The detection identifies potential adversary use of the extrabacon_1.1.0.1.py script, which may be part of the EQGRP toolset, to establish covert communication or exfiltrate data through firewall evasion techniques. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage persistent threats leveraging compromised Azure environments.
YARA Rule
rule EQGRP_extrabacon
{
    meta:
        description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735"
    strings:
        $x1 = "To disable password checking on target:" fullword ascii
        $x2 = "[-] target is running" fullword ascii
        $x3 = "[-] problem importing version-specific shellcode from" fullword ascii
        $x4 = "[+] importing version-specific shellcode" fullword ascii
        $s5 = "[-] unsupported target version, abort" fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled Job for Log Analysis
Description: A system administrator schedules a Python script named extrabacon_1.1.0.1.py to parse and analyze firewall logs as part of routine log management.
Filter/Exclusion: process.parent_process_name:"logstash" OR process.parent_process_name:"syslog-ng" OR process.parent_process_name:"rsyslog"

Scenario: Internal Security Tool Integration
Description: The script is part of an internal security tool used for detecting anomalies in firewall traffic, and is executed by a trusted security service.
Filter/Exclusion: process.parent_process_name:"splunk" OR process.parent_process_name:"elastic" OR process.parent_process_name:"siem"

Scenario: DevOps Pipeline Artifact Processing
Description: The script is run by a CI/CD pipeline (e.g., Jenkins, GitLab CI) to process firewall configuration files as part of an infrastructure-as-code (IaC) deployment.
Filter/Exclusion: process.parent_process_name:"jenkins" OR process.parent_process_name:"gitlab-runner" OR process.parent_process_name:"docker"

Scenario: Admin Task for Firewall Rule Testing
Description: A system admin uses the script to test and validate new firewall rules in a staging environment before deploying them to production.
Filter/Exclusion: (process.parent_process_name:"powershell" OR process.parent_process_name:"bash" OR process.parent_process_name:"cmd.exe") AND process.command_line:"--test-mode"

Scenario: Third-Party Tool for Network Monitoring
Description: The script is part of a third-party network monitoring tool that analyzes firewall traffic for potential security threats.
Filter/Exclusion: process.parent_process_name:"nagios" OR process.parent_process_name:"zabbix" OR process.parent_process
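As an added example that is not part of the original page or the rule author's tooling, the following Python approximates the rule's string logic (YARA `fullword ascii` semantics and the `1 of them` condition) and encodes the parent-process tuning from the scenarios above. The sample file contents are constructed, and the admin-task filter is assumed to mean (shell parent) AND `--test-mode`.

```python
import re

# String patterns copied from the EQGRP_extrabacon rule above.
RULE_STRINGS = {
    "$x1": "To disable password checking on target:",
    "$x2": "[-] target is running",
    "$x3": "[-] problem importing version-specific shellcode from",
    "$x4": "[+] importing version-specific shellcode",
    "$s5": "[-] unsupported target version, abort",
}

def fullword_pattern(text: str) -> re.Pattern:
    """YARA 'fullword ascii': the literal bytes, not immediately preceded
    or followed by an alphanumeric byte."""
    literal = re.escape(text.encode("ascii"))
    return re.compile(rb"(?<![0-9A-Za-z])" + literal + rb"(?![0-9A-Za-z])")

PATTERNS = {ident: fullword_pattern(s) for ident, s in RULE_STRINGS.items()}

def matched_strings(data: bytes) -> list:
    """Identifiers of rule strings found in data, in rule order."""
    return [ident for ident, pat in PATTERNS.items() if pat.search(data)]

def rule_matches(data: bytes) -> bool:
    """Condition '1 of them': at least one string matched."""
    return len(matched_strings(data)) >= 1

# Parent-process tuning from the scenarios above. The admin-task filter is
# read as (shell parent) AND --test-mode (an assumption); a bare OR/AND
# chain would otherwise bind AND only to the last alternative.
TRUSTED_PARENTS = {"logstash", "syslog-ng", "rsyslog", "splunk", "elastic",
                   "siem", "jenkins", "gitlab-runner", "docker", "nagios", "zabbix"}
SHELL_PARENTS = {"powershell", "bash", "cmd.exe"}

def is_excluded(parent_process_name: str, command_line: str) -> bool:
    """True when the scenario exclusions suppress an alert for this event."""
    if parent_process_name in TRUSTED_PARENTS:
        return True
    return parent_process_name in SHELL_PARENTS and "--test-mode" in command_line

# Constructed sample file contents (not real tool output).
SAMPLE_HIT = b"...\nprint('[+] importing version-specific shellcode')\n..."
SAMPLE_FULLWORD_MISS = b"log('[-] target is runningX')"  # trailing X defeats fullword
SAMPLE_CLEAN = b"import sys\nprint('firewall log parser')\n"

if __name__ == "__main__":
    for label, data in (("hit", SAMPLE_HIT), ("miss", SAMPLE_FULLWORD_MISS), ("clean", SAMPLE_CLEAN)):
        print(label, rule_matches(data), matched_strings(data))
```

The fullword miss shows why a trailing alphanumeric byte prevents a match in YARA, which matters when validating the rule against test files.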