This detection identifies files carrying components of the EQGRP firewall toolset, which adversaries use to establish covert network communication and exfiltrate data through firewall-level techniques. SOC teams should hunt proactively for this behavior to uncover stealthy lateral movement or data exfiltration in their Azure Sentinel environment.
YARA Rule
rule EQGRP_Implants_Gen4
{
    meta:
        description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
        hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
        hash3 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
        hash4 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
    strings:
        // Operator-facing messages left in the implant binaries; "fullword" means the
        // text must not be glued to other alphanumeric characters on either side.
        $s1 = "Command has not yet been coded" fullword ascii
        $s2 = "Beacon Domain : www.%s.com" fullword ascii
        $s3 = "This command can only be run on a PIX/ASA" fullword ascii
        $s4 = "Warning! Bad or missing Flash values (in section 2 of .dat file)" fullword ascii
        $s5 = "Printing the interface info and security levels. PIX ONLY." fullword ascii
    condition:
        // uint16(0) is read little-endian, so 0x457f is the ELF magic bytes 7F 45 ("\x7fE").
        ( uint16(0) == 0x457f and filesize < 3000KB and 3 of them ) or ( all of them )
}
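The following is an added example, not part of the page or of the rule author's material, that re-implements the rule's condition in plain Python so the two branches can be seen working: the ELF branch (magic bytes, size limit, at least three strings) and the all-five-strings branch that applies to any file type. The "fullword ascii" semantics are emulated with look-around assertions on alphanumeric bytes, which is how YARA defines the modifier. All sample buffers are constructed for the demonstration and are not real EQGRP files; the function names are the example's own.

```python
import re

# The five string patterns, copied from the page's YARA rule.
STRINGS = {
    "$s1": "Command has not yet been coded",
    "$s2": "Beacon Domain : www.%s.com",
    "$s3": "This command can only be run on a PIX/ASA",
    "$s4": "Warning! Bad or missing Flash values (in section 2 of .dat file)",
    "$s5": "Printing the interface info and security levels. PIX ONLY.",
}

MAX_SIZE = 3000 * 1024  # YARA's "3000KB": KB means 1024 bytes


def fullword_ascii_hits(data: bytes, patterns=STRINGS) -> set:
    """Identifiers of patterns present under YARA 'fullword ascii' semantics:
    the match may not be immediately preceded or followed by an alphanumeric byte."""
    hits = set()
    for ident, text in patterns.items():
        pat = rb"(?<![A-Za-z0-9])" + re.escape(text.encode("ascii")) + rb"(?![A-Za-z0-9])"
        if re.search(pat, data):
            hits.add(ident)
    return hits


def is_elf_magic(data: bytes) -> bool:
    """uint16(0) == 0x457f: YARA reads little-endian, so this is bytes 7F 45 (b'\\x7fE')."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x457F


def eqgrp_gen4_matches(data: bytes) -> bool:
    """Evaluate the rule condition:
    ( uint16(0) == 0x457f and filesize < 3000KB and 3 of them ) or ( all of them )"""
    hits = fullword_ascii_hits(data)
    elf_branch = is_elf_magic(data) and len(data) < MAX_SIZE and len(hits) >= 3
    return elf_branch or len(hits) == len(STRINGS)


def _blob(header: bytes, texts) -> bytes:
    # Constructed sample: a file header, padding, then NUL-separated strings.
    return header + b"\x00" * 14 + b"\x00".join(t.encode("ascii") for t in texts) + b"\x00" * 16


ELF_HEADER = b"\x7fELF"   # real ELF magic, used only to build sample buffers
PE_HEADER = b"MZ\x90\x00"  # DOS/PE stub header, so the ELF branch does not apply

# Constructed samples (none of these are actual EQGRP artefacts).
SAMPLES = {
    "elf_three_strings": _blob(ELF_HEADER, [STRINGS["$s1"], STRINGS["$s3"], STRINGS["$s5"]]),
    "elf_two_strings": _blob(ELF_HEADER, [STRINGS["$s1"], STRINGS["$s3"]]),
    "pe_three_strings": _blob(PE_HEADER, [STRINGS["$s1"], STRINGS["$s3"], STRINGS["$s5"]]),
    "pe_all_five": _blob(PE_HEADER, list(STRINGS.values())),
    # Strings glued to trailing letters fail the fullword test and must not count.
    "elf_glued_words": _blob(ELF_HEADER, [STRINGS["$s1"] + "xyz", STRINGS["$s3"] + "abc", STRINGS["$s5"] + "q"]),
}


def scan_all(samples=SAMPLES) -> dict:
    """Run the emulated rule over every sample and return name -> verdict."""
    return {name: eqgrp_gen4_matches(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:20s} -> {'MATCH' if verdict else 'no match'}")
```

Only "elf_three_strings" and "pe_all_five" match: a PE carrying three of the strings does not, because the three-of-five branch is gated on the ELF magic, and an ELF whose strings are glued to other letters does not, because of the fullword modifier. When triaging hits from the real rule, checking which branch fired and which of $s1..$s5 matched is the quickest way to separate a genuine implant from an incidental string overlap.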
This rule contains five string patterns in its detection logic; it fires on an ELF file (uint16(0) == 0x457f) smaller than 3000KB that contains at least three of them, or on any file that contains all five. The rule can be deployed in the following contexts, each paired with a suggested filter or exclusion for tuning alerts raised on a match (the filters are written in SIEM field syntax, not as YARA conditions):
Scenario: Scheduled maintenance task using BLIQUER-3120 for network configuration
Filter/Exclusion: process.name != "BLIQUER-3120" OR event.type == "scheduled_task"
Scenario: Admin manually configuring firewall rules via BLIAR-2110 during incident response
Filter/Exclusion: user.name == "admin" AND event.type == "manual_configuration"
Scenario: Automated backup job using BLIQUER-2230 to transfer firewall configurations
Filter/Exclusion: process.name == "BLIQUER-2230" AND event.action == "backup"
Scenario: Legitimate software update process using BLIQUER-3030 to deploy new firewall policies
Filter/Exclusion: process.name == "BLIQUER-3030" AND event.action == "software_update"
Scenario: System integrity check using BLIAR-2110 to verify firewall file hashes
Filter/Exclusion: process.name == "BLIAR-2110" AND event.action == "integrity_check"