments that indicate a configuration update (e.g., /config or /update)

Scenario: Antivirus or endpoint protection tool using BPIE-2201.exe for scanning or remediation
Filter/Exclusion: Check for the presence of a known antivirus or endpoint tool (e.g., Windows Defender, McAfee, or Symantec) in the process tree or file path

Scenario: Development or testing environment running BPIE-2201.exe as part of a CI/CD pipeline
Filter/Exclusion: Include a condition that checks for a specific environment variable (e.g., ENV=TEST) or a known development directory (e.g., C:\Dev\Tools\)