The detection identifies potential adversary use of the EQGRP Toolset Firewall component through the execution of the EPBA.script file, which may be used for network traffic manipulation or firewall rule modification. SOC teams should proactively hunt for this behavior to identify and mitigate potential lateral movement or persistence tactics within their Azure Sentinel environment.
YARA Rule
rule EQGRP_EPBA
{
meta:
description = "EQGRP Toolset Firewall - file EPBA.script"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
hash1 = "53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7"
strings:
$x1 = "./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 " fullword ascii
$x2 = "-t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP" fullword ascii
$x3 = "./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP" fullword ascii
$x4 = "--target_vers=TARGET_VERS target Pix version (pix712, asa804) (REQUIRED)" fullword ascii
$x5 = "-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port" fullword ascii
$x6 = "this operation is complete, BananaGlee will" fullword ascii
$x7 = "cd /current/bin/FW/BGXXXX/Install/LP" fullword ascii
condition:
( uint16(0) == 0x2023 and filesize < 7KB and 1 of ($x*) ) or ( 3 of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs the EPBA.script as part of a routine system maintenance or patching process.
Filter/Exclusion: process.parent_process_name : "Task Scheduler" OR process.parent_process_name : "schtasks.exe"
Scenario: Admin Task for Network Configuration
Description: A system administrator uses the EPBA.script to configure firewall rules or update network policies as part of a routine administrative task.
Filter/Exclusion: process.user : "Administrator" AND process.command_line : "/c EPBA.script -config"
Scenario: Third-Party Tool Integration
Description: A third-party tool, such as SolarWinds Network Configuration Manager, executes the EPBA.script as part of its integration with the EQGRP firewall system.
Filter/Exclusion: process.parent_process_name : "SolarWinds*" OR process.parent_process_name : "nwcm.exe"
Scenario: Automated Compliance Scan
Description: A compliance tool like Microsoft Intune or Microsoft Defender for Endpoint runs the EPBA.script to validate firewall configurations during an automated audit.
Filter/Exclusion: process.parent_process_name : "Intune*" OR process.parent_process_name : "DefenderForEndpoint"
Scenario: Legacy Script for Legacy System Compatibility
Description: An older system or legacy application uses the EPBA.script to maintain compatibility with outdated firewall configurations.
Filter/Exclusion: process.file_path : "C:\Legacy\Scripts\EPBA.script" OR process.file_path : "C:\OldTools\EPBA.script"