The detection identifies the creation of the create_http_injection.py file, which is associated with the EQGRP toolset and may indicate initial compromise or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial activity early and prevent further exploitation within the environment.
YARA Rule
rule EQGRP_create_http_injection
{
    meta:
        description = "EQGRP Toolset Firewall - file create_http_injection.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "de52f5621b4f3896d4bd1fb93ee8be827e71a2b189a9f8552b68baed062a992d"
    strings:
        $x1 = "required by SECONDDATE" fullword ascii
        $s1 = "help='Output file name (optional). By default the resulting data is written to stdout.')" fullword ascii
        $s2 = "data = '<html><body onload=\"location.reload(true)\"><iframe src=\"%s\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"" ascii
        $s3 = "version='%prog 1.0'," fullword ascii
        $s4 = "usage='%prog [ ... options ... ] url'," fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 3KB and ( $x1 or 2 of them ) ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
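To make the condition concrete, the following is an added Python evaluator (not part of this page, of the rule author's work, or of the YARA project) that reproduces the rule's matching logic over in-memory bytes: the little-endian uint16(0) check that amounts to a "#!" shebang test, the 3KB size guard, the "$x1 or 2 of them" clause and the fullword border rule. The sample inputs are constructed for illustration, not real files.

```python
import re

# Strings copied from the page's rule; $s2 has no "fullword" modifier, so it is a plain substring.
RULE_STRINGS = {
    "$x1": b"required by SECONDDATE",
    "$s1": b"help='Output file name (optional). By default the resulting data is written to stdout.')",
    "$s2": b'data = \'<html><body onload="location.reload(true)"><iframe src="%s" height="1" width="1" scrolling="no" frameborder="',
    "$s3": b"version='%prog 1.0',",
    "$s4": b"usage='%prog [ ... options ... ] url',",
}
FULLWORD = {"$x1", "$s1", "$s3", "$s4"}


def string_matches(data: bytes, name: str) -> bool:
    """A 'fullword' string may not be bordered by [A-Za-z0-9_] on either side."""
    pattern = RULE_STRINGS[name]
    if name not in FULLWORD:
        return pattern in data
    rx = rb"(?<![A-Za-z0-9_])" + re.escape(pattern) + rb"(?![A-Za-z0-9_])"
    return re.search(rx, data) is not None


def evaluate_rule(data: bytes) -> bool:
    """( uint16(0) == 0x2123 and filesize < 3KB and ( $x1 or 2 of them ) ) or ( all of them )"""
    matched = {name for name in RULE_STRINGS if string_matches(data, name)}
    # uint16() reads little-endian, so 0x2123 is the byte pair 23 21 == b"#!", a shebang line.
    shebang = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x2123
    small = len(data) < 3 * 1024
    x1_or_two = "$x1" in matched or len(matched) >= 2
    return (shebang and small and x1_or_two) or matched == set(RULE_STRINGS)


# Constructed test inputs (not real samples): a small shebang script carrying two of the
# $s strings, the same content padded past 3KB so the size guard drops the first branch,
# and a benign script that shares only the shebang.
SAMPLE_HIT = (b"#!/usr/bin/env python\n# constructed\n"
              + RULE_STRINGS["$s3"] + b"\n" + RULE_STRINGS["$s4"] + b"\n")
SAMPLE_TOO_LARGE = SAMPLE_HIT + b"#" * 4000
SAMPLE_BENIGN = b"#!/usr/bin/env python\nprint('routine log parsing')\n"

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("too_large", SAMPLE_TOO_LARGE), ("benign", SAMPLE_BENIGN)]:
        print(label, evaluate_rule(blob))
```

Note that the second branch (`all of them`) fires regardless of size or shebang, so a large file that carries every string still matches.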
Scenario: A system administrator is using Ansible to deploy a configuration update that includes a script named create_http_injection.py as part of a legitimate automation task.
Filter/Exclusion: Check for presence of ansible in the process name or command line, or filter by user (e.g., root or admin).
Scenario: A scheduled job (e.g., via cron or Windows Task Scheduler) runs a Python script named create_http_injection.py as part of a routine network monitoring or log parsing task.
Filter/Exclusion: Filter by scheduled job identifiers (e.g., cron or task scheduler), or check for known legitimate script paths (e.g., /opt/monitoring/scripts/).
Scenario: A DevOps engineer is testing a new Python-based firewall rule generator tool (e.g., Firewall Manager Pro) and creates a file named create_http_injection.py temporarily during development.
Filter/Exclusion: Filter by user (e.g., devops), or check for temporary directories (e.g., /tmp/ or /var/tmp/).
Scenario: A security analyst is using Python to write a custom script for HTTP request injection testing as part of a penetration test or security assessment.
Filter/Exclusion: Filter by user (e.g., security-team), or check for presence of test environments (e.g., /opt/test_env/).
Scenario: A CI/CD pipeline (e.g., Jenkins or GitHub Actions) generates a file named create_http_injection.py as part of a build or deployment process.
Filter/Exclusion: Filter by process name (e.g., jenkins or github-runner),