EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100

Hunt Hypothesis

The detection identifies potential adversary use of EQGRP toolset components to establish or manipulate network firewall rules, indicating possible lateral movement or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threat (APT) activities that may evade traditional detection methods.

YARA Rule

rule EQGRP_Implants_Gen3 
{

    meta:
        description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
        hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
        hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
        hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
        hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
        hash6 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"

    strings:
        $x1 = "incomplete and must be removed manually.)" fullword ascii
        $s1 = "%s: recv'd an error from the target." fullword ascii
        $s2 = "Unable to fetch the address to the get_uptime_secs function for this OS version" fullword ascii
        $s3 = "upload/activate/de-activate/remove/cmd function failed" fullword ascii

    condition:
        ( uint16(0) == 0x457f and filesize < 6000KB and 2 of them ) or ( all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Scheduled maintenance task using BLIQUER-3030 to update firewall configurations
  Filter/Exclusion: process.name IN ("scheduled_task.exe", "task scheduler") or process.parent.name == "task scheduler"

• Scenario: System administrator using BPICKER-3100 to review firewall logs during incident response
  Filter/Exclusion: user.name IN ("admin", "security_ops") or process.name == "log_viewer.exe"

• Scenario: Automated backup process using BLIAR-2110 to transfer firewall rules to a secondary server
  Filter/Exclusion: process.name == "backup_service.exe" or destination_ip IN ("10.0.0.5", "10.0.0.6")

• Scenario: Legitimate use of BLIQUER-2230 by the network team to configure outbound firewall policies
  Filter/Exclusion: process.name == "firewall_configurator.exe" or user.name == "network_admin"

• Scenario: Patch management tool using BARPUNCH-3110 to apply firewall rule updates across the network
  Filter/Exclusion: process.name == "patch_manager.exe" or process.parent.name == "patch_manager.exe"