EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3

Hunt Hypothesis

The detection identifies potential adversary use of EQGRP toolset components, including suspicious files associated with known malicious activity, indicating possible network traversal or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary presence and prevent lateral movement within the network.

YARA Rule

rule EQGRP_Implants_Gen5 
{

    meta:
        description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
        hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
        hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
        hash4 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
        hash5 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
        hash6 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
        hash7 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
        hash8 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
   
    strings:
        $x1 = "Module and Implant versions do not match.  This module is not compatible with the target implant" fullword ascii
        $s1 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log" fullword ascii
        $s2 = "%s/BF_%04d%02d%02d.log" fullword ascii
        $s3 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin" fullword ascii
    
    condition:
        ( uint16(0) == 0x457f and 1 of ($x*) ) or ( all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Legitimate use of BLIQUER-3030 as part of a scheduled backup job
  Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "backup" or "restore"

• Scenario: BARPUNCH-3110 is used by system administrators to test network connectivity
  Filter/Exclusion: process.user == "admin_group" or process.command_line contains "ping" or "tracert"

• Scenario: BLIAR-2110 is part of a legitimate software update process
  Filter/Exclusion: process.file_path contains "update.exe" or process.parent_process_name == "msiexec.exe"

• Scenario: BPICKER-3100 is used by a third-party tool for log analysis
  Filter/Exclusion: process.file_path contains "log_analyzer.exe" or process.parent_process_name == "logparser.exe"

• Scenario: BLIQUER-2230 is used in a legitimate internal tool for configuration management
  Filter/Exclusion: process.file_path contains "config_tool.exe" or process.user == "config_admin_group"