This detection identifies output characteristic of the Extrabacon exploit from the EQGRP toolset, which may indicate lateral movement or persistence in the network. SOC teams should hunt proactively for this behaviour to surface early-stage adversary activity that may evade traditional detection in Azure Sentinel.
YARA Rule
rule EQGRP_Extrabacon_Output
{
    meta:
        description = "EQGRP Toolset Firewall - Extrabacon exploit output"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
    strings:
        $s1 = "|###[ SNMPresponse ]###" fullword ascii
        $s2 = "[+] generating exploit for exec mode pass-disable" fullword ascii
        $s3 = "[+] building payload for mode pass-disable" fullword ascii
        $s4 = "[+] Executing: extrabacon" fullword ascii
        $s5 = "appended AAAADMINAUTH_ENABLE payload" fullword ascii
    condition:
        2 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that outputs similar strings to the exploit output due to log formatting or command-line arguments.
Filter/Exclusion: process.name != "maintenance_script.sh" OR process.parent.name != "cron"

Scenario: Admin Performing Manual Firewall Rule Testing
Description: An administrator manually tests a firewall rule using the eqgrp_toolset command, which generates output matching the exploit pattern.
Filter/Exclusion: user.name != "admin" OR process.name != "eqgrp_toolset"

Scenario: Log Rotation or File Sync Job
Description: A log rotation or file synchronization job (e.g., logrotate, rsync) processes files containing the string "extrabacon" in their content.
Filter/Exclusion: process.name != "logrotate" AND process.name != "rsync"

Scenario: Application Using EQGRP Toolset for Legitimate Network Monitoring
Description: A network monitoring tool (e.g., tcpdump, Wireshark, or Snort) uses the eqgrp_toolset for packet analysis and outputs similar strings.
Filter/Exclusion: process.name != "tcpdump" AND process.name != "snort"

Scenario: User-Initiated System Diagnostics or Troubleshooting
Description: A user runs a diagnostic script or tool (e.g., diag_tool, syscheck) that outputs strings matching the exploit pattern during troubleshooting.
Filter/Exclusion: user.name != "user" OR process.name != "diag_tool"
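The following is an added example, not code from the original page or from the rule's author: a pure-Python model of how the rule above evaluates (YARA `fullword ascii` semantics and the `2 of them` threshold), combined with the five Filter/Exclusion expressions from the scenarios, applied as keep-conditions (an alert is suppressed for an event on which an expression evaluates false). The field names `process.name`, `process.parent.name` and `user.name` are taken from the filters on the page; the `Event` class, the sample process outputs and the sample field values are constructed here for illustration. Where yara-python is available the real engine remains authoritative; this model exists to show what the rule and the exclusions do to concrete events.

```python
"""Model of EQGRP_Extrabacon_Output plus the page's exclusion filters (added example)."""
import re
from dataclasses import dataclass

# The five string patterns from the rule, verbatim.
RULE_STRINGS = {
    "$s1": "|###[ SNMPresponse ]###",
    "$s2": "[+] generating exploit for exec mode pass-disable",
    "$s3": "[+] building payload for mode pass-disable",
    "$s4": "[+] Executing: extrabacon",
    "$s5": "appended AAAADMINAUTH_ENABLE payload",
}


def _fullword_pattern(s: str) -> re.Pattern:
    # YARA 'fullword': the match must not be immediately preceded or followed
    # by an alphanumeric character (underscore counts as a delimiter, so it
    # is allowed). 'ascii' means the plain one-byte encoding of the string.
    return re.compile(r"(?<![A-Za-z0-9])" + re.escape(s) + r"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword_pattern(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> set:
    """Return the set of rule string identifiers that occur fullword in data."""
    text = data.decode("latin-1")  # one byte per character, mirrors 'ascii'
    return {name for name, pat in PATTERNS.items() if pat.search(text)}


def rule_matches(data: bytes, threshold: int = 2) -> bool:
    """condition: 2 of them"""
    return len(matched_strings(data)) >= threshold


@dataclass
class Event:
    """Constructed event shape: a process, its parent, the user, and captured output."""
    process_name: str
    parent_name: str
    user_name: str
    output: bytes

    def fields(self) -> dict:
        return {
            "process.name": self.process_name,
            "process.parent.name": self.parent_name,
            "user.name": self.user_name,
        }


# The page's Filter/Exclusion expressions, transcribed as keep-conditions:
# the alert is suppressed for an event on which the expression is False.
EXCLUSIONS = {
    "Scheduled System Maintenance Job":
        lambda f: f["process.name"] != "maintenance_script.sh" or f["process.parent.name"] != "cron",
    "Admin Performing Manual Firewall Rule Testing":
        lambda f: f["user.name"] != "admin" or f["process.name"] != "eqgrp_toolset",
    "Log Rotation or File Sync Job":
        lambda f: f["process.name"] != "logrotate" and f["process.name"] != "rsync",
    "Application Using EQGRP Toolset for Legitimate Network Monitoring":
        lambda f: f["process.name"] != "tcpdump" and f["process.name"] != "snort",
    "User-Initiated System Diagnostics or Troubleshooting":
        lambda f: f["user.name"] != "user" or f["process.name"] != "diag_tool",
}


def triage(event: Event) -> dict:
    """Run the rule over the event's output, then apply every exclusion."""
    hits = matched_strings(event.output)
    yara_match = len(hits) >= 2
    suppressed_by = [name for name, keep in EXCLUSIONS.items() if not keep(event.fields())]
    return {
        "yara_match": yara_match,
        "strings": sorted(hits),
        "suppressed_by": suppressed_by,
        "alert": yara_match and not suppressed_by,
    }


# Constructed sample events (not real captures).
SAMPLES = [
    # Unknown interpreter emitting two of the rule strings: should alert.
    Event("python3", "bash", "svc_backup",
          b"[+] generating exploit for exec mode pass-disable\n"
          b"[+] building payload for mode pass-disable\n"),
    # logrotate touching an archived file that contains two strings:
    # the rule fires, but the "Log Rotation or File Sync Job" exclusion suppresses it.
    Event("logrotate", "cron", "root",
          b"archived: |###[ SNMPresponse ]###\n[+] Executing: extrabacon\n"),
    # "extrabacon2.py" defeats the fullword match on $s4, leaving only $s5:
    # one string is below the "2 of them" threshold, so no match at all.
    Event("python3", "bash", "alice",
          b"[+] Executing: extrabacon2.py\nappended AAAADMINAUTH_ENABLE payload\n"),
]


def run_samples() -> list:
    return [triage(e) for e in SAMPLES]


if __name__ == "__main__":
    for event, result in zip(SAMPLES, run_samples()):
        print(event.process_name, event.user_name, result)
```

The third sample is the caveat worth remembering when tuning: `fullword` only guards against the pattern being embedded in a longer alphanumeric token, and the `2 of them` threshold means a single surviving string never fires the rule, so output that preserves two of the five lines is what the detection actually keys on.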