This detection identifies potential adversary use of the EQGRP Toolset Firewall configuration file config_jp1_UA.pl to establish unauthorized network connections or manipulate firewall rules. SOC teams should proactively hunt for this behavior to uncover covert lateral movement or persistence mechanisms that may evade traditional detection methods.
YARA Rule
rule EQGRP_config_jp1_UA
{
    meta:
        description = "EQGRP Toolset Firewall - file config_jp1_UA.pl"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56"
    strings:
        $x1 = "This program will configure a JETPLOW Userarea file." fullword ascii
        $x2 = "Error running config_implant." fullword ascii
        $x3 = "NOTE: IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION " fullword ascii
        $x4 = "First IP address for beacon destination [127.0.0.1]" fullword ascii
    condition:
        1 of them
}
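As an added illustration, not part of the original rule or of Florian Roth's tooling, the Python below emulates the rule's four strings, its `fullword ascii` modifier and its `1 of them` condition over constructed sample buffers. The regex-based fullword emulation and the sample file contents are assumptions of this example; the string values themselves are copied from the rule above.

```python
import re
from typing import Dict, List

# String patterns copied verbatim from the EQGRP_config_jp1_UA rule above.
RULE_STRINGS: Dict[str, str] = {
    "$x1": "This program will configure a JETPLOW Userarea file.",
    "$x2": "Error running config_implant.",
    "$x3": "NOTE: IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION ",
    "$x4": "First IP address for beacon destination [127.0.0.1]",
}

_ALNUM = r"[A-Za-z0-9]"


def _fullword_pattern(s: str) -> "re.Pattern[str]":
    # Emulates YARA's `fullword` modifier (assumption: a match counts only when
    # it is neither preceded nor followed by an alphanumeric character).
    return re.compile(rf"(?<!{_ALNUM}){re.escape(s)}(?!{_ALNUM})")


PATTERNS = {name: _fullword_pattern(s) for name, s in RULE_STRINGS.items()}


def match_strings(data: bytes) -> List[str]:
    """Return identifiers of rule strings present in `data` as fullword ascii hits."""
    text = data.decode("latin-1")  # byte-preserving decode, one char per byte
    return [name for name, pat in PATTERNS.items() if pat.search(text)]


def rule_matches(data: bytes) -> bool:
    """Condition `1 of them`: fire when at least one string is present."""
    return len(match_strings(data)) >= 1


# Constructed sample buffers (not real toolset files).
SUSPECT = b'#!/usr/bin/perl\nprint "This program will configure a JETPLOW Userarea file.\\n";\n'
EMBEDDED = b"XError running config_implant.Y"  # same bytes glued into a longer word
BENIGN = b'#!/usr/bin/perl\nprint "hello\\n";\n'


if __name__ == "__main__":
    for label, buf in [("SUSPECT", SUSPECT), ("EMBEDDED", EMBEDDED), ("BENIGN", BENIGN)]:
        print(f"{label}: strings={match_strings(buf)} fires={rule_matches(buf)}")
```

The EMBEDDED buffer shows why `fullword` matters: the bytes of $x2 are present, but because they are glued to alphanumeric neighbours the rule does not fire. Note also that $x3 ends in a trailing space, so under fullword semantics the byte after that space must itself be non-alphanumeric; keep that in mind when validating the rule against test files.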
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic; its condition (1 of them) fires when any one of those strings is found.
Scenario: System administrator is updating the config_jp1_UA.pl file as part of a scheduled maintenance task for the EQGRP Toolset Firewall configuration.
Filter/Exclusion: Check for the presence of a known admin user (e.g., root, admin, or a specific admin group) in the process owner field, or use a timestamp filter matching the scheduled maintenance window.
Scenario: A legitimate script or automation tool (e.g., Ansible, Puppet, or Chef) is modifying the config_jp1_UA.pl file during a configuration push to multiple servers.
Filter/Exclusion: Filter by the source IP of the automation tool or include a field indicating the tool is part of a known configuration management system.
Scenario: A developer is testing the EQGRP Toolset Firewall and manually edits the config_jp1_UA.pl file in a development or staging environment.
Filter/Exclusion: Include a field indicating the environment (e.g., dev, test, or staging) or filter by a specific hostname or IP address associated with the test environment.
Scenario: The file config_jp1_UA.pl is being accessed by a legitimate monitoring or logging tool (e.g., Splunk, ELK, or Graylog) for audit purposes.
Filter/Exclusion: Filter by the process name or user associated with the monitoring tool, or check for the presence of a known log collection process.
Scenario: A backup or restore operation is modifying the config_jp1_UA.pl file as part of a routine data protection process.
Filter/Exclusion: Include a field indicating the process is part of a backup/restore operation (e.g., backup, restore, or snapshot) or filter by a known backup tool (e.g., Veeam,
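To show how the five tuning scenarios above translate into an ordered exclusion pass over rule hits, here is an added Python example that is not part of the original page or of any SIEM product. The event schema, the allowlist values (admin users, maintenance window, automation controller IP, environment names, monitoring process names, backup tags) and the sample events are all constructed placeholders to be replaced with values from your own inventory.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class MatchEvent:
    # Hypothetical schema for a YARA hit forwarded to the SIEM; field names are
    # assumptions of this example, not those of any particular product.
    host: str
    user: str
    process: str
    source_ip: str
    env: str
    timestamp: datetime
    tags: FrozenSet[str] = field(default_factory=frozenset)


# Constructed allowlists: fill these from your own asset and change inventory.
ADMIN_USERS = {"root", "admin"}
MAINT_WINDOW = (time(2, 0), time(4, 0))          # assumed 02:00-04:00 local window
AUTOMATION_IPS = {"10.0.0.5"}                     # e.g., the Ansible/Puppet controller
TEST_ENVS = {"dev", "test", "staging"}
MONITORING_PROCS = {"splunkd", "filebeat", "graylog-collector"}
BACKUP_TAGS = {"backup", "restore", "snapshot"}


def in_maint_window(ts: datetime) -> bool:
    """True when the hit falls inside the scheduled maintenance window."""
    start, end = MAINT_WINDOW
    return start <= ts.time() < end


def suppression_reason(ev: MatchEvent) -> Optional[str]:
    """Return the tuning scenario that explains the hit, or None if it should alert."""
    if ev.user in ADMIN_USERS and in_maint_window(ev.timestamp):
        return "admin maintenance window"
    if ev.source_ip in AUTOMATION_IPS:
        return "configuration management push"
    if ev.env in TEST_ENVS:
        return "test environment"
    if ev.process in MONITORING_PROCS:
        return "monitoring/log collection"
    if ev.tags & BACKUP_TAGS:
        return "backup/restore operation"
    return None


def triage(events: List[MatchEvent]) -> Tuple[list, list]:
    """Split a batch into (alerts, suppressed); each entry is (event, reason)."""
    alerts, suppressed = [], []
    for ev in events:
        reason = suppression_reason(ev)
        (suppressed if reason else alerts).append((ev, reason))
    return alerts, suppressed


# Constructed sample hits for the rule, one per scenario plus one genuine alert.
SAMPLE_EVENTS = [
    MatchEvent("fw-edge-01", "svc_web", "perl", "203.0.113.7", "prod", datetime(2024, 5, 1, 13, 15)),
    MatchEvent("fw-edge-01", "root", "vim", "10.0.0.9", "prod", datetime(2024, 5, 1, 2, 30)),
    MatchEvent("fw-lab-03", "dev1", "perl", "10.0.1.4", "staging", datetime(2024, 5, 1, 11, 0)),
    MatchEvent("fw-edge-02", "splunk", "splunkd", "10.0.0.20", "prod", datetime(2024, 5, 1, 9, 0)),
    MatchEvent("fw-edge-02", "root", "perl", "10.0.0.9", "prod", datetime(2024, 5, 1, 23, 0),
               frozenset({"snapshot"})),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev, _ in alerts:
        print(f"ALERT     {ev.host} user={ev.user} proc={ev.process}")
    for ev, reason in suppressed:
        print(f"SUPPRESS  {ev.host} user={ev.user} reason={reason}")
```

Keep each exclusion as narrow as the scenario allows (a single controller IP rather than a subnet, a named process rather than a user) and log suppressed hits with their reason rather than discarding them, so the tuning itself stays reviewable.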