The detection identifies potential adversary use of EQGRP toolset components to establish outbound callbacks to suspicious IP addresses, indicating possible C2 communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage malware activity and disrupt adversary command and control operations.
YARA Rule
rule EQGRP_callbacks
{
    meta:
        description = "EQGRP Toolset Firewall - Callback addresses"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
    strings:
        $s1 = "30.40.50.60:9342" fullword ascii wide /* DoD */
    condition:
        1 of them
}
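To make the matching semantics concrete, here is an added Python model (not part of the original rule or Florian Roth's tooling) of what `$s1` with the modifiers `fullword ascii wide` and the condition `1 of them` actually test: the callback string must appear either as plain ASCII or as UTF-16LE, and in both cases it may not be adjacent to an alphanumeric character. The sample buffers are constructed for the demonstration.

```python
from typing import Dict, List

# The single string from the EQGRP_callbacks rule, declared "fullword ascii wide".
CALLBACK = "30.40.50.60:9342"


def _alnum_ascii(b: int) -> bool:
    """YARA fullword boundary test: neighbours may not be [A-Za-z0-9]."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def find_fullword(data: bytes, needle: bytes, width: int) -> List[int]:
    """Offsets of `needle` in `data` that satisfy a YARA-style fullword check.

    width=1 models an `ascii` string; width=2 models a `wide` (UTF-16LE) string,
    where an alphanumeric neighbour is an alphanumeric byte followed by 0x00.
    A match at the start or end of the buffer counts as bounded.
    """
    hits = []
    pos = data.find(needle)
    while pos != -1:
        before = data[pos - width:pos] if pos >= width else b""
        after = data[pos + len(needle):pos + len(needle) + width]
        bounded = True
        for chunk in (before, after):
            if len(chunk) == width and _alnum_ascii(chunk[0]) and (width == 1 or chunk[1] == 0):
                bounded = False
        if bounded:
            hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan(data: bytes) -> Dict[str, object]:
    """Emulate the rule: `1 of them` is true if the ascii or the wide form hits."""
    ascii_hits = find_fullword(data, CALLBACK.encode("ascii"), 1)
    wide_hits = find_fullword(data, CALLBACK.encode("utf-16-le"), 2)
    return {"ascii": ascii_hits, "wide": wide_hits, "match": bool(ascii_hits or wide_hits)}


if __name__ == "__main__":
    # Constructed samples: a plain config line, a wide-string blob, and two
    # near-misses that fail the fullword boundary check.
    samples = {
        "ascii config line": b"connect to 30.40.50.60:9342 now",
        "wide string blob": b"\x00\x00" + CALLBACK.encode("utf-16-le") + b"\x00\x00",
        "ascii not fullword": b"x30.40.50.60:93425",
        "wide not fullword": "A30.40.50.60:9342".encode("utf-16-le"),
    }
    for label, buf in samples.items():
        print(f"{label:22s} -> {scan(buf)}")
```

The two near-miss samples show why `fullword` matters for an IP:port indicator: without it, an address such as 130.40.50.60 or a port such as 93425 would also fire.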
This rule contains one string pattern in its detection logic. When deploying it, the following scenarios are common sources of benign matches and can be tuned with the exclusions shown:
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a maintenance script that connects to a known callback address as part of its routine operations.
Filter/Exclusion: not (process.name == "maintenance_script.exe" and process.parent_process.name == "task scheduler")
Scenario: Admin Task - Remote Management Tool
Description: An administrator uses a remote management tool like Microsoft Endpoint Manager (MEM) or Microsoft Intune to connect to a callback address for device management.
Filter/Exclusion: process.name != "msmpeng.exe" and process.name != "intunewin.exe"
Scenario: Log Collection via SIEM Integration
Description: A log collection agent, such as Splunk Universal Forwarder or ELK Stack, connects to a callback address to send logs to a central SIEM system.
Filter/Exclusion: process.name != "splunkforwarder.exe" and process.name != "logstash.exe"
Scenario: Software Update Distribution
Description: A legitimate software update distribution tool, such as Microsoft Endpoint Update or WSUS, connects to a callback address to fetch updates.
Filter/Exclusion: process.name != "wuauserv.exe" and process.name != "wsusutil.exe"
Scenario: Cloud Backup Service Connection
Description: A cloud backup service like Veeam Backup & Replication or Commvault connects to a callback address to sync data with a remote backup server.
Filter/Exclusion: process.name != "veeam.exe" and process.name != "cvbackup.exe"
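The exclusions above are pseudo-filters; an added Python model (not part of the original page, and not Sentinel KQL) shows how to apply them to rule hits so that only un-tuned alerts reach an analyst. It also demonstrates a common tuning mistake: an exclusion written as `process.name != "A" or process.name != "B"` is true for every event and therefore suppresses nothing, whereas the allow-list must be evaluated as a membership test (and for the scheduled-job case, as a process/parent pair). The process names are the ones used in the scenarios; the events are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

# (process name, required parent) pairs taken from the scenarios above.
# A parent of None means "any parent". Constructed table for this example.
EXCLUSIONS: List[Tuple[str, Optional[str]]] = [
    ("maintenance_script.exe", "task scheduler"),
    ("msmpeng.exe", None),
    ("intunewin.exe", None),
    ("splunkforwarder.exe", None),
    ("logstash.exe", None),
    ("wuauserv.exe", None),
    ("wsusutil.exe", None),
    ("veeam.exe", None),
    ("cvbackup.exe", None),
]

Event = Dict[str, object]


def broken_filter(event: Event) -> bool:
    """The `a != X or a != Y` form: no single value can equal both X and Y,
    so this is always true and keeps every event."""
    name = event["process.name"]
    return name != "splunkforwarder.exe" or name != "logstash.exe"


def is_excluded(event: Event) -> bool:
    """Membership test against the allow-list, honouring the parent constraint."""
    name = str(event.get("process.name", "")).lower()
    parent = str(event.get("process.parent_process.name", "")).lower()
    for proc, required_parent in EXCLUSIONS:
        if name == proc and (required_parent is None or parent == required_parent):
            return True
    return False


def triage(events: List[Event]) -> List[Event]:
    """Alerts that survive tuning: the YARA rule matched and no exclusion applies."""
    return [e for e in events if e["rule_match"] and not is_excluded(e)]


# Constructed sample of rule hits as a SIEM might present them.
SAMPLE_EVENTS: List[Event] = [
    {"host": "h1", "process.name": "splunkforwarder.exe",
     "process.parent_process.name": "services.exe", "rule_match": True},
    {"host": "h2", "process.name": "maintenance_script.exe",
     "process.parent_process.name": "task scheduler", "rule_match": True},
    {"host": "h3", "process.name": "maintenance_script.exe",
     "process.parent_process.name": "cmd.exe", "rule_match": True},
    {"host": "h4", "process.name": "svchost.exe",
     "process.parent_process.name": "services.exe", "rule_match": True},
    {"host": "h5", "process.name": "svchost.exe",
     "process.parent_process.name": "services.exe", "rule_match": False},
]


if __name__ == "__main__":
    print("kept by broken filter:", [e["host"] for e in SAMPLE_EVENTS if broken_filter(e)])
    print("alerts after tuning:  ", [e["host"] for e in triage(SAMPLE_EVENTS)])
```

Host h3 is kept deliberately: the same maintenance script launched from cmd.exe rather than the task scheduler falls outside the exclusion, which is exactly the case an analyst wants to see.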