The presence of hexdump.py may indicate adversary use of the EQGRP Toolset Firewall: the script's hexdump functionality can be used to inspect or manipulate network traffic in support of data exfiltration or network reconnaissance. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify potential lateral movement or data exfiltration attempts.
YARA Rule
rule EQGRP_hexdump
{
    meta:
        description = "EQGRP Toolset Firewall - file hexdump.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "95a9a6a8de60d3215c1c9f82d2d8b2640b42f5cabdc8b50bd1f4be2ea9d7575a"
    strings:
        $s1 = "def hexdump(x,lead=\"[+] \",out=sys.stdout):" fullword ascii
        $s2 = "print >>out, \"%s%04x \" % (lead,i)," fullword ascii
        $s3 = "print >>out, \"%02X\" % ord(x[i+j])," fullword ascii
        $s4 = "print >>out, sane(x[i:i+16])" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 1KB and 2 of ($s*) ) or ( all of them )
}
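To check the rule's logic offline, the following is an added Python re-implementation of its condition. It is not part of the original page and is not a YARA engine; the function names and the sample scripts are constructed for illustration. It reproduces the little-endian uint16(0) == 0x2123 test (the file must begin with the two bytes "#!", i.e. a shebang), the 1 KB size bound, the fullword semantics of the four strings, and both branches of the condition, so a reader can see which branch a given sample satisfies and why a file without a shebang needs all four strings to match.

```python
"""Offline re-implementation of the EQGRP_hexdump rule's condition.

Added example, not the rule author's code and not a YARA engine. The helper
names (fullword_present, uint16_le, evaluate, rule_matches) and the sample
byte strings below are constructed for this illustration.
"""
import re
from typing import Dict, Optional

# The four strings from the rule, with the YARA escapes resolved to raw bytes.
RULE_STRINGS: Dict[str, bytes] = {
    "$s1": b'def hexdump(x,lead="[+] ",out=sys.stdout):',
    "$s2": b'print >>out, "%s%04x " % (lead,i),',
    "$s3": b'print >>out, "%02X" % ord(x[i+j]),',
    "$s4": b"print >>out, sane(x[i:i+16])",
}

_ALNUM = rb"[A-Za-z0-9]"


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword' modifier: the occurrence must not be immediately
    preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<!" + _ALNUM + rb")" + re.escape(needle) + rb"(?!" + _ALNUM + rb")"
    return re.search(pattern, data) is not None


def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """YARA uint16(offset): little-endian 16-bit read, None when out of range."""
    if offset + 2 > len(data):
        return None
    return data[offset] | (data[offset + 1] << 8)


def evaluate(data: bytes) -> dict:
    """Return the intermediate values behind the rule's condition so a
    triage analyst can see which branch fired."""
    hits = {name: fullword_present(data, s) for name, s in RULE_STRINGS.items()}
    n_hits = sum(hits.values())
    magic = uint16_le(data, 0)
    shebang = magic == 0x2123  # bytes 0x23 0x21 at offset 0, i.e. b"#!"
    return {
        "starts_with_shebang": shebang,
        "filesize": len(data),
        "hits": hits,
        # ( uint16(0) == 0x2123 and filesize < 1KB and 2 of ($s*) )
        "branch_a": shebang and len(data) < 1024 and n_hits >= 2,
        # ( all of them )
        "branch_b": n_hits == len(RULE_STRINGS),
    }


def rule_matches(data: bytes) -> bool:
    r = evaluate(data)
    return r["branch_a"] or r["branch_b"]


# Constructed sample: a small shebang script containing all four strings.
SAMPLE_TOOL = (
    b"#!/usr/bin/env python\n"
    b"import sys\n"
    b'def hexdump(x,lead="[+] ",out=sys.stdout):\n'
    b"    for i in range(0, len(x), 16):\n"
    b'        print >>out, "%s%04x " % (lead,i),\n'
    b"        for j in range(16):\n"
    b"            if i+j < len(x):\n"
    b'                print >>out, "%02X" % ord(x[i+j]),\n'
    b"        print >>out, sane(x[i:i+16])\n"
)

# Constructed sample: an ordinary shell script that only calls the hexdump binary.
SAMPLE_BENIGN = b"#!/bin/sh\nhexdump -C /var/log/syslog | head\n"

# Constructed sample: two of the strings, but no shebang, so branch A cannot fire.
SAMPLE_TWO_NO_SHEBANG = (
    b"import sys\n"
    b'def hexdump(x,lead="[+] ",out=sys.stdout):\n'
    b"    print >>out, sane(x[i:i+16])\n"
)

# Constructed sample: no shebang and over 1 KB, but all four strings (branch B).
SAMPLE_LARGE_ALL = b"# padded copy\n" + b"#" * 2000 + b"\n" + SAMPLE_TOOL[len(b"#!/usr/bin/env python\n"):]


if __name__ == "__main__":
    for name, sample in [("tool", SAMPLE_TOOL), ("benign", SAMPLE_BENIGN),
                         ("two_no_shebang", SAMPLE_TWO_NO_SHEBANG),
                         ("large_all", SAMPLE_LARGE_ALL)]:
        print(name, rule_matches(sample), evaluate(sample))
```

This is useful for understanding and for triaging a hit (which branch fired, which strings were present), not as a replacement for scanning with the real YARA engine, which also handles the `ascii` modifier, overlapping matches and performance on large files.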
This rule contains 4 string patterns in its detection logic. The benign scenarios below can also trigger it, and each is paired with a suggested filter or exclusion for tuning the rule in the contexts where it is deployed.
Scenario: System Administration Task - Hexdump for Debugging
Description: A system administrator uses hexdump.py as part of a debugging session to inspect binary data from a legitimate log file.
Filter/Exclusion: process.name: hexdump.py AND file.path: /var/log/
Scenario: Scheduled Job - Data Conversion for Reporting
Description: A scheduled job runs hexdump.py to convert binary data from a database export into a human-readable format for reporting.
Filter/Exclusion: process.name: hexdump.py AND event_id: 10001 (assuming event ID 10001 is used for scheduled jobs)
Scenario: Security Tool Integration - Hexdump for Forensic Analysis
Description: A security analyst uses hexdump.py as part of a forensic analysis tool (e.g., Volatility) to inspect memory dumps or disk images.
Filter/Exclusion: process.name: hexdump.py AND parent_process: volatility
Scenario: DevOps Pipeline - Binary Inspection for CI/CD
Description: A DevOps pipeline includes hexdump.py to inspect binary artifacts during the build process to ensure integrity.
Filter/Exclusion: process.name: hexdump.py AND file.path: /opt/ci_cd/artifacts/
Scenario: Network Monitoring Tool - Hexdump for Traffic Analysis
Description: A network monitoring tool (e.g., Wireshark) uses hexdump.py to analyze packet data for troubleshooting network issues.
Filter/Exclusion: process.name: hexdump.py AND parent_process: wireshark